package com.sun.deploy.security;

import com.sun.deploy.config.Config;
import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.services.Service;
import com.sun.deploy.services.ServiceManager;
import com.sun.deploy.ui.AppInfo;
import com.sun.deploy.util.DeployLock;
import com.sun.deploy.util.Trace;
import java.io.DataInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.security.Timestamp;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import sun.security.provider.certpath.OCSP;
import sun.security.validator.PKIXValidator;
import sun.security.validator.Validator;
import sun.security.validator.ValidatorException;

/* loaded from: input_file:com/sun/deploy/security/TrustDecider.class */
public class TrustDecider {
    // Certificate stores consulted by isAllPermissionGranted(). rootStore, permanentStore,
    // sessionStore and deniedStore are (re)assigned on every reset().
    private static CertStore rootStore = null;
    private static CertStore permanentStore = null;
    private static CertStore sessionStore = null;
    private static CertStore deniedStore = null;
    // Only assigned in reset() when Config.SEC_USE_BROWSER_KEYSTORE_KEY is true; otherwise they stay null.
    private static CertStore browserRootStore = null;
    private static CertStore browserTrustedStore = null;
    // Either null or preTrustList (when Config.SEC_USE_PRETRUST_LIST_KEY is true); a non-null value
    // enables the checkTrustedExtension() step in isAllPermissionGranted().
    private static List jurisdictionList = null;
    // NOTE(review): presumably the signer subject(s) that checkTrustedExtension() accepts without
    // prompting; that method is not visible here, so confirm before relying on this.
    private static final List preTrustList = Collections.singletonList("OU=Java Signed Extensions,OU=Corporate Object Signing,O=Sun Microsystems Inc");
    // Set to true once browserRootStore.load() has run; cleared again by reset().
    private static boolean isBrowserRootStoreLoaded = false;
    // CRL downloaded by reset() from the URL in Config.SEC_USE_VALIDATION_CRL_URL_KEY, or null.
    private static X509CRL crl509 = null;
    // True when OCSP checking is enabled and both ocspSigner and ocspURL are non-empty.
    private static boolean ocspValidConfig = false;
    private static String ocspSigner = null;
    private static String ocspURL = null;
    // Revocation switches read from Config by reset().
    private static boolean crlCheck = false;
    private static boolean ocspCheck = false;
    private static boolean ocspEECheck = false;
    // Code-source locations whose signer was found in, or added to, the denied store.
    private static HashSet deniedURL = null;
    // Guards the static state above. It is not assigned anywhere in the visible part of the class.
    private static DeployLock deployLock;
    // Return values of isAllPermissionGranted(); the method body uses the literals 1L and 0L.
    public static final long PERMISSION_GRANTED_FOR_SESSION = 1;
    public static final long PERMISSION_DENIED = 0;

    /**
     * Forgets every "deny" decision recorded so far: the denied-certificate store is replaced by
     * a fresh {@code DeniedCertStore} and the set of denied code-source URLs is emptied.
     *
     * <p>The work is done under {@code deployLock}; the lock is released again only if this call
     * actually acquired it.
     *
     * @throws RuntimeException wrapping the {@link InterruptedException} raised while waiting
     *     for the lock
     */
    public static void resetDenyStore() {
        Trace.msgSecurityPrintln("trustdecider.check.reset.denystore");
        boolean acquired = false;
        try {
            acquired = deployLock.lock();
            deniedStore = new DeniedCertStore();
            // NOTE(review): deniedURL is only assigned in reset(); this presumably relies on
            // reset() having run first - confirm against the class initialiser.
            deniedURL.clear();
        } catch (InterruptedException interrupted) {
            throw new RuntimeException(interrupted);
        } finally {
            if (acquired) {
                deployLock.unlock();
            }
        }
    }

    /**
     * Returns the set of code-source URLs that have been denied.
     *
     * <p>The reference is read while holding {@code deployLock}, but the object handed back is
     * the live internal set, not a copy: callers that iterate or modify it do so outside the
     * lock and see (or cause) later changes.
     *
     * @return the internal denied-URL set, exactly as stored in the static field
     * @throws RuntimeException wrapping the {@link InterruptedException} raised while waiting
     *     for the lock
     */
    public static HashSet getDeniedURL() {
        boolean acquired = false;
        try {
            acquired = deployLock.lock();
            return deniedURL;
        } catch (InterruptedException interrupted) {
            throw new RuntimeException(interrupted);
        } finally {
            if (acquired) {
                deployLock.unlock();
            }
        }
    }

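    /**
     * Re-initialises all static trust state from the current deployment configuration.
     *
     * <p>Under {@code deployLock} this replaces the root, permanent, session and denied
     * certificate stores, empties the denied-URL set, re-reads the pre-trust and browser
     * keystore switches, and then re-reads the CRL and OCSP revocation settings inside two
     * privileged actions.
     *
     * <p>Differences from the decompiled original:
     * <ul>
     *   <li>the CRL input stream is closed even when parsing the CRL fails;</li>
     *   <li>{@code crl509} is cleared when CRL checking is disabled or no CRL URL is configured,
     *       so a CRL from an earlier configuration is not reused;</li>
     *   <li>{@code ocspValidConfig} is recomputed on every call instead of only ever being set
     *       to {@code true}, so removing the OCSP signer or URL no longer leaves a stale
     *       "valid" flag that makes {@code doOCSPValidation} use null settings.</li>
     * </ul>
     *
     * <p>NOTE(review): a failure in either privileged action is only printed; reset() still
     * returns normally, so a CRL that could not be downloaded leaves {@code crl509} at its
     * previous value (null on first use) without the caller being told. The download also runs
     * with the lock held and without any connect/read timeout being set here.
     *
     * @throws RuntimeException wrapping the {@link InterruptedException} raised while waiting
     *     for the lock
     */
    public static void reset() {
        boolean acquired = false;
        try {
            acquired = deployLock.lock();
            rootStore = RootCertStore.getCertStore();
            permanentStore = DeploySigningCertStore.getCertStore();
            sessionStore = new SessionCertStore();
            deniedStore = new DeniedCertStore();
            deniedURL = new HashSet();
            jurisdictionList = null;
            if (Config.getBooleanProperty(Config.SEC_USE_PRETRUST_LIST_KEY)) {
                jurisdictionList = preTrustList;
            }
            if (Config.getBooleanProperty(Config.SEC_USE_BROWSER_KEYSTORE_KEY)) {
                Service service = ServiceManager.getService();
                browserRootStore = service.getBrowserSigningRootCertStore();
                browserTrustedStore = service.getBrowserTrustedCertStore();
                // Force the browser root store to be loaded again on the next trust decision.
                isBrowserRootStoreLoaded = false;
            }
            try {
                AccessController.doPrivileged(new PrivilegedExceptionAction() {
                    @Override
                    public Object run() throws Exception {
                        crlCheck = Config.getBooleanProperty(Config.SEC_USE_VALIDATION_CRL_KEY);
                        // The URL property is only consulted when CRL checking is switched on.
                        String crlLocation = crlCheck ? Config.getProperty(Config.SEC_USE_VALIDATION_CRL_URL_KEY) : null;
                        if (crlLocation == null || crlLocation.length() == 0) {
                            // No system-wide CRL is configured any more: drop the cached one.
                            crl509 = null;
                            return null;
                        }
                        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
                        // NOTE(review): the URL comes straight from configuration and is opened
                        // with this class's privileges; any scheme the JVM supports is accepted.
                        URLConnection connection = new URL(crlLocation).openConnection();
                        connection.setDoInput(true);
                        connection.setUseCaches(false);
                        DataInputStream crlStream = new DataInputStream(connection.getInputStream());
                        try {
                            // crl509 is only overwritten after a successful parse.
                            crl509 = (X509CRL) certificateFactory.generateCRL(crlStream);
                        } finally {
                            crlStream.close();
                        }
                        return null;
                    }
                });
            } catch (PrivilegedActionException e) {
                e.printStackTrace();
            }
            try {
                AccessController.doPrivileged(new PrivilegedExceptionAction() {
                    @Override
                    public Object run() throws Exception {
                        ocspCheck = Config.getBooleanProperty(Config.SEC_USE_VALIDATION_OCSP_KEY);
                        // Recomputed from scratch so an earlier "valid" result cannot survive
                        // a configuration that no longer names a signer and responder URL.
                        ocspValidConfig = false;
                        if (ocspCheck) {
                            ocspSigner = Config.getProperty(Config.SEC_USE_VALIDATION_OCSP_SIGNER_KEY);
                            ocspURL = Config.getProperty(Config.SEC_USE_VALIDATION_OCSP_URL_KEY);
                            ocspValidConfig = ocspSigner != null && ocspSigner.length() > 0
                                    && ocspURL != null && ocspURL.length() > 0;
                        }
                        ocspEECheck = Config.getBooleanProperty(Config.SEC_USE_VALIDATION_OCSP_EE_KEY);
                        return null;
                    }
                });
            } catch (PrivilegedActionException e2) {
                e2.printStackTrace();
            }
        } catch (InterruptedException e3) {
            throw new RuntimeException(e3);
        } finally {
            // Release only what this call acquired, on every exit path.
            if (acquired) {
                deployLock.unlock();
            }
        }
    }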

    /**
     * Convenience overload: runs the trust decision for {@code codeSource} with a
     * default-constructed {@code AppInfo}.
     *
     * @param codeSource the signed code being evaluated
     * @return whatever the two-argument overload returns for the same code source
     */
    public static long isAllPermissionGranted(CodeSource codeSource) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException, CRLException, InvalidAlgorithmParameterException {
        final AppInfo defaultAppInfo = new AppInfo();
        return isAllPermissionGranted(codeSource, defaultAppInfo);
    }

    /**
     * Convenience overload: runs the trust decision with the boolean argument of the
     * three-argument overload fixed to {@code false}.
     *
     * @param codeSource the signed code being evaluated
     * @param appInfo application details forwarded to the three-argument overload
     * @return whatever the three-argument overload returns
     */
    public static long isAllPermissionGranted(CodeSource codeSource, AppInfo appInfo) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException, CRLException, InvalidAlgorithmParameterException {
        final boolean flag = false;
        return isAllPermissionGranted(codeSource, appInfo, flag);
    }

    /* JADX WARN: Finally extract failed */
    /**
     * Decides whether the signed code in {@code codeSource} may be granted all permissions.
     *
     * <p>Outline: the certificate stores are loaded, the flat certificate array is split into
     * chains, and each chain is validity-checked, PKIX-validated (optionally with CRL and OCSP
     * revocation checking) and looked up in the denied, permanent, session and browser-trusted
     * stores. If no store settles the question, the user is asked through
     * {@code X509Util.showSecurityDialog} and the answer is recorded in the matching store.
     * When the internal validator class is missing or the Java version check fails, the decision
     * is delegated to {@code CertValidator.validate} instead.
     *
     * <p>NOTE(review): this is decompiler output ("Finally extract failed"). Several constructs
     * below cannot be what the original source said: {@code z8} is declared boolean but assigned
     * {@code -1}, a {@code break} follows a {@code throw}, the outer {@code catch (Throwable)}
     * tests {@code 0 != 0} and therefore never releases the lock, and the revocation branch of
     * the CertificateException handler tests {@code 0 == 0}. Treat the control flow around
     * those spots as unverified.
     *
     * @param codeSource the code being evaluated; its certificates, code signers and location are read
     * @param appInfo forwarded to the security dialog and to the legacy validator; its type is
     *     compared with 3 when deciding whether to force the end-entity OCSP check
     * @param z forwarded to the security dialog; when false it is one of the conditions for
     *     forcing the end-entity OCSP check. Its meaning is not visible in this file.
     * @return {@code 0} when the code is unsigned or no chain was accepted; {@code 1} when a
     *     chain was accepted for the session (session store, browser trusted store, dialog
     *     result 0, or the legacy validator); otherwise the earliest {@code notAfter} time in
     *     milliseconds of the accepted chain (permanent store, trusted extension, or dialog
     *     result 2)
     * @throws CertificateException when a chain fails validation or configuration forbids
     *     asking the user
     * @throws RuntimeException wrapping an {@link InterruptedException} from the lock
     */
    public static synchronized long isAllPermissionGranted(CodeSource codeSource, AppInfo appInfo, boolean z) throws CertificateEncodingException, CertificateExpiredException, CertificateNotYetValidException, CertificateParsingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, IOException, CRLException, InvalidAlgorithmParameterException {
        boolean z2;
        // Local copies of the revocation switches; z5 may be forced to true further down.
        boolean z3 = crlCheck;
        boolean z4 = ocspCheck;
        boolean z5 = ocspEECheck;
        try {
            try {
                boolean lock = deployLock.lock();
                Certificate[] certificates = codeSource.getCertificates();
                URL location = codeSource.getLocation();
                // Unsigned code is never granted all permissions.
                if (certificates == null) {
                    if (lock) {
                        deployLock.unlock();
                    }
                    return 0L;
                }
                int i = 0;
                int i2 = 0;
                int i3 = 0;
                rootStore.load();
                permanentStore.load();
                sessionStore.load();
                deniedStore.load();
                // The browser root store is loaded once per reset(); the trusted store every time.
                if (browserRootStore != null && !isBrowserRootStoreLoaded) {
                    browserRootStore.load();
                    isBrowserRootStoreLoaded = true;
                }
                if (browserTrustedStore != null) {
                    browserTrustedStore.load();
                }
                // Split the flat certificate array into chains: a chain keeps growing while
                // CertUtils.isIssuerOf links each certificate to the next one. i3 counts chains.
                ArrayList arrayList = new ArrayList();
                while (i2 < certificates.length) {
                    ArrayList arrayList2 = new ArrayList();
                    int i4 = i;
                    while (i4 + 1 < certificates.length && (certificates[i4] instanceof X509Certificate) && (certificates[i4 + 1] instanceof X509Certificate) && CertUtils.isIssuerOf((X509Certificate) certificates[i4], (X509Certificate) certificates[i4 + 1])) {
                        i4++;
                    }
                    i2 = i4 + 1;
                    for (int i5 = i; i5 < i2; i5++) {
                        arrayList2.add(certificates[i5]);
                    }
                    arrayList.add(arrayList2);
                    i = i2;
                    i3++;
                }
                // Probe for the JDK-internal validator class; without it the legacy path is used.
                try {
                    z2 = Class.forName("sun.security.validator.Validator", true, ClassLoader.getSystemClassLoader()) != null;
                } catch (ClassNotFoundException e) {
                    Trace.msgSecurityPrintln("trustdecider.check.validate.notfound");
                    z2 = false;
                }
                if (Config.isJavaVersionAtLeast16() && z2) {
                    Trace.msgSecurityPrintln("trustdecider.check.validate.certpath.algorithm");
                    // z6: the chain's root is not a trusted CA (shown to the user in the dialog).
                    boolean z6 = false;
                    // z7: some certificate in the chain is expired or not yet valid, and no
                    // acceptable timestamp has cleared that yet.
                    boolean z7 = false;
                    // j: result to return after a dialog decision (0 = nothing granted).
                    long j = 0;
                    // i6: -1 expired, 1 not yet valid, 0 no validity problem; passed to the dialog.
                    int i6 = 0;
                    // NOTE(review): z8 is set whenever a validity check fails and is never cleared
                    // by a timestamp; the "-1" assignment below is a decompiler type mix-up.
                    boolean z8 = false;
                    // Trust anchors: root store plus, when present, the browser root store.
                    LinkedHashSet linkedHashSet = new LinkedHashSet();
                    linkedHashSet.addAll(rootStore.getCertificates());
                    if (browserRootStore != null) {
                        linkedHashSet.addAll(browserRootStore.getCertificates());
                    }
                    // Subject -> anchor certificate, handed to isReplacedCA().
                    HashMap hashMap = new HashMap();
                    Iterator it = linkedHashSet.iterator();
                    while (it.hasNext()) {
                        X509Certificate x509Certificate = (X509Certificate) it.next();
                        hashMap.put(x509Certificate.getSubjectX500Principal(), x509Certificate);
                    }
                    Iterator it2 = arrayList.iterator();
                    // i7 indexes codeSource.getCodeSigners() in step with the chain being processed.
                    int i7 = 0;
                    while (it2.hasNext()) {
                        // NOTE(review): toArray into X509Certificate[] throws ArrayStoreException
                        // if a chain holds a non-X.509 certificate; the split above only tests
                        // instanceof while linking, not for single-certificate chains.
                        X509Certificate[] x509CertificateArr = (X509Certificate[]) ((List) it2.next()).toArray(new X509Certificate[0]);
                        CertificateExpiredException certificateExpiredException = null;
                        CertificateNotYetValidException certificateNotYetValidException = null;
                        // j2: earliest notAfter in the chain; returned as the grant's expiry.
                        long j2 = Long.MAX_VALUE;
                        for (int i8 = 0; i8 < x509CertificateArr.length; i8++) {
                            long time = x509CertificateArr[i8].getNotAfter().getTime();
                            if (time < j2) {
                                j2 = time;
                            }
                            // Validity is checked against the current time; only the first
                            // failure of each kind is recorded.
                            try {
                                x509CertificateArr[i8].checkValidity();
                            } catch (CertificateExpiredException e2) {
                                if (certificateExpiredException == null) {
                                    certificateExpiredException = e2;
                                    i6 = -1;
                                    z8 = -1;
                                    z7 = true;
                                }
                            } catch (CertificateNotYetValidException e3) {
                                if (certificateNotYetValidException == null) {
                                    certificateNotYetValidException = e3;
                                    i6 = 1;
                                    z8 = true;
                                    z7 = true;
                                }
                            }
                        }
                        int length = x509CertificateArr.length;
                        X509Certificate x509Certificate2 = x509CertificateArr[length - 1];
                        // A self-signed last certificate that is not already an anchor: unless
                        // isReplacedCA() accepts it, either refuse outright (configuration forbids
                        // asking about unknown CAs) or flag the chain as "not from a trusted CA".
                        // Either way it is added to the anchor set so PKIX validation can build a
                        // path; it is removed again below only when z6 is set.
                        if (x509Certificate2.getIssuerX500Principal().equals(x509Certificate2.getSubjectX500Principal()) && !linkedHashSet.contains(x509Certificate2)) {
                            if (!isReplacedCA(hashMap, x509Certificate2)) {
                                if (!Config.getBooleanProperty(Config.SEC_ASKGRANT_NOTCA_KEY)) {
                                    throw new CertificateException(ResourceManager.getMessage("trustdecider.user.cannot.grant.notinca"));
                                }
                                z6 = true;
                            }
                            linkedHashSet.add(x509Certificate2);
                        }
                        // date: signing time from a trusted timestamp, or null; shown in the dialog.
                        Date date = null;
                        try {
                            Timestamp timestamp = codeSource.getCodeSigners()[i7].getTimestamp();
                            if (timestamp != null) {
                                Trace.msgSecurityPrintln("trustdecider.check.timestamping.yes");
                                date = timestamp.getTimestamp();
                                CertPath signerCertPath = timestamp.getSignerCertPath();
                                if (z7) {
                                    Trace.msgSecurityPrintln("trustdecider.check.timestamping.need");
                                    // NOTE(review): the timestamp is compared only with the validity
                                    // window of the LAST certificate in the chain, not with the
                                    // certificate that actually failed checkValidity().
                                    Date notAfter = x509CertificateArr[length - 1].getNotAfter();
                                    Date notBefore = x509CertificateArr[length - 1].getNotBefore();
                                    if (date.before(notAfter) && date.after(notBefore)) {
                                        Trace.msgSecurityPrintln("trustdecider.check.timestamping.valid");
                                        // The TSA's own path must validate against the same anchors
                                        // before the validity problem is waived.
                                        if (checkTSAPath(signerCertPath, linkedHashSet)) {
                                            z7 = false;
                                            i6 = 0;
                                        } else {
                                            date = null;
                                        }
                                    } else {
                                        Trace.msgSecurityPrintln("trustdecider.check.timestamping.invalid");
                                    }
                                } else {
                                    Trace.msgSecurityPrintln("trustdecider.check.timestamping.noneed");
                                }
                            } else {
                                Trace.msgSecurityPrintln("trustdecider.check.timestamping.no");
                            }
                        } catch (NoSuchMethodError e4) {
                            // Timestamp support is missing from the running JRE; continue without it.
                            Trace.msgSecurityPrintln("trustdecider.check.timestamping.notfound");
                        }
                        // z9: the signer certificate passed checkTrustedExtension(); only evaluated
                        // when a jurisdiction list is set and the chain has no CA or validity issue.
                        boolean z9 = false;
                        if (jurisdictionList != null) {
                            Trace.msgSecurityPrintln("trustdecider.check.jurisdiction.found");
                            if (z6 || i6 != 0) {
                                Trace.msgSecurityPrintln("trustdecider.check.trustextension.off");
                            } else {
                                Trace.msgSecurityPrintln("trustdecider.check.trustextension.on");
                                z9 = checkTrustedExtension(x509CertificateArr[0]);
                            }
                        } else {
                            Trace.msgSecurityPrintln("trustdecider.check.jurisdiction.notfound");
                        }
                        // Force the end-entity OCSP check for appInfo type 3 when the signer is not
                        // already permanently trusted (trace key suggests "extension install").
                        if (!z6 && !z8 && appInfo.getType() == 3 && !z && !z9 && !permanentStore.contains(x509CertificateArr[0])) {
                            z5 = true;
                            Trace.msgSecurityPrintln("trustdecider.check.extensioninstall.on");
                        }
                        // z10 / z11: CRL resp. OCSP revocation checking applies to this chain.
                        boolean z10 = false;
                        boolean z11 = false;
                        PKIXParameters pKIXParameters = null;
                        try {
                            try {
                                PKIXValidator validator = Validator.getInstance("PKIX", "plugin code signing", linkedHashSet);
                                PKIXValidator pKIXValidator = validator;
                                pKIXParameters = pKIXValidator.getParameters();
                                pKIXParameters.addCertPathChecker(new DeployCertPathChecker(pKIXValidator));
                                if (z3) {
                                    Trace.msgSecurityPrintln("trustdecider.check.validation.crl.on");
                                    // CRL checking applies when a system CRL was loaded, or when
                                    // CertUtils.getCertCRLExtension() is true for some certificate.
                                    if (crl509 != null) {
                                        z10 = true;
                                    } else {
                                        for (X509Certificate x509Certificate3 : x509CertificateArr) {
                                            if (CertUtils.getCertCRLExtension(x509Certificate3)) {
                                                z10 = true;
                                            }
                                        }
                                    }
                                    pKIXParameters = doCRLValidation(pKIXParameters, z10);
                                } else {
                                    Trace.msgSecurityPrintln("trustdecider.check.validation.crl.off");
                                }
                                if (z4) {
                                    Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.on");
                                    // OCSP applies when a responder is configured, or when
                                    // CertUtils.getCertAIAExtension() is true for some certificate.
                                    if (ocspValidConfig) {
                                        z11 = true;
                                    } else {
                                        for (X509Certificate x509Certificate4 : x509CertificateArr) {
                                            if (CertUtils.getCertAIAExtension(x509Certificate4)) {
                                                z11 = true;
                                            }
                                        }
                                    }
                                    doOCSPValidation(pKIXParameters, linkedHashSet, x509CertificateArr, z11, z3);
                                } else {
                                    Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.off");
                                }
                                // The chain is validated through X509CertificateWrapper instances.
                                X509Certificate[] x509CertificateArr2 = new X509Certificate[length];
                                for (int i9 = 0; i9 < length; i9++) {
                                    x509CertificateArr2[i9] = new X509CertificateWrapper(x509CertificateArr[i9]);
                                }
                                validator.validate(x509CertificateArr2);
                                if ((z3 && z10) || (z4 && z11)) {
                                    Trace.msgSecurityPrintln("trustdecider.check.revocation.succeed");
                                }
                                // This JVM-wide security property is reset to "false" on both the
                                // success and the failure path (decompiled form of a finally block).
                                Security.setProperty("com.sun.security.onlyCheckRevocationOfEECert", "false");
                            } catch (Throwable th) {
                                Security.setProperty("com.sun.security.onlyCheckRevocationOfEECert", "false");
                                throw th;
                            }
                        } catch (IOException e5) {
                            Trace.msgSecurityPrintln(e5.getMessage());
                            throw e5;
                        } catch (InvalidAlgorithmParameterException e6) {
                            Trace.msgSecurityPrintln(e6.getMessage());
                            throw e6;
                        } catch (CRLException e7) {
                            Trace.msgSecurityPrintln(e7.getMessage());
                            throw e7;
                        } catch (CertificateException e8) {
                            // Validation failed. If configuration forbids prompting for unknown CAs,
                            // report that; otherwise only a "no trust anchor" ValidatorException is
                            // tolerated (the chain is then treated as coming from an untrusted CA).
                            if (!Config.getBooleanProperty(Config.SEC_ASKGRANT_NOTCA_KEY)) {
                                throw new CertificateException(ResourceManager.getMessage("trustdecider.user.cannot.grant.notinca"));
                            }
                            if (!(e8 instanceof ValidatorException)) {
                                throw e8;
                            }
                            ValidatorException validatorException = e8;
                            if (!ValidatorException.T_NO_TRUST_ANCHOR.equals(validatorException.getErrorType())) {
                                // NOTE(review): as decompiled this condition is always true, so the
                                // exception is rethrown here and the "revoked" trace below is never
                                // reached; the constants presumably stood for the revocation flags.
                                if ((!z3 || 0 == 0) && (!z4 || 0 == 0)) {
                                    throw validatorException;
                                }
                                String message = validatorException.getMessage();
                                if (message.contains("Certificate has been revoked")) {
                                    Trace.msgSecurityPrintln("trustdecider.check.validation.revoked");
                                } else {
                                    Trace.msgSecurityPrintln(message);
                                }
                                throw validatorException;
                            }
                            z6 = true;
                            Security.setProperty("com.sun.security.onlyCheckRevocationOfEECert", "false");
                        }
                        // End-entity-only OCSP check: runs when z5 is set, full OCSP checking is
                        // off, the chain has an issuer certificate, and the signer is not already
                        // permanently trusted.
                        if (!z5 || z4 || length <= 1 || z9 || z6 || z8) {
                            Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.off");
                        } else if (!permanentStore.contains(x509CertificateArr[0])) {
                            try {
                                if (doOCSPEEValidation(x509CertificateArr[0], x509CertificateArr[1], linkedHashSet, pKIXParameters.getDate()) != OCSP.RevocationStatus.CertStatus.GOOD) {
                                    Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.bad");
                                    throw new CertificateException(ResourceManager.getMessage("trustdecider.check.ocsp.ee.revoked"));
                                    break;
                                }
                                Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.good");
                            } catch (IOException e9) {
                                // NOTE(review): an I/O failure while querying the responder is only
                                // traced, so the check fails open when the responder is unreachable.
                                Trace.msgSecurityPrintln(e9.getMessage());
                            } catch (CertPathValidatorException e10) {
                                Trace.msgSecurityPrintln(e10.getMessage());
                                throw new CertificateException(e10);
                            }
                        }
                        // Undo the temporary anchor added for an untrusted self-signed root.
                        if (z6) {
                            linkedHashSet.remove(x509Certificate2);
                        }
                        // z12: this signer is denied. The denied-store match counts when the
                        // two-argument contains(cert, true) matches, or when the chain still has an
                        // unresolved validity problem.
                        boolean z12 = false;
                        if (deniedStore.contains(x509CertificateArr[0])) {
                            deniedURL.add(location);
                            z12 = deniedStore.contains(x509CertificateArr[0], true) ? true : z7;
                        }
                        if (!z12) {
                            // Permanently trusted signer: grant until the chain's earliest expiry.
                            if (permanentStore.contains(x509CertificateArr[0]) && (!z7 || !permanentStore.contains(x509CertificateArr[0], true))) {
                                long j3 = j2;
                                if (lock) {
                                    deployLock.unlock();
                                }
                                return j3;
                            }
                            // Trusted-extension signer: stored in the user certificate store without
                            // asking the user, then granted like a permanent entry.
                            if (z9 && !permanentStore.contains(x509CertificateArr[0], true)) {
                                CertStore userCertStore = DeploySigningCertStore.getUserCertStore();
                                userCertStore.load(true);
                                if (userCertStore.add(x509CertificateArr[0], true)) {
                                    userCertStore.save();
                                }
                                Trace.msgSecurityPrintln("trustdecider.check.trustextension.add");
                                long j4 = j2;
                                if (lock) {
                                    deployLock.unlock();
                                }
                                return j4;
                            }
                            // Accepted earlier in this session.
                            if (sessionStore.contains(x509CertificateArr[0]) && (!z7 || !sessionStore.contains(x509CertificateArr[0], true))) {
                                if (lock) {
                                    deployLock.unlock();
                                }
                                return 1L;
                            }
                            // Trusted by the browser's own store; validity flags are not consulted here.
                            if (browserTrustedStore != null && browserTrustedStore.contains(x509CertificateArr[0])) {
                                if (lock) {
                                    deployLock.unlock();
                                }
                                return 1L;
                            }
                            if (!Config.getBooleanProperty(Config.SEC_ASKGRANT_SHOW_KEY)) {
                                throw new CertificateException(ResourceManager.getMessage("trustdecider.user.cannot.grant.any"));
                            }
                            // The deploy lock is released while the dialog is shown and re-acquired
                            // afterwards; the method's own monitor (synchronized) stays held.
                            if (lock) {
                                deployLock.unlock();
                            }
                            int showSecurityDialog = X509Util.showSecurityDialog(x509CertificateArr, codeSource.getLocation(), 0, length, z6, i6, date, appInfo, z);
                            lock = deployLock.lock();
                            // Dialog result: 0 = grant for this session, 2 = grant permanently,
                            // anything else = deny. The second add() argument is false when the
                            // chain still has an unresolved validity problem.
                            if (showSecurityDialog == 0) {
                                Trace.msgSecurityPrintln("trustdecider.user.grant.session");
                                sessionStore.add(x509CertificateArr[0], !z7);
                                sessionStore.save();
                                j = 1;
                            } else if (showSecurityDialog == 2) {
                                Trace.msgSecurityPrintln("trustdecider.user.grant.forever");
                                CertStore userCertStore2 = DeploySigningCertStore.getUserCertStore();
                                userCertStore2.load(true);
                                if (userCertStore2.add(x509CertificateArr[0], !z7)) {
                                    userCertStore2.save();
                                }
                                j = j2;
                            } else {
                                Trace.msgSecurityPrintln("trustdecider.user.deny");
                                deniedStore.add(x509CertificateArr[0], !z7);
                                deniedStore.save();
                                deniedURL.add(location);
                            }
                            if (j != 0) {
                                long j5 = j;
                                if (lock) {
                                    deployLock.unlock();
                                }
                                return j5;
                            }
                        }
                        // Denied or not granted: move on to the next chain and its code signer.
                        i7++;
                    }
                } else {
                    // Legacy path: the whole decision is delegated to CertValidator.
                    Trace.msgSecurityPrintln("trustdecider.check.validate.legacy.algorithm");
                    if (CertValidator.validate(codeSource, appInfo, certificates, i3, rootStore, browserRootStore, browserTrustedStore, sessionStore, permanentStore, deniedStore)) {
                        if (lock) {
                            deployLock.unlock();
                        }
                        return 1L;
                    }
                }
                // No chain was accepted.
                if (!lock) {
                    return 0L;
                }
                deployLock.unlock();
                return 0L;
            } catch (Throwable th2) {
                // NOTE(review): "0 != 0" is never true, so as decompiled the lock is NOT released
                // when an exception leaves the block above. Presumably the original finally
                // block tested the lock flag - confirm before reusing this code.
                if (0 != 0) {
                    deployLock.unlock();
                }
                throw th2;
            }
        } catch (InterruptedException e11) {
            throw new RuntimeException(e11);
        }
    }

    /**
     * Validates the certificate path of a timestamping authority against the given anchors.
     *
     * <p>A PKIX validator for the "tsa server" variant is built over {@code linkedHashSet} and
     * run on the certificates of {@code certPath}. Only a {@link CertificateException} is
     * treated as "not trusted"; any other failure propagates to the caller.
     *
     * @param certPath the timestamp signer's certificate path
     * @param linkedHashSet the trust anchors to validate against
     * @return {@code true} if validation succeeds, {@code false} if it raises a
     *     {@link CertificateException} (whose message is traced)
     */
    private static boolean checkTSAPath(CertPath certPath, LinkedHashSet linkedHashSet) {
        Trace.msgSecurityPrintln("trustdecider.check.timestamping.tsapath");
        boolean pathAccepted;
        try {
            Validator tsaValidator = Validator.getInstance("PKIX", "tsa server", linkedHashSet);
            X509Certificate[] tsaChain = (X509Certificate[]) certPath.getCertificates().toArray(new X509Certificate[0]);
            tsaValidator.validate(tsaChain);
            pathAccepted = true;
        } catch (CertificateException rejected) {
            Trace.msgSecurityPrintln(rejected.getMessage());
            pathAccepted = false;
        }
        return pathAccepted;
    }

    /**
     * Configures CRL-based revocation checking on the given PKIX parameters.
     *
     * <p>With a system CRL loaded ({@code crl509} non-null), revocation checking is switched on,
     * the CRL is supplied through a "Collection" cert store, and the
     * {@code com.sun.security.enableCRLDP} system property is cleared. Without one, revocation
     * checking and that property both follow {@code z}.
     *
     * <p>The system property is JVM-wide, so the setting outlives this call and is visible to
     * any other certificate path validation in the process.
     *
     * @param pKIXParameters the parameters to modify in place
     * @param z whether CRL checking applies to the chain when no system CRL is loaded
     * @return the same {@code pKIXParameters} instance
     */
    private static PKIXParameters doCRLValidation(PKIXParameters pKIXParameters, boolean z) throws IOException, InvalidAlgorithmParameterException, CRLException, NoSuchAlgorithmException {
        if (crl509 == null) {
            // No configured CRL: rely on the certificates' own distribution points, if any.
            Trace.msgSecurityPrintln("trustdecider.check.validation.crl.system.off");
            pKIXParameters.setRevocationEnabled(z);
            System.setProperty("com.sun.security.enableCRLDP", Boolean.toString(z));
            return pKIXParameters;
        }
        Trace.msgSecurityPrintln("trustdecider.check.validation.crl.system.on");
        System.clearProperty("com.sun.security.enableCRLDP");
        pKIXParameters.setRevocationEnabled(true);
        CollectionCertStoreParameters crlHolder = new CollectionCertStoreParameters(Collections.singletonList(crl509));
        pKIXParameters.addCertStore(java.security.cert.CertStore.getInstance("Collection", crlHolder));
        return pKIXParameters;
    }

    /**
     * Configures OCSP-based revocation checking through JVM security properties.
     *
     * <p>Sets {@code ocsp.enable} and the revocation flag of {@code pKIXParameters} from
     * {@code z}. When the class-level {@code ocspValidConfig} flag is set, it also publishes the
     * configured responder URL and, if a certificate in {@code linkedHashSet} has a subject alias
     * equal to {@code ocspSigner}, that certificate's subject name as
     * {@code ocsp.responderCertSubjectName}. Finally, when {@code z} is true and {@code z2} is
     * false, CRL distribution point fetching is switched on.
     *
     * <p>NOTE(review): {@code Security.setProperty} and {@code System.setProperty} are
     * process-wide. {@code ocsp.responderCertSubjectName} is only written when a matching signer
     * is found and is never cleared here, so a value from an earlier call stays in effect.
     * Confirm that this is intended.
     *
     * @param pKIXParameters the parameters whose revocation flag is set to {@code z}
     * @param linkedHashSet certificates searched for the configured OCSP signer
     * @param x509CertificateArr not used by this method
     * @param z whether OCSP and revocation checking are enabled
     * @param z2 when true, the CRLDP system property is left untouched
     */
    private static void doOCSPValidation(PKIXParameters pKIXParameters, LinkedHashSet linkedHashSet, X509Certificate[] x509CertificateArr, boolean z, boolean z2) throws IOException {
        Security.setProperty("ocsp.enable", Boolean.toString(z));
        if (ocspValidConfig) {
            Security.setProperty("ocsp.responderURL", ocspURL);
        }
        pKIXParameters.setRevocationEnabled(z);

        if (!ocspValidConfig) {
            Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.system.off");
        } else {
            Trace.msgSecurityPrintln("trustdecider.check.validation.ocsp.system.on");
            // First certificate whose subject alias matches the configured signer, if any.
            X509Certificate signerCert = null;
            for (Object entry : linkedHashSet) {
                X509Certificate candidate = (X509Certificate) entry;
                if (ocspSigner.equals(CertUtils.extractSubjectAliasName(candidate))) {
                    signerCert = candidate;
                    break;
                }
            }
            if (signerCert != null) {
                Security.setProperty("ocsp.responderCertSubjectName", signerCert.getSubjectX500Principal().getName());
            }
        }

        // CRLDP is turned on only when checking is enabled and the caller did not opt out.
        if (z && !z2) {
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
    }

    /**
     * Queries an OCSP responder for the status of a single certificate.
     *
     * <p>The responder URI comes from the class-level {@code ocspURL} when
     * {@code ocspValidConfig} is set, otherwise from {@code OCSP.getResponderURI} applied to the
     * certificate itself. With a configured responder, the responder certificate is the first
     * entry of {@code linkedHashSet} whose subject alias equals {@code ocspSigner}; in every
     * other case {@code x509Certificate2} is used as the responder certificate.
     *
     * <p>NOTE(review): when the configured URL is not a valid URI, or no responder URI is
     * available, this method returns {@code GOOD} without contacting any responder. The result
     * therefore cannot distinguish "not revoked" from "status was never checked". Confirm that
     * callers accept this soft-fail behaviour.
     *
     * @param x509Certificate the certificate whose status is requested
     * @param x509Certificate2 second argument to {@code OCSP.check} (presumably the issuer
     *     certificate; verify against caller) and the default responder certificate
     * @param linkedHashSet certificates searched for the configured OCSP signer
     * @param date passed through to {@code OCSP.check}
     * @return the status reported by the responder, or {@code GOOD} when no usable responder
     *     URI exists
     */
    private static OCSP.RevocationStatus.CertStatus doOCSPEEValidation(X509Certificate x509Certificate, X509Certificate x509Certificate2, LinkedHashSet linkedHashSet, Date date) throws IOException, CertPathValidatorException {
        Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.start");
        URI responderUri;
        X509Certificate responderCert = x509Certificate2;
        if (!ocspValidConfig) {
            responderUri = OCSP.getResponderURI(x509Certificate);
        } else {
            try {
                responderUri = new URI(ocspURL);
                for (Object entry : linkedHashSet) {
                    X509Certificate candidate = (X509Certificate) entry;
                    if (ocspSigner.equals(CertUtils.extractSubjectAliasName(candidate))) {
                        responderCert = candidate;
                        break;
                    }
                }
            } catch (URISyntaxException e) {
                // Malformed configured URL: no query is made and GOOD is reported (see NOTE above).
                Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.responderURI.no");
                return OCSP.RevocationStatus.CertStatus.GOOD;
            }
        }

        if (responderUri == null) {
            // No responder known for this certificate: also reported as GOOD.
            Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.responderURI.no");
            return OCSP.RevocationStatus.CertStatus.GOOD;
        }

        Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.responderURI.value", new Object[]{responderUri.toString()});
        OCSP.RevocationStatus revocation = OCSP.check(x509Certificate, x509Certificate2, responderUri, responderCert, date);
        OCSP.RevocationStatus.CertStatus reported = revocation.getCertStatus();
        Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.return.status", new Object[]{reported.name()});
        return reported;
    }

    /**
     * Reports whether the certificate's subject falls under one of the configured jurisdictions.
     *
     * <p>The subject distinguished name is rendered with {@code X500Principal.getName()} and
     * compared, as a plain string suffix, against each entry of the class-level
     * {@code jurisdictionList}.
     *
     * <p>NOTE(review): {@code String.endsWith} does not check that the match begins on an RDN
     * boundary, and the comparison is sensitive to case and to the exact string form of the
     * name. Confirm that the entries of {@code jurisdictionList} are built so that a suffix
     * match cannot accept a subject outside the intended jurisdiction.
     *
     * @param x509Certificate the certificate whose subject name is tested
     * @return {@code true} if the subject name ends with any jurisdiction entry
     */
    private static boolean checkTrustedExtension(X509Certificate x509Certificate) {
        Trace.msgSecurityPrintln("trustdecider.check.trustextension.jurisdiction");
        String subjectDn = x509Certificate.getSubjectX500Principal().getName();
        for (Object entry : jurisdictionList) {
            String jurisdictionSuffix = (String) entry;
            if (subjectDn.endsWith(jurisdictionSuffix)) {
                Trace.msgSecurityPrintln("trustdecider.check.trustextension.jurisdiction.found");
                return true;
            }
        }
        return false;
    }

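    /**
     * Checks whether the certificate was signed by a CA certificate held in the given map under
     * the certificate's issuer name.
     *
     * <p>The map is queried with the issuer {@link X500Principal}; the entry found there is
     * accepted only if its public key verifies the certificate's signature. A missing or
     * {@code null} entry is reported as a failure.
     *
     * <p>NOTE(review): only the name lookup and the signature are checked here. Validity period,
     * basic constraints and key usage of the mapped certificate are not examined in this method;
     * confirm that the caller or the code that fills the map covers them.
     *
     * @param hashMap map from issuer principal to certificate (presumably keyed by the CA
     *     subject name; verify against caller)
     * @param x509Certificate the certificate whose issuer is looked up
     * @return {@code true} if a mapped certificate verifies the signature, {@code false}
     *     otherwise
     */
    private static boolean isReplacedCA(HashMap hashMap, X509Certificate x509Certificate) {
        Trace.msgSecurityPrintln("trustdecider.check.replacedCA.start");
        X500Principal issuer = x509Certificate.getIssuerX500Principal();
        // Single lookup; a null mapping counts as "no replacement", the same outcome as a
        // failed signature check.
        X509Certificate replacementCa = (X509Certificate) hashMap.get(issuer);
        if (replacementCa != null && isSignatureValid(replacementCa, x509Certificate)) {
            Trace.msgSecurityPrintln("trustdecider.check.replacedCA.succeed");
            return true;
        }
        Trace.msgSecurityPrintln("trustdecider.check.replacedCA.failed");
        return false;
    }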

    /**
     * Tests whether one certificate's public key verifies another certificate's signature.
     *
     * <p>Every exception is treated as "not valid", including runtime exceptions such as a
     * {@code NullPointerException} from a {@code null} argument. Nothing is traced, so a
     * rejected signature and an unusable key are indistinguishable to the caller.
     *
     * @param x509Certificate the certificate supplying the public key
     * @param x509Certificate2 the certificate whose signature is verified
     * @return {@code true} if verification completes without an exception, {@code false}
     *     otherwise
     */
    private static boolean isSignatureValid(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        boolean verified = false;
        try {
            x509Certificate2.verify(x509Certificate.getPublicKey());
            verified = true;
        } catch (Exception ignored) {
            // Deliberately broad: any failure leaves the result at false.
        }
        return verified;
    }

    // Class initializer: creates the shared DeployLock, then calls reset().
    static {
        // Redundant null store before the real assignment; looks like a decompiler artifact.
        deployLock = null;
        deployLock = new DeployLock();
        // reset() is defined elsewhere in this class; it runs only after the lock exists.
        reset();
    }
}
