package net.sourceforge.jnlp.tools;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import java.util.jar.JarEntry;
import java.util.regex.Pattern;
import net.sourceforge.jnlp.JARDesc;
import net.sourceforge.jnlp.JNLPFile;
import net.sourceforge.jnlp.LaunchException;
import net.sourceforge.jnlp.cache.ResourceTracker;
import net.sourceforge.jnlp.runtime.JNLPClassLoader;
import net.sourceforge.jnlp.security.AppVerifier;
import net.sourceforge.jnlp.security.CertVerifier;
import net.sourceforge.jnlp.security.CertificateUtils;
import net.sourceforge.jnlp.security.KeyStores;
import net.sourceforge.jnlp.util.JarFile;
import net.sourceforge.jnlp.util.logging.OutputController;
import org.ccil.cowan.tagsoup.HTMLModels;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.x509.NetscapeCertTypeExtension;

/* loaded from: input_file:net/sourceforge/jnlp/tools/JarCertVerifier.class */
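/**
 * Verifies the signatures of application JARs and records, per signer certificate path,
 * what was found (usage flags, validity window, trust-store membership).
 *
 * <p>Results are kept in two maps: {@code certs} (signer {@link CertPath} to
 * {@link CertInformation}) and {@code jarSignableEntries} (JAR path to the number of entries
 * that are expected to be signed). Trust decisions are delegated to the supplied
 * {@link AppVerifier}.
 *
 * <p>Points a reviewer should keep in mind when relying on this class:
 * <ul>
 *   <li>A certificate path is only recorded for a JAR when it signed <em>every</em> signable
 *       entry of that JAR.</li>
 *   <li>{@link #allJarsSigned()} reports the presence of a full signature, not its quality:
 *       JARs classified {@link VerifyResult#SIGNED_NOT_OK} are still listed as verified.
 *       Signing problems must be read from {@link CertInformation}.</li>
 *   <li>Only the first certificate of each path has its validity dates and usage extensions
 *       inspected here.</li>
 *   <li>This class performs no synchronization of its own.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the decompiler's type-inference warnings for
 * {@code verifyJar} have been dropped and that method rewritten with try-with-resources.
 */
public class JarCertVerifier implements CertVerifier {
    /** Directory prefix under which manifest and signature files are looked for. */
    private static final String META_INF = "META-INF/";
    /** Matches entry names containing {@code META-INF/SIG-}. */
    private static final Pattern SIG = Pattern.compile(".*META-INF/SIG-.*");
    private static final String SIG_PREFIX = "META-INF/SIG-";
    /** 180 days in milliseconds; certificates expiring within this window are flagged. */
    private static final long SIX_MONTHS = 15552000000L;

    /** Extended key usage OID: anyExtendedKeyUsage. */
    private static final String OID_ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0";
    /** Extended key usage OID: id-kp-codeSigning. */
    private static final String OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    /** Extension OID: Netscape certificate type. */
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";

    /** Certificate path most recently selected through one of the accessor methods. */
    private CertPath currentlyUsed;
    private final AppVerifier appVerifier;
    /** Absolute paths of JARs classified SIGNED_OK or SIGNED_NOT_OK. */
    private final List<String> verifiedJars = new ArrayList<>();
    /** Absolute paths of JARs classified UNSIGNED. */
    private final List<String> unverifiedJars = new ArrayList<>();
    private final Map<CertPath, CertInformation> certs = new HashMap<>();
    private final Map<String, Integer> jarSignableEntries = new HashMap<>();

    /**
     * Outcome of verifying a single JAR.
     *
     * <p>Decompiler note: the original access modifier was package-private.
     */
    public enum VerifyResult {
        /** No certificate path signed every signable entry. */
        UNSIGNED,
        /** No signable entries, or at least one recorded signer has no signing issues. */
        SIGNED_OK,
        /** Fully signed, but no recorded signer is free of signing issues. */
        SIGNED_NOT_OK
    }

    /**
     * Creates a verifier that delegates trust decisions to {@code appVerifier}.
     *
     * @param appVerifier policy object consulted for trust and full-signing decisions
     */
    public JarCertVerifier(AppVerifier appVerifier) {
        this.appVerifier = appVerifier;
    }

    /**
     * Reports whether nothing needs a signature: no signable entries and no recorded signers.
     *
     * @return {@code true} if both the signable-entry total and the signer map are empty
     */
    public boolean isTriviallySigned() {
        return getTotalJarEntries(this.jarSignableEntries) <= 0 && this.certs.size() <= 0;
    }

    /**
     * Asks the {@link AppVerifier} whether a publisher is already trusted, and logs the answer.
     *
     * @return the delegate's answer
     */
    @Override
    public boolean getAlreadyTrustPublisher() {
        boolean trusted = this.appVerifier.hasAlreadyTrustedPublisher(this.certs, this.jarSignableEntries);
        OutputController.getLogger().log("App already has trusted publisher: " + trusted);
        return trusted;
    }

    /**
     * Asks the {@link AppVerifier} whether a trusted root CA is present, and logs the answer.
     *
     * @return the delegate's answer
     */
    @Override
    public boolean getRootInCacerts() {
        boolean rootTrusted = this.appVerifier.hasRootInCacerts(this.certs, this.jarSignableEntries);
        OutputController.getLogger().log("App has trusted root CA: " + rootTrusted);
        return rootTrusted;
    }

    /**
     * Returns the currently selected certificate path.
     *
     * @param certPath ignored by this implementation
     * @return the currently selected path, possibly {@code null}
     */
    @Override
    public CertPath getCertPath(CertPath certPath) {
        return this.currentlyUsed;
    }

    /**
     * Reports whether the recorded information for {@code certPath} has signing issues.
     *
     * @param certPath a path previously recorded by verification
     * @return the recorded flag
     * @throws NullPointerException if {@code certPath} has not been recorded
     */
    @Override
    public boolean hasSigningIssues(CertPath certPath) {
        return this.certs.get(certPath).hasSigningIssues();
    }

    /**
     * Returns the detail strings for a certificate path. A non-null argument also becomes
     * the currently selected path.
     *
     * @param certPath path to select, or {@code null} to use the current selection
     * @return detail strings of the selected path
     * @throws NullPointerException if the selected path has not been recorded
     */
    @Override
    public List<String> getDetails(CertPath certPath) {
        if (certPath != null) {
            this.currentlyUsed = certPath;
        }
        return this.certs.get(this.currentlyUsed).getDetailsAsStrings();
    }

    /**
     * Returns a snapshot of the recorded signer certificate paths.
     *
     * @return a new list; changes to it do not affect this verifier
     */
    public List<CertPath> getCertsList() {
        return new ArrayList<>(this.certs.keySet());
    }

    /**
     * Returns the information recorded for {@code certPath}.
     *
     * @param certPath signer path to look up
     * @return the recorded information, or {@code null} if none
     */
    public CertInformation getCertInformation(CertPath certPath) {
        return this.certs.get(certPath);
    }

    /**
     * Reports whether the application counts as fully signed. Trivially signed applications
     * are accepted without consulting the {@link AppVerifier}.
     *
     * @return {@code true} if trivially signed or if the delegate says so
     */
    public boolean isFullySigned() {
        if (isTriviallySigned()) {
            return true;
        }
        boolean fullySigned = this.appVerifier.isFullySigned(this.certs, this.jarSignableEntries);
        // The original message repeated the "trusted publisher" text, which made the
        // security log misleading when triaging a launch decision.
        OutputController.getLogger().log("App is fully signed: " + fullySigned);
        return fullySigned;
    }

    /**
     * Verifies a single JAR with a fresh verifier.
     *
     * @param jARDesc JAR to check
     * @param appVerifier policy object for the temporary verifier
     * @param resourceTracker used to locate the cached file of the JAR
     * @return result of {@link #allJarsSigned()} on the temporary verifier
     * @throws Exception if verification fails
     */
    public static boolean isJarSigned(JARDesc jARDesc, AppVerifier appVerifier, ResourceTracker resourceTracker) throws Exception {
        JarCertVerifier verifier = new JarCertVerifier(appVerifier);
        List<JARDesc> single = new ArrayList<>();
        single.add(jARDesc);
        verifier.add(single, resourceTracker);
        return verifier.allJarsSigned();
    }

    /**
     * Verifies the given JARs and merges the results into this verifier.
     *
     * @param list JARs to verify
     * @param resourceTracker used to locate the cached file of each JAR
     * @throws Exception if verification or trust-store access fails
     */
    public void add(List<JARDesc> list, ResourceTracker resourceTracker) throws Exception {
        verifyJars(list, resourceTracker);
    }

    /**
     * Verifies each JAR not seen before, then refreshes the trust flags of every recorded
     * signer path.
     *
     * <p>NOTE(review): a JAR whose cache file is {@code null} is skipped without being added
     * to either list, so it does not make {@link #allJarsSigned()} return {@code false}.
     * Confirm that callers cannot load such a JAR later without verification.
     */
    private void verifyJars(List<JARDesc> list, ResourceTracker resourceTracker) throws Exception {
        for (JARDesc jar : list) {
            File cacheFile = resourceTracker.getCacheFile(jar.getLocation());
            if (cacheFile == null) {
                continue;
            }
            String jarPath = cacheFile.getAbsolutePath();
            if (this.verifiedJars.contains(jarPath) || this.unverifiedJars.contains(jarPath)) {
                continue;
            }
            VerifyResult result = verifyJar(jarPath);
            if (result == VerifyResult.UNSIGNED) {
                this.unverifiedJars.add(jarPath);
            } else if (result == VerifyResult.SIGNED_NOT_OK) {
                // Signed-with-issues still counts as "verified"; the issues are kept in
                // CertInformation and must be checked separately.
                this.verifiedJars.add(jarPath);
            } else if (result == VerifyResult.SIGNED_OK) {
                this.verifiedJars.add(jarPath);
            }
        }
        for (CertPath signerPath : this.certs.keySet()) {
            checkTrustedCerts(signerPath);
        }
    }

    /**
     * Opens the JAR, reads every entry to the end, and classifies the JAR from the code
     * signers attached to its entries.
     *
     * <p>The second constructor argument presumably enables signature verification as it does
     * in {@code java.util.jar.JarFile} (confirm against the project's {@code JarFile}). With
     * the JDK class, an entry's code signers are only available after its stream has been
     * read completely, which is why each entry is drained here.
     *
     * @param str absolute path of the JAR
     * @return classification of the JAR
     * @throws Exception any failure while reading or verifying; logged before rethrow
     */
    private VerifyResult verifyJar(String str) throws Exception {
        try (JarFile jarFile = new JarFile(str, true)) {
            Vector<JarEntry> seenEntries = new Vector<>();
            // NOTE(review): HTMLModels.M_LEGEND is an HTML-parser constant unrelated to JAR
            // handling; it looks like a decompiler substitution for a numeric buffer size.
            // Confirm the intended value and replace it with a plain literal.
            byte[] buffer = new byte[HTMLModels.M_LEGEND];
            Enumeration<JarEntry> entries = jarFile.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                seenEntries.addElement(entry);
                // try-with-resources closes the stream even when read() throws; the
                // decompiled form left read() outside its cleanup handler.
                try (InputStream in = jarFile.getInputStream(entry)) {
                    while (in.read(buffer, 0, buffer.length) != -1) {
                        // Content is discarded; reading is done only for its side effect.
                    }
                }
            }
            return verifyJarEntryCerts(str, jarFile.getManifest() != null, seenEntries);
        } catch (Exception e) {
            OutputController.getLogger().log(OutputController.Level.ERROR_ALL, (Throwable) e);
            throw e;
        }
    }

    /**
     * Classifies a JAR from the code signers of its entries and updates {@code certs} and
     * {@code jarSignableEntries}.
     *
     * <p>An entry is signable when it is neither a directory nor matched by
     * {@link #isMetaInfFile(String)}. A signer path is recorded only if it signed every
     * signable entry. A JAR without a manifest is treated as having one unsigned entry.
     *
     * @param str absolute path of the JAR, used as the map key and in the log line
     * @param z whether the JAR has a manifest
     * @param vector entries of the JAR, already read so that their code signers are available
     * @return {@code SIGNED_OK} when there are no signable entries or a recorded signer has no
     *     issues, {@code SIGNED_NOT_OK} when fully signed but no such signer exists,
     *     {@code UNSIGNED} otherwise
     * @throws Exception declared by the original signature
     */
    VerifyResult verifyJarEntryCerts(String str, boolean z, Vector<JarEntry> vector) throws Exception {
        Map<CertPath, Integer> signedCounts = new HashMap<>();
        int signableEntries = 0;
        final long now = System.currentTimeMillis();
        if (z) {
            for (JarEntry entry : vector) {
                CodeSigner[] signers = entry.getCodeSigners();
                boolean signable = !entry.isDirectory() && !isMetaInfFile(entry.getName());
                if (!signable) {
                    continue;
                }
                signableEntries++;
                if (signers == null) {
                    continue;
                }
                for (CodeSigner signer : signers) {
                    CertPath signerPath = signer.getSignerCertPath();
                    Integer soFar = signedCounts.get(signerPath);
                    signedCounts.put(signerPath, soFar == null ? 1 : soFar.intValue() + 1);
                }
            }
        } else {
            // No manifest means nothing can be signed: count one entry with no signers.
            signableEntries = 1;
        }
        this.jarSignableEntries.put(str, Integer.valueOf(signableEntries));

        boolean fullySignedBySomeone = false;
        for (Map.Entry<CertPath, Integer> counted : signedCounts.entrySet()) {
            if (counted.getValue().intValue() != signableEntries) {
                // Partial signers are ignored: they did not cover every signable entry.
                continue;
            }
            CertPath signerPath = counted.getKey();
            fullySignedBySomeone = true;
            boolean alreadyKnown = this.certs.containsKey(signerPath);
            if (!alreadyKnown) {
                this.certs.put(signerPath, new CertInformation());
            }
            CertInformation info = this.certs.get(signerPath);
            if (alreadyKnown) {
                info.resetForReverification();
            }
            info.setNumJarEntriesSigned(str, signableEntries);
            // Only the first certificate of the path is inspected for usage and dates.
            Certificate first = signerPath.getCertificates().get(0);
            if (first instanceof X509Certificate) {
                X509Certificate signerCert = (X509Certificate) first;
                checkCertUsage(signerPath, signerCert, null);
                long notBefore = signerCert.getNotBefore().getTime();
                long notAfter = signerCert.getNotAfter().getTime();
                if (now < notBefore) {
                    info.setNotYetValidCert();
                }
                if (notAfter < now) {
                    info.setHasExpiredCert();
                } else if (notAfter < now + SIX_MONTHS) {
                    info.setHasExpiringCert();
                }
            }
        }

        VerifyResult result;
        if (signableEntries == 0) {
            result = VerifyResult.SIGNED_OK;
        } else if (fullySignedBySomeone) {
            result = VerifyResult.SIGNED_NOT_OK;
            // NOTE(review): this loop walks every signer seen in this JAR, including partial
            // signers that happen to be recorded in certs from another JAR. Confirm that
            // accepting such a path here is intended.
            for (CertPath signerPath : signedCounts.keySet()) {
                if (this.certs.containsKey(signerPath) && !hasSigningIssues(signerPath)) {
                    result = VerifyResult.SIGNED_OK;
                    break;
                }
            }
        } else {
            result = VerifyResult.UNSIGNED;
        }
        // A space was missing between the path and the verb in the original message.
        OutputController.getLogger().log("Jar found at " + str + " has been verified as " + result);
        return result;
    }

    /**
     * Sets the trust flags of a recorded signer path from the certificate and CA key stores.
     *
     * <p>Side effect: {@link #getPublisher(CertPath)} makes {@code certPath} the currently
     * selected path. The "root in cacerts" flag is set when any certificate of the path,
     * not only the last one, is found in a CA key store.
     *
     * @param certPath a path recorded in {@code certs}
     * @throws Exception any failure while consulting the key stores; logged before rethrow
     */
    private void checkTrustedCerts(CertPath certPath) throws Exception {
        CertInformation info = this.certs.get(certPath);
        try {
            X509Certificate publisher = (X509Certificate) getPublisher(certPath);
            if (CertificateUtils.inKeyStores(publisher, KeyStores.getCertKeyStores())) {
                info.setAlreadyTrustPublisher();
            }
            KeyStore[] caStores = KeyStores.getCAKeyStores();
            for (Certificate link : certPath.getCertificates()) {
                if (CertificateUtils.inKeyStores((X509Certificate) link, caStores)) {
                    info.setRootInCacerts();
                    return;
                }
            }
            info.setUntrusted();
        } catch (Exception e) {
            OutputController.getLogger().log("WARNING: Unable to read through cert store files.");
            throw e;
        }
    }

    /**
     * Selects the certificate path used by the accessor methods.
     *
     * @param certPath path to select; may be {@code null}
     */
    public void setCurrentlyUsedCertPath(CertPath certPath) {
        this.currentlyUsed = certPath;
    }

    /**
     * Returns the first certificate of the selected path. A non-null argument also becomes
     * the currently selected path.
     *
     * @param certPath path to select, or {@code null} to use the current selection
     * @return the first certificate, or {@code null} if no path is selected or it is empty
     */
    @Override
    public Certificate getPublisher(CertPath certPath) {
        if (certPath != null) {
            this.currentlyUsed = certPath;
        }
        if (this.currentlyUsed == null) {
            return null;
        }
        List<? extends Certificate> chain = this.currentlyUsed.getCertificates();
        return chain.isEmpty() ? null : chain.get(0);
    }

    /**
     * Returns the last certificate of the selected path. A non-null argument also becomes
     * the currently selected path.
     *
     * @param certPath path to select, or {@code null} to use the current selection
     * @return the last certificate, or {@code null} if no path is selected or it is empty
     */
    @Override
    public Certificate getRoot(CertPath certPath) {
        if (certPath != null) {
            this.currentlyUsed = certPath;
        }
        if (this.currentlyUsed == null) {
            return null;
        }
        List<? extends Certificate> chain = this.currentlyUsed.getCertificates();
        return chain.isEmpty() ? null : chain.get(chain.size() - 1);
    }

    /**
     * Decides whether an entry name denotes a manifest or signature file, which is excluded
     * from the signable-entry count.
     *
     * <p>The comparison is case-sensitive. NOTE(review): the prefix/suffix test also matches
     * names in subdirectories of {@code META-INF/}; confirm whether only direct children
     * should be exempt from signing.
     *
     * @param str entry name
     * @return {@code true} if the name starts with {@code META-INF/}, does not end with
     *     {@code class}, and ends with {@code .MF}, {@code .SF}, {@code .DSA} or {@code .RSA}
     *     or contains {@code META-INF/SIG-}
     */
    static boolean isMetaInfFile(String str) {
        if (str.endsWith("class") || !str.startsWith(META_INF)) {
            return false;
        }
        return str.endsWith(".MF")
                || str.endsWith(".SF")
                || str.endsWith(".DSA")
                || str.endsWith(".RSA")
                || SIG.matcher(str).matches();
    }

    /**
     * Checks that a signer certificate is permitted to sign code, looking at key usage,
     * extended key usage and the Netscape certificate type extension.
     *
     * <p>When {@code zArr} is non-null the three findings are written to indices 0 (key
     * usage), 1 (extended key usage) and 2 (Netscape type) and {@code certs} is left alone;
     * the array must therefore have at least three elements. When it is {@code null} the
     * findings are recorded on the {@link CertInformation} of {@code certPath}.
     *
     * <p>An absent extension is accepted. An extension that cannot be parsed is also
     * accepted (fail-open); the parse failure is logged so that it is visible in review.
     *
     * @param certPath path whose recorded information is updated when {@code zArr} is null
     * @param x509Certificate certificate to inspect
     * @param zArr optional output array of at least three elements
     */
    void checkCertUsage(CertPath certPath, X509Certificate x509Certificate, boolean[] zArr) {
        if (zArr != null) {
            zArr[2] = false;
            zArr[1] = false;
            zArr[0] = false;
        }

        // Bit 0 of the key usage extension is digitalSignature.
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null && (keyUsage.length < 1 || !keyUsage[0])) {
            if (zArr != null) {
                zArr[0] = true;
            } else {
                this.certs.get(certPath).setBadKeyUsage();
            }
        }

        try {
            List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            if (extendedKeyUsage != null
                    && !extendedKeyUsage.contains(OID_ANY_EXTENDED_KEY_USAGE)
                    && !extendedKeyUsage.contains(OID_CODE_SIGNING)) {
                if (zArr != null) {
                    zArr[1] = true;
                } else {
                    this.certs.get(certPath).setBadExtendedKeyUsage();
                }
            }
        } catch (CertificateParsingException e) {
            // Fail-open: an unparsable extension does not mark the certificate as bad.
            OutputController.getLogger().log(OutputController.Level.ERROR_ALL, (Throwable) e);
        }

        try {
            byte[] extensionValue = x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
            if (extensionValue != null) {
                byte[] octets = new DerInputStream(extensionValue).getOctetString();
                byte[] typeBits = new DerValue(octets).getUnalignedBitString().toByteArray();
                NetscapeCertTypeExtension certType = new NetscapeCertTypeExtension(typeBits);
                if (!certType.get("object_signing").booleanValue()) {
                    if (zArr != null) {
                        zArr[2] = true;
                    } else {
                        this.certs.get(certPath).setBadNetscapeCertType();
                    }
                }
            }
        } catch (IOException e) {
            // Fail-open: an unparsable extension does not mark the certificate as bad.
            OutputController.getLogger().log(OutputController.Level.ERROR_ALL, (Throwable) e);
        }
    }

    /**
     * Reports whether no verified JAR was classified as unsigned. This says nothing about
     * signing issues or trust; see the class documentation.
     *
     * @return {@code true} if the list of unsigned JARs is empty
     */
    public boolean allJarsSigned() {
        return this.unverifiedJars.isEmpty();
    }

    /**
     * Delegates the interactive trust decision to the {@link AppVerifier}.
     *
     * @param securityDelegate passed through to the delegate
     * @param jNLPFile passed through to the delegate
     * @throws LaunchException propagated from the delegate
     */
    public void checkTrustWithUser(JNLPClassLoader.SecurityDelegate securityDelegate, JNLPFile jNLPFile) throws LaunchException {
        this.appVerifier.checkTrustWithUser(securityDelegate, this, jNLPFile);
    }

    /**
     * Returns a read-only view of the signable-entry count per JAR path.
     *
     * @return unmodifiable view backed by this verifier's map
     */
    public Map<String, Integer> getJarSignableEntries() {
        return Collections.unmodifiableMap(this.jarSignableEntries);
    }

    /**
     * Sums the signable-entry counts of all JARs in {@code map}.
     *
     * @param map signable-entry count per JAR path
     * @return the sum of all values
     */
    public static int getTotalJarEntries(Map<String, Integer> map) {
        int total = 0;
        for (Integer count : map.values()) {
            total += count.intValue();
        }
        return total;
    }
}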
