package net.sourceforge.jnlp.tools;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Vector;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import net.sourceforge.jnlp.JARDesc;
import net.sourceforge.jnlp.cache.ResourceTracker;
import net.sourceforge.jnlp.runtime.Translator;
import net.sourceforge.jnlp.security.CertVerifier;
import net.sourceforge.jnlp.security.CertificateUtils;
import net.sourceforge.jnlp.security.KeyStores;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.util.SignatureFileVerifier;
import sun.security.x509.NetscapeCertTypeExtension;

/* loaded from: input_file:net/sourceforge/jnlp/tools/JarSigner.class */
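/**
 * Verifies the signatures of a set of cached JAR files and records, per signer
 * certificate path, how many signable entries that path covers.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Issue flags ({@code hasExpiredCert}, {@code badKeyUsage}, ...), the per-path
 *       counters and {@code totalSignableEntries} are instance state that is never
 *       reset, so they accumulate over every JAR verified by one instance.</li>
 *   <li>Trust is decided by keystore membership only (see {@link #checkTrustedCerts()});
 *       this class performs no certificate-path validation or revocation checking
 *       of its own.</li>
 *   <li>Certificate validity is compared with the current wall-clock time; a
 *       signature timestamp, if present, is not consulted.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe: all state is held in unsynchronised fields.
 */
public class JarSigner implements CertVerifier {
    private static final String META_INF = "META-INF/";
    private static final String SIG_PREFIX = "META-INF/SIG-";

    /** 180 days in milliseconds; certificates expiring within this window are flagged as "expiring". */
    private static final long SIX_MONTHS = 180L * 24 * 60 * 60 * 1000;

    /** OID of the anyExtendedKeyUsage purpose. */
    private static final String OID_ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0";
    /** OID of the id-kp-codeSigning extended key usage purpose. */
    private static final String OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    /** OID of the Netscape certificate type extension. */
    private static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";

    X509Certificate[] certChain;
    boolean verbose = false;
    boolean showcerts = false;
    private boolean hasExpiredCert = false;
    private boolean hasExpiringCert = false;
    private boolean notYetValidCert = false;
    private boolean badKeyUsage = false;
    private boolean badExtendedKeyUsage = false;
    private boolean badNetscapeCertType = false;
    private boolean alreadyTrustPublisher = false;
    private boolean rootInCacerts = false;
    private CertPath certPath = null;
    private boolean noSigningIssues = true;
    private boolean anyJarsSigned = false;
    private ArrayList<String> verifiedJars = null;
    private ArrayList<String> unverifiedJars = null;
    // Signer certificate path -> number of signable entries it signed, across all verified JARs.
    private HashMap<CertPath, Integer> certs = new HashMap<>();
    private ArrayList<String> details = new ArrayList<>();
    // Number of entries (across all verified JARs) that are expected to carry a signature.
    private int totalSignableEntries = 0;

    /** Outcome of verifying a single JAR. */
    public enum verifyResult {
        /** No entry in the JAR carries a code signer. */
        UNSIGNED,
        /** At least one entry is signed and no blocking issue was recorded. */
        SIGNED_OK,
        /** At least one entry is signed, but an unsigned entry or a certificate problem was found. */
        SIGNED_NOT_OK
    }

    /** Returns whether the publisher certificate was found in the certificate keystores. */
    @Override
    public boolean getAlreadyTrustPublisher() {
        return this.alreadyTrustPublisher;
    }

    /** Returns whether some certificate of the selected path was found in the CA keystores. */
    @Override
    public boolean getRootInCacerts() {
        return this.rootInCacerts;
    }

    /** Returns the certificate path selected by {@link #verifyJars}, or {@code null} if none was. */
    @Override
    public CertPath getCertPath() {
        return this.certPath;
    }

    /**
     * Returns whether any certificate problem has been recorded so far.
     *
     * <p>An expiring (not yet expired) certificate and unsigned entries are not
     * part of this result; unsigned entries are reflected by {@link #noSigningIssues()}.
     */
    @Override
    public boolean hasSigningIssues() {
        return this.hasExpiredCert
                || this.notYetValidCert
                || this.badKeyUsage
                || this.badExtendedKeyUsage
                || this.badNetscapeCertType;
    }

    /** Returns {@code false} once any JAR has verified as {@link verifyResult#SIGNED_NOT_OK}. */
    @Override
    public boolean noSigningIssues() {
        return this.noSigningIssues;
    }

    /** Returns whether at least one verified JAR contained a signed entry. */
    public boolean anyJarsSigned() {
        return this.anyJarsSigned;
    }

    /** Returns the live list of (already translated) detail messages collected so far. */
    @Override
    public ArrayList<String> getDetails() {
        return this.details;
    }

    /** Returns a snapshot of every signer certificate path seen so far. */
    public ArrayList<CertPath> getCerts() {
        return new ArrayList<>(this.certs.keySet());
    }

    /**
     * Returns whether at least one certificate path signed every signable entry
     * counted so far.
     */
    public boolean isFullySignedByASingleCert() {
        return this.certs.containsValue(this.totalSignableEntries);
    }

    /**
     * Verifies every JAR in {@code list} that has a cache file and then selects a
     * certificate path that signed all signable entries, preferring one that is
     * already trusted.
     *
     * @param list            descriptors of the JARs to verify
     * @param resourceTracker used to resolve each JAR location to its cache file
     * @throws Exception if a JAR cannot be opened or read, or if verification of an
     *                   entry fails
     */
    public void verifyJars(List<JARDesc> list, ResourceTracker resourceTracker) throws Exception {
        this.verifiedJars = new ArrayList<>();
        this.unverifiedJars = new ArrayList<>();

        for (JARDesc jar : list) {
            File cacheFile = resourceTracker.getCacheFile(jar.getLocation());
            if (cacheFile == null) {
                // NOTE(review): a JAR without a cache file is skipped and ends up in
                // neither list, so allJarsSigned() does not account for it - confirm
                // that callers handle such JARs separately.
                continue;
            }
            String jarPath = cacheFile.getAbsolutePath();
            verifyResult result = verifyJar(jarPath);
            if (result == verifyResult.UNSIGNED) {
                this.unverifiedJars.add(jarPath);
            } else if (result == verifyResult.SIGNED_NOT_OK) {
                this.noSigningIssues = false;
                this.verifiedJars.add(jarPath);
            } else if (result == verifyResult.SIGNED_OK) {
                this.verifiedJars.add(jarPath);
            }
        }

        // Only a path that covers every signable entry is a candidate publisher.
        // Stop at the first candidate that is trusted; otherwise the last candidate
        // examined stays selected.
        for (CertPath candidate : this.certs.keySet()) {
            if (this.certs.get(candidate).intValue() == this.totalSignableEntries) {
                this.certPath = candidate;
                checkTrustedCerts();
                if (this.alreadyTrustPublisher || this.rootInCacerts) {
                    return;
                }
            }
        }
    }

    /**
     * Verifies one JAR and updates the signer counters and issue flags.
     *
     * @param str path of the JAR file
     * @return the verification outcome for this JAR
     * @throws Exception if the JAR cannot be opened or read; reading an entry of a
     *                   {@link JarFile} opened with verification enabled is also what
     *                   surfaces a failed signature check
     */
    private verifyResult verifyJar(String str) throws Exception {
        boolean anySigned = false;
        boolean hasUnsignedEntry = false;

        // try-with-resources closes the JAR and each entry stream on every path,
        // including when reading an entry throws.
        try (JarFile jarFile = new JarFile(str, true)) {
            List<JarEntry> entries = new ArrayList<>();
            byte[] buffer = new byte[8192];

            // JarEntry.getCodeSigners() only reports signers after the entry has been
            // read to the end of its stream, so drain every entry first.
            Enumeration<JarEntry> jarEntries = jarFile.entries();
            while (jarEntries.hasMoreElements()) {
                JarEntry entry = jarEntries.nextElement();
                entries.add(entry);
                try (InputStream in = jarFile.getInputStream(entry)) {
                    while (in.read(buffer, 0, buffer.length) != -1) {
                        // Content is discarded; reading is what drives verification.
                    }
                }
            }

            if (jarFile.getManifest() != null) {
                if (this.verbose) {
                    System.out.println();
                }
                long now = System.currentTimeMillis();
                for (JarEntry entry : entries) {
                    CodeSigner[] signers = entry.getCodeSigners();
                    boolean isSigned = signers != null;
                    anySigned |= isSigned;

                    // Directories and the signature files themselves never carry a signature.
                    boolean shouldBeSigned = !entry.isDirectory() && !signatureRelated(entry.getName());
                    hasUnsignedEntry |= shouldBeSigned && !isSigned;
                    if (shouldBeSigned) {
                        this.totalSignableEntries++;
                    }
                    if (shouldBeSigned && isSigned) {
                        for (CodeSigner signer : signers) {
                            recordSigner(signer, now);
                        }
                    }
                }
            } else {
                // No manifest means nothing can be signed. Counting one signable entry
                // keeps any certificate path from matching the total for the whole set.
                this.totalSignableEntries++;
            }

            if (!anySigned) {
                return verifyResult.UNSIGNED;
            }
            this.anyJarsSigned = true;

            boolean blockingIssue = hasUnsignedEntry
                    || this.hasExpiredCert
                    || this.badKeyUsage
                    || this.badExtendedKeyUsage
                    || this.badNetscapeCertType
                    || this.notYetValidCert;

            // An expiring certificate is reported to the user but does not change the result.
            if (blockingIssue || this.hasExpiringCert) {
                addToDetails(Translator.R("SRunWithoutRestrictions"));
                if (this.badKeyUsage) {
                    addToDetails(Translator.R("SBadKeyUsage"));
                }
                if (this.badExtendedKeyUsage) {
                    addToDetails(Translator.R("SBadExtendedKeyUsage"));
                }
                if (this.badNetscapeCertType) {
                    addToDetails(Translator.R("SBadNetscapeCertType"));
                }
                if (hasUnsignedEntry) {
                    addToDetails(Translator.R("SHasUnsignedEntry"));
                }
                if (this.hasExpiredCert) {
                    addToDetails(Translator.R("SHasExpiredCert"));
                }
                if (this.hasExpiringCert) {
                    addToDetails(Translator.R("SHasExpiringCert"));
                }
                if (this.notYetValidCert) {
                    addToDetails(Translator.R("SNotYetValidCert"));
                }
            }
            return blockingIssue ? verifyResult.SIGNED_NOT_OK : verifyResult.SIGNED_OK;
        } catch (Exception e) {
            // Kept from the original: the failure is printed before it is propagated,
            // so it stays visible even if a caller discards the exception.
            e.printStackTrace();
            throw e;
        }
    }

    /**
     * Counts one signed entry for the signer's certificate path and checks the
     * signer's leaf certificate for usage and validity problems.
     *
     * @param signer a code signer of a signable entry
     * @param now    current time in epoch milliseconds, used for the validity checks
     */
    private void recordSigner(CodeSigner signer, long now) {
        CertPath path = signer.getSignerCertPath();
        Integer seen = this.certs.get(path);
        this.certs.put(path, seen == null ? 1 : seen + 1);

        Certificate leaf = path.getCertificates().get(0);
        if (!(leaf instanceof X509Certificate)) {
            return;
        }
        X509Certificate x509 = (X509Certificate) leaf;
        checkCertUsage(x509, null);

        // NOTE(review): the validity window is only examined while showcerts is false;
        // nothing in this class sets showcerts - confirm no other class in the package does.
        if (!this.showcerts) {
            long notBefore = x509.getNotBefore().getTime();
            long notAfter = x509.getNotAfter().getTime();
            // Compared with the current time, not with a signature timestamp.
            if (now < notBefore) {
                this.notYetValidCert = true;
            }
            if (notAfter < now) {
                this.hasExpiredCert = true;
            } else if (notAfter < now + SIX_MONTHS) {
                this.hasExpiringCert = true;
            }
        }
    }

    /**
     * Looks up the selected certificate path in the configured keystores and records
     * the outcome in {@code alreadyTrustPublisher} and {@code rootInCacerts}.
     *
     * <p>This is a membership test only: the publisher certificate is looked up in the
     * certificate keystores, and each certificate of the path is looked up in the CA
     * keystores until one is found. The chain itself is not validated here.
     *
     * @throws Exception propagated unchanged from the keystore lookups
     */
    private void checkTrustedCerts() throws Exception {
        if (this.certPath == null) {
            return;
        }
        this.alreadyTrustPublisher =
                CertificateUtils.inKeyStores((X509Certificate) getPublisher(), KeyStores.getCertKeyStores());

        KeyStore[] caKeyStores = KeyStores.getCAKeyStores();
        for (Certificate cert : this.certPath.getCertificates()) {
            this.rootInCacerts = CertificateUtils.inKeyStores((X509Certificate) cert, caKeyStores);
            if (this.rootInCacerts) {
                break;
            }
        }

        addToDetails(Translator.R(this.rootInCacerts ? "STrustedCertificate" : "SUntrustedCertificate"));
    }

    /** Returns the first certificate of the selected path, or {@code null} if there is none. */
    @Override
    public Certificate getPublisher() {
        if (this.certPath == null) {
            return null;
        }
        List<? extends Certificate> certificates = this.certPath.getCertificates();
        return certificates.isEmpty() ? null : certificates.get(0);
    }

    /** Returns the last certificate of the selected path, or {@code null} if there is none. */
    @Override
    public Certificate getRoot() {
        if (this.certPath == null) {
            return null;
        }
        List<? extends Certificate> certificates = this.certPath.getCertificates();
        return certificates.isEmpty() ? null : certificates.get(certificates.size() - 1);
    }

    /** Appends {@code str} to the detail messages unless it is already present. */
    private void addToDetails(String str) {
        if (!this.details.contains(str)) {
            this.details.add(str);
        }
    }

    /**
     * Returns whether {@code str} names the manifest, the {@code META-INF/} directory
     * or a signature file directly inside {@code META-INF/}.
     *
     * <p>Such entries are excluded from the "must be signed" count, so the match has
     * to be exact: the name is upper-cased with {@link Locale#ROOT} so the comparison
     * does not depend on the default locale (under a Turkish locale {@code "i"}
     * upper-cases to a dotted capital I and {@code "meta-inf/"} would not match).
     */
    private boolean signatureRelated(String str) {
        String upperCase = str.toUpperCase(Locale.ROOT);
        if (upperCase.equals("META-INF/MANIFEST.MF") || upperCase.equals(META_INF)) {
            return true;
        }
        // Only files directly inside META-INF/ (a single '/') qualify.
        boolean directlyInMetaInf = upperCase.indexOf('/') == upperCase.lastIndexOf('/');
        if (upperCase.startsWith(SIG_PREFIX) && directlyInMetaInf) {
            return true;
        }
        return upperCase.startsWith(META_INF)
                && SignatureFileVerifier.isBlockOrSF(upperCase)
                && directlyInMetaInf;
    }

    /**
     * Checks whether a certificate's usage extensions permit code signing.
     *
     * <p>Three extensions are examined, each only when present: key usage (the
     * digitalSignature bit must be set), extended key usage (must list
     * anyExtendedKeyUsage or codeSigning) and the Netscape certificate type (must
     * allow object signing). An extension that is present but cannot be parsed is
     * reported as bad rather than ignored, so a malformed certificate is not treated
     * as if it carried no restriction.
     *
     * @param x509Certificate the certificate to inspect
     * @param zArr            if non-null, an array of at least three elements that
     *                        receives the result as {key usage, extended key usage,
     *                        Netscape cert type}, {@code true} meaning "bad"; if
     *                        {@code null}, the corresponding instance flags are set
     *                        instead (and never cleared)
     */
    void checkCertUsage(X509Certificate x509Certificate, boolean[] zArr) {
        if (zArr != null) {
            zArr[2] = false;
            zArr[1] = false;
            zArr[0] = false;
        }

        // Index 0 of the key usage bit array is digitalSignature.
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage != null && (keyUsage.length < 1 || !keyUsage[0])) {
            if (zArr != null) {
                zArr[0] = true;
            } else {
                this.badKeyUsage = true;
            }
        }

        boolean extendedKeyUsageBad;
        try {
            List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            extendedKeyUsageBad = extendedKeyUsage != null
                    && !extendedKeyUsage.contains(OID_ANY_EXTENDED_KEY_USAGE)
                    && !extendedKeyUsage.contains(OID_CODE_SIGNING);
        } catch (CertificateParsingException e) {
            // Fail closed: an undecodable extension must not pass as "no restriction".
            extendedKeyUsageBad = true;
        }
        if (extendedKeyUsageBad) {
            if (zArr != null) {
                zArr[1] = true;
            } else {
                this.badExtendedKeyUsage = true;
            }
        }

        boolean netscapeCertTypeBad;
        try {
            byte[] extensionValue = x509Certificate.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
            if (extensionValue == null) {
                netscapeCertTypeBad = false;
            } else {
                // The extension value is an OCTET STRING wrapping the DER-encoded bit string.
                byte[] bits = new DerValue(new DerInputStream(extensionValue).getOctetString())
                        .getUnalignedBitString()
                        .toByteArray();
                Boolean objectSigning = (Boolean) new NetscapeCertTypeExtension(bits).get("object_signing");
                netscapeCertTypeBad = !objectSigning.booleanValue();
            }
        } catch (IOException e) {
            // Fail closed, as for the extended key usage above.
            netscapeCertTypeBad = true;
        }
        if (netscapeCertTypeBad) {
            if (zArr != null) {
                zArr[2] = true;
            } else {
                this.badNetscapeCertType = true;
            }
        }
    }

    /**
     * Returns whether the last {@link #verifyJars} run found no unsigned JAR.
     *
     * <p>Returns {@code false} when {@link #verifyJars} has not run yet, so that
     * "nothing was checked" is never reported as "everything is signed".
     */
    public boolean allJarsSigned() {
        return this.unverifiedJars != null && this.unverifiedJars.isEmpty();
    }
}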
