package com.jrockit.mc.rcp.application.p2;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.CodeSigner;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:com/jrockit/mc/rcp/application/p2/SignerValidator.class */
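/**
 * Validates the {@link CodeSigner} of signed content against a pinned publisher identity and
 * a PKIX trust store (the package name suggests p2 provisioning, but this class only sees the
 * {@code CodeSigner}).
 *
 * <p>Acceptance requires all of:
 * <ul>
 *   <li>the leaf signer certificate has the pinned subject DN, a critical keyUsage extension
 *       containing only {@code digitalSignature}, and no unsupported critical extensions
 *       ({@link #isUs(Certificate)});</li>
 *   <li>the signer certificate path builds to an anchor in {@link #CACERTS_PATH};</li>
 *   <li>if a timestamp is present, its TSA certificate path also validates and carries a
 *       critical extendedKeyUsage with {@code id-kp-timeStamping}; the signer path is then
 *       validated as of the timestamp time instead of "now".</li>
 * </ul>
 *
 * <p>Revocation checking is disabled (see {@link #validateSigner(CodeSigner)}), so a
 * compromised-but-unrevoked signer key is not detected here. Every failure surfaces as a
 * {@link SecurityException}.
 *
 * <p>Thread-safety: the instance holds only read-only state after construction; each call to
 * {@link #validateSigner(CodeSigner)} builds its own {@link PKIXBuilderParameters}.
 */
public final class SignerValidator {
    /** OID of the keyUsage certificate extension (id-ce-keyUsage). */
    private static final String ID_CE_keyUsage = "2.5.29.15";
    /** OID of the extendedKeyUsage certificate extension (id-ce-extKeyUsage). */
    private static final String ID_CE_extKeyUsage = "2.5.29.37";
    /** Extended key purpose id-kp-codeSigning. */
    private static final String ID_KP_codeSigning = "1.3.6.1.5.5.7.3.3";
    /** Extended key purpose id-kp-timeStamping. */
    private static final String ID_KP_timeStamping = "1.3.6.1.5.5.7.3.8";
    /** Trust store used as the set of PKIX trust anchors; resolved once at class load. */
    private static final File CACERTS_PATH = createCACertsPath();
    private final KeyStore keyStore;
    private final CertPathValidator chainValidator;
    /** Selector that pins the expected signer: subject DN, digitalSignature KU, codeSigning EKU. */
    private final X509CertSelector usSelector;

    /**
     * Creates a new validator backed by {@link #CACERTS_PATH}.
     *
     * @return a freshly constructed validator (no caching is done)
     * @throws SecurityException if the trust store cannot be read (see {@link #SignerValidator()})
     */
    public static SignerValidator getValidator() {
        return new SignerValidator();
    }

    /**
     * Resolves the trust store location.
     *
     * <p>The system property {@code com.oracle.jmc.p2.trustStore} overrides the default
     * {@code $JAVA_HOME/lib/security/cacerts}. Whoever can set that property (or replace the
     * default file) controls which roots this validator trusts, so it must only be settable by
     * the operator launching the JVM.
     *
     * @return the trust store file; existence is not checked here
     */
    private static File createCACertsPath() {
        String path = System.getProperty("com.oracle.jmc.p2.trustStore");
        if (path == null) {
            String sep = File.separator;
            // String.valueOf keeps the original behaviour of never throwing on a missing java.home.
            path = String.valueOf(System.getProperty("java.home")) + sep + "lib" + sep + "security" + sep + "cacerts";
        }
        return new File(path);
    }

    /**
     * Loads the trust store and prepares the PKIX validator and the pinned-signer selector.
     *
     * @throws SecurityException wrapping the underlying {@link IOException},
     *         {@link KeyStoreException}, {@link NoSuchAlgorithmException} or
     *         {@link CertificateException} if the trust store cannot be opened or parsed
     */
    public SignerValidator() {
        try (FileInputStream trustStoreIn = new FileInputStream(CACERTS_PATH)) {
            this.chainValidator = CertPathValidator.getInstance("PKIX");
            // NOTE(review): recent JDKs ship cacerts in PKCS12 format; the JDK's "JKS"
            // implementation is documented to read both, but confirm on every target runtime.
            this.keyStore = KeyStore.getInstance("JKS");
            // A null password skips the keystore integrity check, so the store's integrity
            // rests entirely on the file-system permissions of CACERTS_PATH.
            this.keyStore.load(trustStoreIn, null);
            this.usSelector = createUsSelector();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Builds the selector describing the only accepted signer certificate.
     *
     * <p>Note that {@link X509CertSelector} treats a certificate without a keyUsage or
     * extendedKeyUsage extension as matching any usage; {@link #isUs(Certificate)} therefore
     * re-checks keyUsage explicitly. The extendedKeyUsage criterion is not re-checked
     * (NOTE(review): confirm whether a certificate with no EKU at all should be accepted).
     *
     * @return the configured selector
     * @throws IOException if the DER-encoded subject cannot be parsed (should not happen for the
     *         fixed bytes below)
     */
    private static X509CertSelector createUsSelector() throws IOException {
        X509CertSelector selector = new X509CertSelector();
        // keyUsage bit 0 (digitalSignature) must be set.
        selector.setKeyUsage(new boolean[]{true});
        selector.setExtendedKeyUsage(Collections.singleton(ID_KP_codeSigning));
        // DER-encoded subject Name. Decoded from these bytes:
        //   C=US, ST=California, L=Redwood City, O=Oracle America, Inc.,
        //   OU=Software Engineering, CN=Oracle America, Inc.
        // Kept as the exact DER blob rather than a string so the pin cannot drift through
        // string-form re-encoding.
        selector.setSubject(new byte[]{48, -127, -106, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 19, 10, 67, 97, 108, 105, 102, 111, 114, 110, 105, 97, 49, 21, 48, 19, 6, 3, 85, 4, 7, 19, 12, 82, 101, 100, 119, 111, 111, 100, 32, 67, 105, 116, 121, 49, 29, 48, 27, 6, 3, 85, 4, 10, 19, 20, 79, 114, 97, 99, 108, 101, 32, 65, 109, 101, 114, 105, 99, 97, 44, 32, 73, 110, 99, 46, 49, 29, 48, 27, 6, 3, 85, 4, 11, 19, 20, 83, 111, 102, 116, 119, 97, 114, 101, 32, 69, 110, 103, 105, 110, 101, 101, 114, 105, 110, 103, 49, 29, 48, 27, 6, 3, 85, 4, 3, 19, 20, 79, 114, 97, 99, 108, 101, 32, 65, 109, 101, 114, 105, 99, 97, 44, 32, 73, 110, 99, 46});
        return selector;
    }

    /**
     * Validates a signer, throwing if it is not the pinned publisher with a valid chain.
     *
     * <p>Order of checks: leaf identity pin, then (if timestamped) TSA leaf EKU and TSA chain
     * validation as of now, then the signer chain validation as of the timestamp time (or now,
     * when untimestamped). Validating at the timestamp time means a signer certificate that has
     * since expired is still accepted when countersigned by a valid TSA.
     *
     * <p>NOTE(review): revocation checking is turned off, so neither CRLs nor OCSP are consulted;
     * a revoked signer or TSA certificate still validates. Enabling it would require network
     * access or a locally provisioned CRL source.
     *
     * @param codeSigner the signer taken from a verified JAR entry; must not be null
     * @throws SecurityException with {@code Messages.DISTRUSTED_SIGNER} when the signer or TSA
     *         leaf is not the expected identity (or the certificate path is empty), otherwise
     *         wrapping the {@link CertPathValidatorException}, {@link KeyStoreException} or
     *         {@link InvalidAlgorithmParameterException} from PKIX validation
     */
    public void validateSigner(CodeSigner codeSigner) {
        CertPath signerCertPath = codeSigner.getSignerCertPath();
        if (!isUs(leafOf(signerCertPath))) {
            throw new SecurityException(Messages.DISTRUSTED_SIGNER);
        }
        try {
            PKIXBuilderParameters params = new PKIXBuilderParameters(this.keyStore, new X509CertSelector());
            params.setRevocationEnabled(false);
            Timestamp timestamp = codeSigner.getTimestamp();
            if (timestamp != null) {
                Date signingTime = timestamp.getTimestamp();
                CertPath tsaCertPath = timestamp.getSignerCertPath();
                if (!isTimeStamping(leafOf(tsaCertPath))) {
                    throw new SecurityException(Messages.DISTRUSTED_SIGNER);
                }
                // The TSA chain is checked against the current date (params has no date yet).
                this.chainValidator.validate(tsaCertPath, params);
                // From here on the signer chain is judged as of the countersigned time.
                params.setDate(signingTime);
            }
            this.chainValidator.validate(signerCertPath, params);
        } catch (InvalidAlgorithmParameterException | KeyStoreException | CertPathValidatorException e) {
            throw new SecurityException(e);
        }
    }

    /**
     * Returns the end-entity certificate of a path (index 0 in PKIX ordering).
     *
     * @param certPath the path to inspect
     * @return the first certificate of the path
     * @throws SecurityException with {@code Messages.DISTRUSTED_SIGNER} if the path is empty,
     *         instead of the {@link IndexOutOfBoundsException} a bare {@code get(0)} would raise
     */
    private static Certificate leafOf(CertPath certPath) {
        List<? extends Certificate> certificates = certPath.getCertificates();
        if (certificates.isEmpty()) {
            throw new SecurityException(Messages.DISTRUSTED_SIGNER);
        }
        return certificates.get(0);
    }

    /**
     * Checks whether a certificate is the pinned signer.
     *
     * <p>Beyond {@link #usSelector}, the keyUsage extension must be present, critical, and set
     * <em>only</em> the digitalSignature bit, and the certificate must carry no critical
     * extension this runtime cannot interpret.
     *
     * @param certificate the leaf certificate of the signer path
     * @return {@code true} only for an X.509 certificate satisfying all pins
     */
    private boolean isUs(Certificate certificate) {
        if (!(certificate instanceof X509Certificate) || !this.usSelector.match(certificate)) {
            return false;
        }
        X509Certificate x509 = (X509Certificate) certificate;
        if (!isDigitalSignatureOnly(x509.getKeyUsage())) {
            return false;
        }
        Set<String> criticalOids = x509.getCriticalExtensionOIDs();
        return criticalOids != null
                && criticalOids.contains(ID_CE_keyUsage)
                && !x509.hasUnsupportedCriticalExtension();
    }

    /**
     * Returns whether a keyUsage bit array has exactly the digitalSignature bit (index 0) set.
     *
     * @param keyUsage the array from {@link X509Certificate#getKeyUsage()}, possibly null
     * @return {@code false} for null/empty input or when any bit other than index 0 is set
     */
    private static boolean isDigitalSignatureOnly(boolean[] keyUsage) {
        if (keyUsage == null || keyUsage.length < 1 || !keyUsage[0]) {
            return false;
        }
        for (int bit = 1; bit < keyUsage.length; bit++) {
            if (keyUsage[bit]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks whether a certificate is acceptable as a time-stamping authority leaf: a critical
     * extendedKeyUsage extension containing {@code id-kp-timeStamping}, and no unsupported
     * critical extensions. No subject pin is applied; trust comes from chain validation.
     *
     * @param certificate the leaf certificate of the TSA path
     * @return {@code true} only for an X.509 certificate meeting those conditions
     */
    private boolean isTimeStamping(Certificate certificate) {
        if (!(certificate instanceof X509Certificate)) {
            return false;
        }
        X509Certificate x509 = (X509Certificate) certificate;
        Set<String> criticalOids = x509.getCriticalExtensionOIDs();
        List<String> extendedKeyUsage;
        try {
            extendedKeyUsage = x509.getExtendedKeyUsage();
        } catch (CertificateParsingException e) {
            // An unparsable EKU is treated as absent, which rejects the certificate below.
            extendedKeyUsage = null;
        }
        return criticalOids != null
                && extendedKeyUsage != null
                && criticalOids.contains(ID_CE_extKeyUsage)
                && extendedKeyUsage.contains(ID_KP_timeStamping)
                && !x509.hasUnsupportedCriticalExtension();
    }
}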
