package com.sun.deploy.security;

import com.sun.applet2.preloader.Preloader;
import com.sun.deploy.Environment;
import com.sun.deploy.cache.Cache;
import com.sun.deploy.config.Config;
import com.sun.deploy.model.LocalApplicationProperties;
import com.sun.deploy.model.ResourceProvider;
import com.sun.deploy.panel.AndOrRadioPropertyGroup;
import com.sun.deploy.resources.ResourceManager;
import com.sun.deploy.security.ruleset.DeploymentRuleSet;
import com.sun.deploy.trace.Trace;
import com.sun.deploy.trace.TraceLevel;
import com.sun.deploy.ui.AppInfo;
import com.sun.deploy.uitoolkit.ToolkitStore;
import com.sun.deploy.uitoolkit.ui.UIFactory;
import com.sun.deploy.util.SecurityBaseline;
import com.sun.deploy.util.SessionProperties;
import com.sun.deploy.util.SessionState;
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

/* loaded from: input_file:com/sun/deploy/security/SandboxSecurity.class */
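/**
 * Gatekeeper that decides whether a sandboxed deployed application may start.
 *
 * <p>The entry point is {@link #isPermissionGranted}. It consults the {@link DeploymentRuleSet},
 * then follows either the signed path (certificate validation plus a sandbox security dialog) or
 * the unsigned path (expired-JRE / local-file / untrusted prompts). A refusal is always signalled
 * by an exception, never by a return value: {@link #showBlockedDialog} unconditionally throws
 * {@code BlockedException}, and the prompt helpers throw {@link SecurityException} when the
 * dialog result is neither 0 nor 2.
 *
 * <p>Answers for unsigned applications are cached per location in {@code sessionProps}, so the
 * user is not prompted again while that entry exists.
 */
public class SandboxSecurity {
    private static final String EXPIRED_VERSION_KEY = "ssv.expired.allowed";
    private static final String UNTRUSTED_KEY = "ssv.untrusted.allowed";
    private static final String RUNLOCAL_KEY = "ssv.run.local.allowed";
    protected static final String FILENAME = "sandbox.properties";

    // Per-location cache of accepted unsigned apps; also used as the monitor guarding that cache.
    private static final SessionProperties sessionProps = new SessionProperties(FILENAME);
    // Monitor guarding blockKey. Final so the lock object can never be swapped out.
    private static final Object blockLock;
    // Location (as a string) of the application most recently reported as blocked.
    private static String blockKey;
    private static final String masthead;
    private static final String runKey;
    private static final String cancel;
    private static final String securityInfoDescription;
    private static final String securityInfoCancel;
    private static final String securityInfoTrusted;
    private static final String securityRisk;

    /**
     * Forgets previously stored answers for one application.
     *
     * <p>Clears the three {@code ssv.*.allowed} keys, persists the properties, and drops the
     * matching entry from the session cache. A {@code null} argument is a no-op.
     *
     * @param localApplicationProperties properties of the application to reset, may be null
     */
    public static void resetAcceptedVersion(LocalApplicationProperties localApplicationProperties) {
        if (localApplicationProperties == null) {
            return;
        }
        localApplicationProperties.put(EXPIRED_VERSION_KEY, null);
        localApplicationProperties.put(UNTRUSTED_KEY, null);
        localApplicationProperties.put(RUNLOCAL_KEY, null);
        try {
            localApplicationProperties.store();
        } catch (IOException e) {
            // Best effort: a failed store is only traced, so the reset may not have been
            // persisted even though this method returns normally.
            Trace.ignoredException(e);
        }
        String locString = TrustDecider.getLocString(localApplicationProperties.getLocation());
        if (locString != null) {
            sessionProps.remove(locString);
        }
    }

    /**
     * Runs the sandbox security checks for an application and returns only if it may proceed.
     *
     * <p>Despite the name nothing is returned; every refusal surfaces as an exception.
     *
     * @param codeSource code source of the application; null or certificate-less means unsigned
     * @param appInfo description of the application being launched
     * @param deploymentRuleSet rule-set decision that applies to this application
     * @param preloader passed through to the trust decision callbacks
     * @throws SecurityException (including {@code BlockedException}) when the launch is refused
     */
    public static void isPermissionGranted(CodeSource codeSource, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet, Preloader preloader) {
        Config.getHooks().trackUsage(appInfo, deploymentRuleSet);
        if (deploymentRuleSet.isRuleBlock()) {
            // Always throws, so nothing below runs for a rule-set block.
            showBlockedDialog(appInfo, deploymentRuleSet.getBlockString(), "deployment.blocked.by.rule", deploymentRuleSet.getException(), codeSource);
        }
        if (codeSource == null || codeSource.getCertificates() == null) {
            checkUnsignedSandboxSecurity(appInfo, deploymentRuleSet);
            return;
        }
        try {
            DeployManifestChecker.verify(codeSource.getLocation(), false, appInfo);
        } catch (SecurityException e) {
            Trace.ignored(e);
            // A manifest verification failure is turned into a block; the original exception is
            // carried along as the cause.
            showBlockedDialog(appInfo, null, null, e, codeSource);
        }
        if (Config.isJavaVersionAtLeast16()) {
            checkSignedSandboxSecurity(codeSource, appInfo, deploymentRuleSet, preloader);
        } else {
            // On older JREs the certificates are not evaluated at all; the app gets the
            // unsigned prompts instead.
            Trace.println("Jar has Certs, treating sandbox app as unsigned due to running old JRE", TraceLevel.SECURITY);
            checkUnsignedSandboxSecurity(appInfo, deploymentRuleSet);
        }
    }

    /**
     * Validates the signer chain of a signed sandbox application and prompts when required.
     *
     * <p>Only the first chain returned by {@code TrustDecider.breakDownMultiSignerChains} is
     * evaluated. The rule set can veto the launch based on the validation result (CA-signed,
     * self-signed, expired certificate, local file origin). When the rule set says "run" the
     * trust decision is forced to 1 and no dialog is shown.
     *
     * <p>The whole check runs under the TrustDecider deploy lock.
     */
    private static void checkSignedSandboxSecurity(CodeSource codeSource, AppInfo appInfo, DeploymentRuleSet deploymentRuleSet, Preloader preloader) {
        String blockReasonKey = null;
        try {
            TrustDecider.grabDeployLock();
            ValidationState validationState = new ValidationState();
            X509Certificate[] signerChain = null;
            Certificate[] certificates = codeSource.getCertificates();
            try {
                TrustDecider.ensureBasicStoresLoaded();
                Iterator<?> chains = TrustDecider.breakDownMultiSignerChains(certificates).iterator();
                // NOTE(review): only the first signer chain is looked at; additional signers,
                // if any, do not influence the decision here.
                if (chains.hasNext()) {
                    signerChain = ((List<?>) chains.next()).toArray(new X509Certificate[0]);
                    try {
                        validationState = TrustDecider.getValidationState(signerChain, codeSource, 0, true, deploymentRuleSet.isRevocationCheckBestEffort(), false, deploymentRuleSet.isRuleRun());
                        LocalApplicationProperties localApplicationProperties = Cache.getLocalApplicationProperties(appInfo.getLapURL());
                        if (localApplicationProperties != null) {
                            localApplicationProperties.storeMainPublisherAndTitle(validationState.getPublisher(), appInfo.getDisplayTitle());
                        }
                        boolean rootCaValid = validationState.rootCAValid;
                        if (validationState.trustDecision == 0) {
                            // Decision 0 is handled as "user declined" (see the message key).
                            TrustDecider.notifyOnUserDeclined(preloader, codeSource.getLocation() != null ? codeSource.getLocation().toString() : null);
                            blockReasonKey = "deployment.user.denied";
                        } else if (rootCaValid) {
                            if (deploymentRuleSet.isCaSignedNever()) {
                                blockReasonKey = "deployment.run.sandbox.signed.never.text";
                            }
                        } else if (SecurityBaseline.isExpired() && deploymentRuleSet.isSSVModeNever()) {
                            blockReasonKey = "deployment.ssv2.mode.never.text";
                        } else if (deploymentRuleSet.isSelfSignedNever()) {
                            blockReasonKey = "deployment.run.sandbox.selfsigned.never.text";
                        }
                        // The remaining vetoes apply only if nothing above already blocked.
                        if (blockReasonKey == null && !validationState.timeValid && deploymentRuleSet.isExpiredBlocked()) {
                            blockReasonKey = "deployment.block.expired.text";
                        }
                        if (blockReasonKey == null && !rootCaValid && isLocalApp(appInfo)) {
                            if (deploymentRuleSet.isRunLocalAppletsNever()) {
                                blockReasonKey = "deployment.local.applet.never.text";
                            }
                        }
                    } catch (Exception e) {
                        BadCertificateDialog.showDialog(codeSource, appInfo, e);
                        throw new SecurityException(e.getMessage(), e);
                    }
                }
                if (blockReasonKey != null) {
                    // NOTE(review): the BlockedException thrown here is inside the enclosing
                    // try and is therefore caught by catch (Exception) below and re-wrapped in a
                    // plain SecurityException; the same applies to the SecurityException thrown
                    // by the inner catch above. Confirm this is intended.
                    showBlockedDialog(appInfo, null, blockReasonKey, null, codeSource);
                }
                if (deploymentRuleSet.isRuleRun()) {
                    // A "run" rule overrides whatever validation decided and suppresses the prompt.
                    validationState.trustDecision = 1L;
                }
                if (validationState.trustDecision == 2) {
                    // Decision 2 leads to the sandbox dialog; its answer is recorded by TrustDecider.
                    // If no chain was found signerChain is still null and the dialog helper fails
                    // with an exception that ends up in the catch below.
                    TrustDecider.recordSandboxAnswer(signerChain, codeSource, validationState, preloader, showSandboxDialog(codeSource.getLocation(), appInfo, signerChain, !validationState.timeValid, !validationState.rootCAValid, validationState.revStatusUnknown));
                }
            } catch (Exception e2) {
                BadCertificateDialog.showDialog(codeSource, appInfo, e2);
                throw new SecurityException(e2.getMessage(), e2);
            }
        } catch (InterruptedException e3) {
            Trace.ignored(e3);
            showBlockedDialog(appInfo, null, "deployment.run.sandbox.signed.error", e3, codeSource);
        } finally {
            // NOTE(review): this also runs when grabDeployLock() itself was interrupted;
            // confirm that releasing without holding the lock is safe.
            TrustDecider.releaseDeployLock();
        }
    }

    /**
     * Prompts for an unsigned sandbox application unless the prompt can be skipped.
     *
     * <p>The prompt is skipped when the session cache already has an entry for the location,
     * when {@code Environment.isWebJava()} is false, or when the rule set says "run". The cache
     * entry is written only if the selected check returns normally; a block or a declined
     * prompt leaves via an exception and nothing is cached.
     */
    private static void checkUnsignedSandboxSecurity(AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) {
        // NOTE(review): resetAcceptedVersion guards against a null location string, this method
        // does not; verify getLocString cannot return null for the LAP URL.
        if (sessionProps.getProperty(TrustDecider.getLocString(appInfo.getLapURL())) == null && Environment.isWebJava() && !deploymentRuleSet.isRuleRun()) {
            synchronized (sessionProps) {
                // Re-check under the lock: another thread may have answered meanwhile.
                if (sessionProps.getProperty(TrustDecider.getLocString(appInfo.getLapURL())) != null) {
                    return;
                }
                if (SecurityBaseline.isExpired()) {
                    checkRunExpired(appInfo, deploymentRuleSet);
                } else if (isLocalApp(appInfo)) {
                    checkRunLocal(appInfo, deploymentRuleSet);
                } else {
                    checkRunUntrusted(appInfo, deploymentRuleSet);
                }
                sessionProps.setProperty(TrustDecider.getLocString(appInfo.getLapURL()), AndOrRadioPropertyGroup.TRUE);
            }
        }
    }

    /** Blocks if untrusted apps are never allowed, otherwise shows the untrusted prompt. */
    private static void checkRunUntrusted(AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) {
        if (deploymentRuleSet.isRunUntrustedNever()) {
            showBlockedDialog(appInfo, null, "deployment.run.untrusted.never.text", deploymentRuleSet.getException(), null);
        }
        // Reached only when not blocked (showBlockedDialog always throws). The boolean result
        // is not used: any answer that does not throw lets the launch continue.
        showUntrustedDialog(appInfo, deploymentRuleSet);
    }

    /** Blocks if the rule set forbids running on an expired JRE, otherwise shows the expired prompt. */
    private static void checkRunExpired(AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) {
        if (deploymentRuleSet.isSSVModeNever()) {
            showBlockedDialog(appInfo, null, "deployment.ssv2.mode.never.text", deploymentRuleSet.getException(), null);
        }
        // The boolean result is not used; see checkRunUntrusted.
        showExpiredDialog(appInfo, deploymentRuleSet);
    }

    /**
     * Handles an unsigned application loaded from a {@code file:} URL: both the local-applet
     * and the untrusted vetoes are applied before the untrusted prompt is shown.
     */
    private static void checkRunLocal(AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) {
        if (deploymentRuleSet.isRunLocalAppletsNever()) {
            showBlockedDialog(appInfo, null, "deployment.local.applet.never.text", deploymentRuleSet.getException(), null);
        }
        if (deploymentRuleSet.isRunUntrustedNever()) {
            showBlockedDialog(appInfo, null, "deployment.run.untrusted.never.text", deploymentRuleSet.getException(), null);
        }
        showUntrustedDialog(appInfo, deploymentRuleSet);
    }

    /** Returns true when the application's origin URL uses the {@code file} protocol. */
    private static boolean isLocalApp(AppInfo appInfo) {
        URL from = appInfo.getFrom();
        return from != null && "file".equals(from.getProtocol());
    }

    /** Looks up the cached local application properties for the application's LAP URL. */
    private static LocalApplicationProperties getLap(AppInfo appInfo) {
        return Cache.getLocalApplicationProperties(appInfo.getLapURL());
    }

    /**
     * Shows the prompt for an unsigned (untrusted) sandbox application.
     *
     * <p>Any stored publisher and title are cleared first, since an unsigned application has no
     * verified publisher.
     *
     * @return true for dialog result 2, false for dialog result 0
     * @throws SecurityException for every other dialog result
     */
    public static boolean showUntrustedDialog(AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) {
        String locationKey = appInfo.isMultiHost() ? "deployment.ssv.location.multihost" : "deployment.ssv.location";
        String multiPromptKey = null;
        String multiTextKey = null;
        if (deploymentRuleSet.isRunUntrustedMultiClick()) {
            multiPromptKey = "deployment.ssv.multi.prompt";
            multiTextKey = "deployment.ssv.multi.text";
        }
        String mainKey = isLocalApp(appInfo) ? "deployment.ssv.localapp.main" : "deployment.ssv.untrusted.main";
        LocalApplicationProperties localApplicationProperties = ResourceProvider.get().getLocalApplicationProperties(appInfo.getLapURL(), null, true);
        if (localApplicationProperties != null) {
            localApplicationProperties.storeMainPublisherAndTitle(null, null);
        }
        int answer = ToolkitStore.getUI().showSSV3Dialog(null, appInfo, 2, "deployment.ssv.title", "deployment.ssv.masthead", mainKey, locationKey, "deployment.ssv.prompt", multiPromptKey, multiTextKey, "deployment.ssv.run", null, "deployment.ssv.cancel", null, null);
        if (answer == 2) {
            return true;
        }
        if (answer == 0) {
            return false;
        }
        throw new SecurityException("User declined to run unsigned sandbox app", null);
    }

    /**
     * Shows the prompt used when the JRE is below the security baseline, offering an update
     * link next to the run and cancel choices.
     *
     * @return true for dialog result 2, false for dialog result 0
     * @throws SecurityException for every other dialog result
     */
    private static boolean showExpiredDialog(AppInfo appInfo, DeploymentRuleSet deploymentRuleSet) {
        String mainKey = isLocalApp(appInfo) ? "deployment.ssv.expired.localapp.main" : "deployment.ssv.expired.main";
        String locationKey = appInfo.isMultiHost() ? "deployment.ssv.location.multihost" : "deployment.ssv.location";
        String multiPromptKey = null;
        String multiTextKey = null;
        if (deploymentRuleSet.isSSVModeMultiClick()) {
            multiPromptKey = "deployment.ssv.multi.prompt";
            multiTextKey = "deployment.ssv.multi.text";
        }
        URL updateUrl = null;
        try {
            // NOTE(review): the update link handed to a user on an out-of-date JRE is plain
            // HTTP, so the download page is not protected in transit; prefer an HTTPS URL.
            updateUrl = new URL("http://java.com/download");
        } catch (Exception e) {
            // Cannot happen for this constant, but do not swallow silently: without the URL
            // the dialog is shown with a null update target.
            Trace.ignored(e);
        }
        // The repeated, result-less ToolkitStore.getUI() calls of the decompiled listing were
        // dropped; the instance obtained here is the one that is used.
        UIFactory ui = ToolkitStore.getUI();
        int answer = ui.showSSV3Dialog(null, appInfo, 2, "deployment.ssv.title", "deployment.ssv.masthead", mainKey, locationKey, "deployment.ssv.update.prompt", multiPromptKey, multiTextKey, "deployment.ssv.run", "deployment.ssv.update", "deployment.ssv.cancel", null, updateUrl);
        if (answer == 2) {
            return true;
        }
        if (answer == 0) {
            return false;
        }
        throw new SecurityException("User declined to run on insecure or expired JRE", null);
    }

    /**
     * Reports that an application is blocked and aborts the launch.
     *
     * <p>This method never returns normally. The dialog is suppressed when the same location
     * was the last one reported, so a repeatedly loading page does not produce a dialog per
     * attempt; the exception is thrown either way.
     *
     * @param appInfo application being blocked; its vendor is cleared before display
     * @param str literal block text from the rule set, or null
     * @param str2 resource key of the block text, used only when {@code str} is null
     * @param exc underlying cause, may be null
     * @param codeSource code source of the application, may be null
     * @throws BlockedException always
     */
    public static void showBlockedDialog(AppInfo appInfo, String str, String str2, Exception exc, CodeSource codeSource) {
        String text = null;
        String mastheadText = ResourceManager.getString("deployment.blocked.masthead");
        if (str != null) {
            text = str;
            mastheadText = ResourceManager.getString("deployment.blocked.ruleset.masthead");
        } else if (str2 != null) {
            text = ResourceManager.getString(str2);
        }
        if (text == null) {
            // Resolved before tracing so the trace records a reason instead of "null" when the
            // caller supplied neither a text nor a key.
            text = ResourceManager.getString("deployment.blocked.text");
        }
        Trace.println(text, TraceLevel.BASIC);
        synchronized (blockLock) {
            String title = ResourceManager.getString("deployment.blocked.title");
            String okLabel = ResourceManager.getString("common.ok_btn");
            String detailLabel = ResourceManager.getString("common.detail.button");
            URL lapURL = appInfo.getLapURL();
            String location = lapURL == null ? null : lapURL.toString();
            if (location == null || !location.equals(blockKey)) {
                appInfo.setVendor(null);
                ToolkitStore.getUI().showPublisherInfo(null, appInfo, title, mastheadText, text, okLabel, detailLabel, null);
            }
            blockKey = location;
        }
        throw new BlockedException(text, exc, codeSource, appInfo);
    }

    /** Shorthand for {@code ResourceManager.getMessage}. */
    private static String getMessage(String str) {
        return ResourceManager.getMessage(str);
    }

    /**
     * Builds the texts for the signed-sandbox security dialog and shows it.
     *
     * <p>The three flags are checked in priority order: an untrusted root first, then an
     * expired certificate, then an unknown revocation status. Each of them produces an alert
     * list headed by the generic risk text; with none set only informational lines are shown.
     *
     * @param url location of the code source, used for multi-host verification
     * @param appInfo application being launched
     * @param chain signer chain; the first certificate supplies the publisher name
     * @param expired true when the certificate is outside its validity period
     * @param rootNotValid true when the chain does not end in a valid root CA
     * @param revocationUnknown true when the revocation status could not be determined
     * @return the result code of the dialog
     */
    private static int showSandboxDialog(URL url, AppInfo appInfo, X509Certificate[] chain, boolean expired, boolean rootNotValid, boolean revocationUnknown) {
        ArrayList<String> alerts = null;
        ArrayList<String> info = new ArrayList<String>();
        info.add(securityInfoDescription);
        info.add(securityInfoCancel);
        String publisher = CertUtils.extractSubjectAliasName(chain[0]);
        if (rootNotValid) {
            alerts = new ArrayList<String>();
            alerts.add(securityRisk);
            String unknown = getMessage("security.dialog.notverified.subject");
            // Literal replace: the localized text is data, not a regular expression, so
            // metacharacters in it must not be interpreted (the listing used replaceAll).
            info.add(getMessage("security.info.publisher.unknown").replace(unknown, unknown.toUpperCase()));
            info.add(getMessage("sandbox.security.info.selfsigned.state"));
            // The certificate's own subject name is not shown for an unverified publisher.
            publisher = unknown.toUpperCase();
        } else if (expired) {
            alerts = new ArrayList<String>();
            alerts.add(combineMessage(securityRisk, getMessage("sandbox.security.dialog.expired.signed.label")));
            info.add(securityInfoTrusted);
            info.add(getMessage("sandbox.security.info.expired.state"));
        } else if (revocationUnknown) {
            alerts = new ArrayList<String>();
            alerts.add(combineMessage(securityRisk, getMessage("sandbox.security.info.selfsigned.revocation.unknown")));
            info.add(securityInfoTrusted);
            info.add(getMessage("sandbox.security.info.revocation.unsure.state"));
        } else {
            info.add(securityInfoTrusted);
            info.add(getMessage("sandbox.security.info.trusted.state"));
        }
        if (alerts != null) {
            // With alerts present the informational lines are appended to the alert list and
            // the separate info array is passed as null.
            alerts.addAll(info);
        }
        String caption = alerts == null ? getMessage("security.dialog.valid.caption") : getMessage("security.dialog.caption");
        // True only for a valid root with known revocation status, and then only for a
        // single-host app or a multi-host app whose hosts verify. What the dialog does with
        // this flag is not visible in this class.
        boolean chainAndHostOk = false;
        boolean useSingleHostView = false;
        if (!rootNotValid && !revocationUnknown) {
            if (!appInfo.isMultiHost()) {
                chainAndHostOk = true;
            } else if (DeployManifestChecker.verifyMultiHost(url, appInfo)) {
                chainAndHostOk = true;
                useSingleHostView = true;
            }
        }
        AppInfo dialogAppInfo = useSingleHostView ? AppInfo.createSingleHostAppInfo(appInfo) : appInfo;
        String[] alertArray = alerts != null ? alerts.toArray(new String[alerts.size()]) : null;
        String[] infoArray = alerts == null ? info.toArray(new String[info.size()]) : null;
        return ToolkitStore.getUI().showSandboxSecurityDialog(dialogAppInfo, caption, masthead, publisher, appInfo.getFrom(), chainAndHostOk, false, runKey, cancel, alertArray, infoArray, true, chain, 0, chain.length, rootNotValid || expired || revocationUnknown, rootNotValid);
    }

    /** Joins two message paragraphs with a blank line between them. */
    private static String combineMessage(String str, String str2) {
        return str + "\n\n" + str2;
    }

    static {
        SessionState.register(sessionProps);
        blockLock = new Object();
        blockKey = null;
        masthead = getMessage("deployment.ssv.masthead");
        runKey = "deployment.ssv.run";
        cancel = getMessage("deployment.ssv.cancel");
        securityInfoDescription = getMessage("sandbox.security.info.description");
        securityInfoCancel = getMessage("sandbox.security.info.cancel");
        securityInfoTrusted = getMessage("sandbox.security.info.trusted");
        securityRisk = getMessage("sandbox.security.info.risk");
    }
}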
