package cn.com.infosec.netsign.base.util;

import cn.com.infosec.asn1.x509.X509Extensions;
import cn.com.infosec.netcert.ocsp.client.OcspClient;
import cn.com.infosec.netcert.ocsp.client.OcspClientProperties;
import cn.com.infosec.netcert.ocsp.client.OcspPropertyException;
import cn.com.infosec.netcert.ocsp.client.OcspResponderInfo;
import cn.com.infosec.netsign.base.CRLUpdater;
import cn.com.infosec.netsign.base.NetSignCertPath;
import cn.com.infosec.netsign.base.NetSignX509CRL;
import cn.com.infosec.netsign.base.channels.ChannelException;
import cn.com.infosec.netsign.crypto.util.CryptoUtil;
import cn.com.infosec.netsign.frame.config.CRLConfig;
import cn.com.infosec.netsign.frame.config.ConfigManager;
import cn.com.infosec.netsign.frame.config.ExtendedConfig;
import cn.com.infosec.netsign.frame.config.OCSPConfig;
import cn.com.infosec.netsign.frame.config.TrustField;
import cn.com.infosec.netsign.frame.util.ByteArray;
import cn.com.infosec.netsign.logger.ConsoleLogger;
import cn.com.infosec.netsign.manager.SignatureCache;
import cn.com.infosec.netsign.resources.rawcert.PBCRAWCert;
import cn.com.infosec.oscca.sm2.SM2Certificate;
import cn.com.infosec.oscca.sm2.SM2PublicKey;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/* loaded from: input_file:cn/com/infosec/netsign/base/util/TrustConfig.class */
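/**
 * Trust-anchor configuration for one {@link TrustField}: the root certificate(s) read from the
 * configured trust directory plus the optional CRL and OCSP revocation-check settings of that field.
 * <p>
 * Signature verification ({@code VerifyCert}) always uses the <em>first</em> root certificate; any
 * further entries in {@link #getRootCertList()} are loaded but not consulted here. Verification results
 * are memoised in {@link SignatureCache}, so a certificate that verified once is accepted on later calls
 * without re-running the signature check.
 * <p>
 * No synchronization is applied: {@link #setCRLUpdater} and the CRL map handed out by
 * {@link #getCRLList()} are shared by reference with whoever mutates them.
 */
public class TrustConfig implements Serializable {
    /** Name of the trust field this configuration was built from. */
    private String name;
    /** Subject DN of the first root certificate, as {@code getSubjectDN().toString()} renders it. */
    private String rootCertDN;
    /** OCSP responder settings; {@code null} when the trust field has no OCSP section. */
    private TrustOCSPConfig ocsp;
    /** CRL settings; {@code null} when the trust field has no CRL section. */
    private TrustCrlConfig crl;
    /** OCSP client bound to the first root certificate; {@code null} unless OCSP is configured. */
    private OcspClient client;
    public static final String CRL_LOAD_MODE_ALL = "all";
    public static final String CRL_LOAD_MODE_REALTIME = "realtime";
    /** {@link #VerifyCRL} result: the certificate is not listed in any consulted CRL. */
    private static final int VERIFY_CRL_OK = 0;
    /** {@link #VerifyCRL} result: the certificate is listed in a CRL. */
    private static final int VERIFY_CRL_REVOKED = 1;
    /** {@link #VerifyCRL} result: a distribution-point CRL is missing and the policy is "no-pass". */
    private static final int VERIFY_CRL_NO_CRL_FILE = 2;
    /** {@link #VerifyCRL} result: a distribution-point CRL failed its own validity check. */
    private static final int VERIFY_CRL_CRL_FILE_EXPIRED = 3;
    /** Value of the {@code onNoCrldp} policy that makes a missing distribution-point CRL a failure. */
    private static final String ON_NO_CRLDP_NO_PASS = "no-pass";
    /** Directory (relative to the JVM working directory) the OCSP responder certificate is read from. */
    private static final String OCSP_CERT_DIR = "cert/ocspcert/";
    /** Supplies distribution-point CRLs; {@code null} until {@link #setCRLUpdater} is called. */
    private CRLUpdater updater = null;
    /** Root certificates in trust-field order; only element 0 is used for verification and OCSP. */
    private List rootCertList = new ArrayList();

    /**
     * Per-trust-field CRL settings copied from a {@link CRLConfig}.
     * <p>
     * Declared {@code static} so that serializing it does not drag the owning {@code TrustConfig}
     * (and its OCSP client) along.
     */
    public static class TrustCrlConfig implements Serializable {
        /** Never assigned in this file, so {@link #isEnabled()} always reports {@code false}. */
        private boolean enabled;
        /** CRLs keyed by name. Exposed live through {@link #getCrlList()}; presumably filled by the CRLUpdater — confirm. */
        private Map crlMap = new HashMap();
        /** Directory CRL files are kept in, from {@code CRLConfig.getCrlDir()}. */
        private String crlPath;
        /** Whether distribution-point CRLs are consulted instead of the whole loaded set. */
        private boolean dpFlag;
        /** CRL download interval, from {@code CRLConfig.getCrlDownloadInterval()}; units defined there. */
        private int interval;
        /** Policy for a missing distribution-point CRL; {@code "no-pass"} rejects, anything else skips. */
        private String onNoCrldp;
        /** Whether distribution-point CRLs must pass {@code NetSignX509CRL.checkValidity()}. */
        private boolean checkValidity;

        /**
         * Copies the CRL settings out of {@code cRLConfig}.
         *
         * @param trustConfig owning configuration; accepted for signature compatibility but not retained
         * @param cRLConfig   source of the settings
         */
        TrustCrlConfig(TrustConfig trustConfig, CRLConfig cRLConfig) {
            this.crlPath = cRLConfig.getCrlDir();
            this.interval = cRLConfig.getCrlDownloadInterval();
            this.dpFlag = cRLConfig.isUseCrldp();
            this.onNoCrldp = cRLConfig.getOnNoCrldp();
            this.checkValidity = cRLConfig.getCheckValidity();
        }

        /** @return whether distribution-point CRLs must pass their validity check */
        public boolean isCheckValidity() {
            return this.checkValidity;
        }

        public void setCheckValidity(boolean z) {
            this.checkValidity = z;
        }

        /** @return the policy applied when a distribution-point CRL cannot be obtained */
        public String getOnNoCrldp() {
            return this.onNoCrldp;
        }

        public void setOnNoCrldp(String str) {
            this.onNoCrldp = str;
        }

        /** @return always {@code false}; the flag is never set anywhere in this class */
        public boolean isEnabled() {
            return this.enabled;
        }

        /** @return the live CRL map (not a copy); modifications are visible to {@link TrustConfig#VerifyCRL} */
        public Map getCrlList() {
            return this.crlMap;
        }

        /** Replaces the CRL map by reference. */
        public void setCrlList(Map map) {
            this.crlMap = map;
        }

        public String getCrlPath() {
            return this.crlPath;
        }

        public boolean getDPFlag() {
            return this.dpFlag;
        }

        public int getInterval() {
            return this.interval;
        }
    }

    /**
     * Per-trust-field OCSP responder settings copied from an {@link OCSPConfig}, including the
     * responder certificate loaded from {@code cert/ocspcert/}.
     */
    public static class TrustOCSPConfig implements Serializable {
        private String ip;
        private int port;
        /** Responder certificate read from {@code OCSP_CERT_DIR + OCSPConfig.getOcspCert()}. */
        private X509Certificate ocspCert;

        /**
         * Copies the responder address and loads the responder certificate.
         *
         * @param trustConfig owning configuration; accepted for signature compatibility but not retained
         * @param oCSPConfig  source of the settings
         * @throws ChannelException when the responder certificate cannot be read or parsed
         */
        TrustOCSPConfig(TrustConfig trustConfig, OCSPConfig oCSPConfig) throws ChannelException {
            this.ip = oCSPConfig.getIp();
            this.port = oCSPConfig.getPort();
            try {
                // File name comes straight from the configuration; a null value yields the literal path ".../null".
                this.ocspCert = loadCertificate(OCSP_CERT_DIR + oCSPConfig.getOcspCert());
            } catch (IOException e) {
                throw new ChannelException(e);
            } catch (GeneralSecurityException e) {
                throw new ChannelException(e);
            }
        }

        public String getIP() {
            return this.ip;
        }

        public int getPort() {
            return this.port;
        }

        public X509Certificate getOCSPCert() {
            return this.ocspCert;
        }
    }

    /**
     * Builds the trust anchor for {@code trustField}: loads every listed root certificate from the
     * trust directory, wraps SM2 roots as {@link SM2Certificate}, and sets up OCSP and CRL checking
     * when the field configures them.
     *
     * @param trustField the trust field definition
     * @throws ChannelException when no root certificate is listed, a certificate cannot be loaded,
     *                          or the OCSP client cannot be created
     */
    public TrustConfig(TrustField trustField) throws ChannelException {
        this.client = null;
        this.name = trustField.getName();
        String path = ConfigManager.getTrustConfig().getPath();
        ArrayList certs = trustField.getCerts();
        if (certs == null || certs.isEmpty()) {
            throw new ChannelException("No root cert found in TrustField: " + trustField.getName());
        }
        for (int i = 0; i < certs.size(); i++) {
            try {
                // File name is taken verbatim from the trust field and appended to the configured directory.
                X509Certificate cert = loadCertificate(path + certs.get(i));
                // Type code 1 is the only one re-wrapped as an SM2 certificate; the SM2 verification path relies on that.
                this.rootCertList.add(Utils.getCertType(cert) == 1
                        ? new SM2Certificate(cert, cert.getEncoded(), cert.getTBSCertificate())
                        : cert);
            } catch (Exception e) {
                throw new ChannelException(e);
            }
        }
        X509Certificate rootCert = (X509Certificate) this.rootCertList.get(0);
        this.rootCertDN = rootCert.getSubjectDN().toString();
        ConsoleLogger.logString("DN of trust field: " + this.rootCertDN);
        OCSPConfig ocspConfig = trustField.getOcspConfig();
        if (ocspConfig != null) {
            this.ocsp = new TrustOCSPConfig(this, ocspConfig);
            this.client = buildOcspClient(rootCert, this.ocsp);
        }
        CRLConfig crlConfig = trustField.getCrlConfig();
        if (crlConfig != null) {
            this.crl = new TrustCrlConfig(this, crlConfig);
        }
    }

    /**
     * Reads one X.509 certificate from {@code filePath} through the InfoSec provider, closing the
     * stream whether or not parsing succeeds.
     *
     * @throws IOException              when the file cannot be opened or closed
     * @throws GeneralSecurityException when the provider or factory is unavailable or the content does not parse
     */
    private static X509Certificate loadCertificate(String filePath) throws IOException, GeneralSecurityException {
        FileInputStream in = new FileInputStream(filePath);
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509", NetSignImpl.PROVIDER_INFOSEC);
            return (X509Certificate) factory.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /**
     * Creates the OCSP client for {@code rootCert}, registering the single configured responder and
     * using the root as the issuer for status requests.
     *
     * @throws ChannelException wrapping any {@link OcspPropertyException} from the client library
     */
    private static OcspClient buildOcspClient(X509Certificate rootCert, TrustOCSPConfig ocspConfig) throws ChannelException {
        try {
            OcspResponderInfo responder = new OcspResponderInfo(rootCert, ocspConfig.getOCSPCert(), ocspConfig.getIP(), ocspConfig.getPort());
            OcspClientProperties properties = new OcspClientProperties();
            properties.addResponderInfo(responder);
            OcspClient ocspClient = new OcspClient(properties);
            ocspClient.setCertIssuer(rootCert);
            return ocspClient;
        } catch (OcspPropertyException e) {
            throw new ChannelException((Throwable) e);
        }
    }

    /** Installs the updater that {@link #VerifyCRL} asks for distribution-point CRLs. */
    public void setCRLUpdater(CRLUpdater cRLUpdater) {
        this.updater = cRLUpdater;
    }

    /** @return the live CRL map of the CRL section, or {@code null} when CRL checking is not configured */
    public Map getCRLList() {
        return this.crl != null ? this.crl.getCrlList() : null;
    }

    /** @return the CRL directory, or {@code null} when CRL checking is not configured */
    public String getCRLPath() {
        return this.crl != null ? this.crl.getCrlPath() : null;
    }

    /**
     * @return the CRL download interval of the CRL section
     * @throws IllegalStateException when CRL checking is not configured (was a bare NPE)
     */
    public int getCRLUpdateInterval() {
        return requireCrlConfig().getInterval();
    }

    /**
     * @return whether distribution-point CRLs are used
     * @throws IllegalStateException when CRL checking is not configured (was a bare NPE)
     */
    public boolean useCRLDP() {
        return requireCrlConfig().getDPFlag();
    }

    public boolean isCrlEnabled() {
        return this.crl != null;
    }

    public boolean isOCSPEnabled() {
        return this.ocsp != null;
    }

    public String getName() {
        return this.name;
    }

    public String getRootCertDN() {
        return this.rootCertDN;
    }

    /** @return the internal root list (not a copy); element 0 is the verification anchor */
    public List getRootCertList() {
        return this.rootCertList;
    }

    public TrustOCSPConfig getOCSP() {
        return this.ocsp;
    }

    public TrustCrlConfig getCrl() {
        return this.crl;
    }

    /** Returns the CRL section or fails with a message naming the trust field. */
    private TrustCrlConfig requireCrlConfig() {
        if (this.crl == null) {
            throw new IllegalStateException("CRL checking is not configured for trust field " + this.name);
        }
        return this.crl;
    }

    /**
     * Reports whether any CRL in {@code crls} lists {@code cert}. No validity check is applied to the
     * CRLs on this path; that only happens for distribution-point CRLs in {@link #VerifyCRL}.
     *
     * @param cert certificate to look up
     * @param crls map whose values are {@link NetSignX509CRL}; {@code null} entries are skipped
     * @return {@code true} when at least one CRL reports the certificate as revoked; {@code false} for a
     *         {@code null} or empty map
     */
    private static boolean isRevokedByAnyCrl(X509Certificate cert, Map crls) {
        if (crls == null) {
            return false;
        }
        Collection values = crls.values();
        if (values == null || values.isEmpty()) {
            return false;
        }
        for (Iterator it = values.iterator(); it.hasNext();) {
            NetSignX509CRL candidate = (NetSignX509CRL) it.next();
            if (candidate != null && candidate.isRevoked(cert)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks a caller-supplied validity window against the current time, unless the global
     * {@code ExtendedConfig.isCheckCertValidity()} switch is off.
     *
     * @param notBeforeSec window start, seconds since the epoch
     * @param notAfterSec  window end, seconds since the epoch
     * @return {@code true} when checking is disabled or now lies within the window (inclusive)
     */
    private static boolean checkCertValidity(long notBeforeSec, long notAfterSec) {
        if (!ExtendedConfig.isCheckCertValidity()) {
            return true;
        }
        long nowSec = System.currentTimeMillis() / 1000;
        return notBeforeSec <= nowSec && notAfterSec >= nowSec;
    }

    /**
     * Returns {@code tbs} when given, otherwise the certificate's own TBS bytes.
     *
     * @throws CertTrustException when the certificate cannot be encoded
     */
    private static byte[] tbsOrDefault(X509Certificate cert, byte[] tbs) throws CertTrustException {
        if (tbs != null) {
            return tbs;
        }
        try {
            return cert.getTBSCertificate();
        } catch (GeneralSecurityException e) {
            throw new CertTrustException(e);
        }
    }

    /**
     * Builds the {@link SignatureCache} key for {@code tbs}: a digest using the algorithm named by
     * {@code NetSignImpl.SHA1} (SHA-1, by its name). A cache hit skips signature verification, so the
     * strength of this digest bounds how hard it is to alias a previously verified certificate.
     *
     * @throws CertTrustException when the digest algorithm or provider is unavailable (previously an
     *                            undeclared checked exception)
     */
    private static ByteArray cacheKeyFor(byte[] tbs) throws CertTrustException {
        try {
            MessageDigest digest = MessageDigest.getInstance(NetSignImpl.SHA1, NetSignImpl.PROVIDER_INFOSEC);
            return new ByteArray(digest.digest(tbs));
        } catch (GeneralSecurityException e) {
            throw new CertTrustException(e);
        }
    }

    /**
     * Public key of the first root certificate.
     *
     * @throws CertTrustException when the certificate carries no public key; a missing key used to make
     *                            two of the {@code VerifyCert} overloads return without verifying anything
     */
    private PublicKey rootPublicKey() throws CertTrustException {
        PublicKey key = ((X509Certificate) this.rootCertList.get(0)).getPublicKey();
        if (key == null) {
            throw new CertTrustException("PublicKey of root certificate not found");
        }
        return key;
    }

    /**
     * Runs the signature check against the root key. SM2 roots go through the OSCCA path and always
     * sign over {@code cert.getTBSCertificate()}; every other key type verifies {@code tbs} as given.
     *
     * @param sigAlg  signature algorithm name or OID, whichever the caller has
     * @param cert    certificate whose signature is checked
     * @param tbs     bytes verified on the non-SM2 path
     * @param rootKey public key of the root certificate
     * @param str     passed through unchanged to {@code NetSignImpl.verifyCert}; its meaning is defined there
     * @throws Exception whatever {@code NetSignImpl.verifyCert} throws; its checked types are not visible here
     */
    private static void verifyWithRootKey(String sigAlg, X509Certificate cert, byte[] tbs, PublicKey rootKey, String str) throws Exception {
        if (rootKey instanceof SM2PublicKey) {
            NetSignImpl.verifyCert(sigAlg, cert.getTBSCertificate(), cert.getSignature(), (SM2PublicKey) rootKey, Utils.getOSCCApucID(1, null));
        } else {
            NetSignImpl.verifyCert(sigAlg, tbs, cert.getSignature(), rootKey, str);
        }
    }

    /**
     * Verifies that {@code x509Certificate} was signed by the first root certificate, optionally
     * checking a caller-supplied validity window first. A prior successful verification of the same
     * TBS bytes is answered from {@link SignatureCache}.
     *
     * @param x509Certificate certificate to verify
     * @param bArr            TBS bytes to verify for non-SM2 roots, or {@code null} to take them from the
     *                        certificate; the SM2 path always uses the certificate's own TBS bytes
     * @param z               when {@code true}, check {@code j}/{@code j2} against now (subject to
     *                        {@code ExtendedConfig.isCheckCertValidity()})
     * @param str             passed through unchanged to {@code NetSignImpl.verifyCert} for non-SM2 roots
     * @param j               validity window start, seconds since the epoch
     * @param j2              validity window end, seconds since the epoch
     * @throws CertValidateException when the window does not contain the current time
     * @throws CertTrustException    when the root key is missing, the digest cannot be computed, or the
     *                               signature does not verify
     */
    public void VerifyCert(X509Certificate x509Certificate, byte[] bArr, boolean z, String str, long j, long j2) throws CertTrustException, CertValidateException {
        if (z && !checkCertValidity(j, j2)) {
            throw new CertValidateException("From:" + x509Certificate.getNotBefore() + " To:" + x509Certificate.getNotAfter());
        }
        byte[] tbs = tbsOrDefault(x509Certificate, bArr);
        ByteArray cacheKey = cacheKeyFor(tbs);
        if (SignatureCache.isSignatureCached(cacheKey)) {
            return;
        }
        PublicKey rootKey = rootPublicKey();
        try {
            // This overload identifies the algorithm by OID; the other two use the algorithm name.
            verifyWithRootKey(x509Certificate.getSigAlgOID(), x509Certificate, tbs, rootKey, str);
            SignatureCache.registerSignature(cacheKey, true);
        } catch (Exception e) {
            ConsoleLogger.logString("next is exception..");
            ConsoleLogger.logException(e);
            throw new CertTrustException(e);
        }
    }

    /**
     * Verifies an RSA-signed certificate, either directly against the root key (single-element path)
     * or by delegating the whole chain to {@link NetSignCertPath#verify}.
     * <p>
     * NOTE(review): a certificate whose signature algorithm name does not start with {@code RSA}
     * (before {@code WITH}) returns from this method <em>without any signature check</em>, as the
     * original did. Presumably SM2 chains are routed through another path by the caller — confirm
     * before relying on this overload for non-RSA chains.
     *
     * @param x509Certificate leaf certificate to verify
     * @param bArr            TBS bytes to verify, or {@code null} to take them from the certificate
     * @param netSignCertPath chain containing the certificate; a size other than 1 is verified as a chain
     * @param z               when {@code true}, run {@code checkValidity()} first and pass the flag to the chain verifier
     * @param str             passed through unchanged to {@code NetSignImpl.verifyCert} for non-SM2 roots
     * @throws CertValidateException when {@code checkValidity()} fails
     * @throws CertTrustException    when the root key is missing, the digest cannot be computed, or the
     *                               signature does not verify
     */
    public void VerifyCert(X509Certificate x509Certificate, byte[] bArr, NetSignCertPath netSignCertPath, boolean z, String str) throws CertTrustException, CertValidateException {
        if (z) {
            try {
                x509Certificate.checkValidity();
            } catch (Exception e) {
                throw new CertValidateException("From:" + x509Certificate.getNotBefore() + " To:" + x509Certificate.getNotAfter());
            }
        }
        String sigAlgName = x509Certificate.getSigAlgName();
        // Locale.ROOT: in a Turkish default locale "with" upper-cases to "WİTH", the split fails and the
        // check would silently skip verification.
        if (!sigAlgName.toUpperCase(Locale.ROOT).split("WITH")[0].equals("RSA")) {
            return;
        }
        byte[] tbs = tbsOrDefault(x509Certificate, bArr);
        ByteArray cacheKey = cacheKeyFor(tbs);
        if (SignatureCache.isSignatureCached(cacheKey)) {
            return;
        }
        PublicKey rootKey = rootPublicKey();
        if (netSignCertPath.size() != 1) {
            netSignCertPath.verify(rootKey, z);
            SignatureCache.registerSignature(cacheKey, true);
            return;
        }
        try {
            verifyWithRootKey(sigAlgName, x509Certificate, tbs, rootKey, str);
            SignatureCache.registerSignature(cacheKey, true);
        } catch (Exception e) {
            throw new CertTrustException(e);
        }
    }

    /**
     * Checks {@code x509Certificate} against CRLs.
     * <p>
     * Without distribution-point mode, or when the certificate carries no usable CRLDP extension, every
     * CRL in the CRL map is consulted for revocation only (no CRL validity check). In distribution-point
     * mode each named CRL is fetched from the updater; the first missing, expired or matching CRL decides
     * the result. A missing CRL is skipped (fail-open) unless the {@code onNoCrldp} policy is
     * {@code "no-pass"}.
     *
     * @param x509Certificate certificate to check
     * @return {@code 0} not revoked, {@code 1} revoked, {@code 2} a required distribution-point CRL is
     *         missing, {@code 3} a distribution-point CRL failed its validity check
     * @throws IllegalStateException when CRL checking is not configured, or distribution-point mode is on
     *                               and no {@link CRLUpdater} was installed (both were bare NPEs)
     */
    public int VerifyCRL(X509Certificate x509Certificate) {
        TrustCrlConfig crlConfig = requireCrlConfig();
        if (!crlConfig.getDPFlag()) {
            return isRevokedByAnyCrl(x509Certificate, crlConfig.getCrlList()) ? VERIFY_CRL_REVOKED : VERIFY_CRL_OK;
        }
        ArrayList dpNames = null;
        try {
            dpNames = CryptoUtil.getcrldp(x509Certificate.getExtensionValue(X509Extensions.CRLDistributionPoints.getId()));
        } catch (IOException e) {
            // Previously swallowed; an unparseable extension now leaves a trace before the fallback.
            ConsoleLogger.logString("Cannot parse CRL distribution points of " + x509Certificate.getSubjectDN() + ", falling back to the loaded CRL set");
            ConsoleLogger.logException(e);
        }
        if (dpNames == null || dpNames.isEmpty()) {
            return isRevokedByAnyCrl(x509Certificate, crlConfig.getCrlList()) ? VERIFY_CRL_REVOKED : VERIFY_CRL_OK;
        }
        if (this.updater == null) {
            throw new IllegalStateException("CRLUpdater not set for trust field " + this.name + "; call setCRLUpdater before verifying with CRL distribution points");
        }
        for (int i = 0; i < dpNames.size(); i++) {
            NetSignX509CRL dpCrl = this.updater.getCRL(dpNames.get(i).toString() + ".crl");
            if (dpCrl == null) {
                // A null policy surfaces as an NPE here rather than silently passing the certificate.
                if (crlConfig.getOnNoCrldp().equals(ON_NO_CRLDP_NO_PASS)) {
                    return VERIFY_CRL_NO_CRL_FILE;
                }
                continue;
            }
            if (crlConfig.isCheckValidity() && !dpCrl.checkValidity()) {
                return VERIFY_CRL_CRL_FILE_EXPIRED;
            }
            if (dpCrl.isRevoked(x509Certificate)) {
                return VERIFY_CRL_REVOKED;
            }
        }
        return VERIFY_CRL_OK;
    }

    /**
     * Asks the configured OCSP responder for the status of {@code x509Certificate}.
     * <p>
     * The revoked case is raised outside the wrapping {@code try}, so callers now actually receive
     * {@link CertRevokedException}; previously it was caught by the surrounding {@code catch (Exception)}
     * and re-thrown as a {@link VerifyOCSPException}.
     *
     * @param x509Certificate certificate to check
     * @throws CertRevokedException when the responder reports status {@code 1}
     * @throws VerifyOCSPException  when OCSP is not configured, the query fails, or the responder reports
     *                              status {@code 2}; any other status is accepted
     */
    public void VerifyOCSP(X509Certificate x509Certificate) throws VerifyOCSPException, CertRevokedException {
        if (this.client == null) {
            throw new VerifyOCSPException("OCSP is not configured for trust field " + this.name);
        }
        int certStatus;
        try {
            certStatus = this.client.getCertStatus(x509Certificate);
        } catch (Exception e) {
            throw new VerifyOCSPException(e);
        }
        // Status codes are those of OcspClient.getCertStatus; 1 is treated as revoked, 2 as a failure
        // described by the client itself, everything else as good.
        if (certStatus == 1) {
            throw new CertRevokedException("The SignCert Has Been Revoked");
        }
        if (certStatus == 2) {
            throw new VerifyOCSPException(OcspClient.getStatusDesp(certStatus));
        }
    }

    /**
     * Verifies the certificate carried by a {@link PBCRAWCert} against the first root certificate.
     * <p>
     * NOTE(review): the cache key is the digest carried by the {@code PBCRAWCert} rather than one computed
     * here; presumably the caller derives it from the TBS bytes — confirm, since a key that aliases a
     * previously verified certificate would skip the signature check.
     *
     * @param pBCRAWCert wrapper holding the certificate and its digest
     * @param str        passed through unchanged to {@code NetSignImpl.verifyCert} for non-SM2 roots
     * @throws CertTrustException    when the root key is missing or the signature does not verify
     * @throws CertValidateException declared for interface compatibility; not thrown by this method
     */
    public void VerifyCert(PBCRAWCert pBCRAWCert, String str) throws CertTrustException, CertValidateException {
        X509Certificate cert = pBCRAWCert.getCert();
        String sigAlgName = cert.getSigAlgName();
        ByteArray cacheKey = new ByteArray(pBCRAWCert.getDigest());
        if (SignatureCache.isSignatureCached(cacheKey)) {
            return;
        }
        PublicKey rootKey = rootPublicKey();
        try {
            verifyWithRootKey(sigAlgName, cert, cert.getTBSCertificate(), rootKey, str);
            SignatureCache.registerSignature(cacheKey, true);
        } catch (Exception e) {
            ConsoleLogger.logException(e);
            throw new CertTrustException(e);
        }
    }
}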
