package cn.com.infosec.netsign.base.util;

import cn.com.infosec.asn1.DERObject;
import cn.com.infosec.bccms.BCCMSSignedDataGenerator;
import cn.com.infosec.bccms.BCCMSSignedDataParser;
import cn.com.infosec.bccms.InfosecCMSSignedData;
import cn.com.infosec.crypto.digests.SHA1Digest;
import cn.com.infosec.jce.exception.CertificateNotMatchException;
import cn.com.infosec.jce.exception.DecryptDataException;
import cn.com.infosec.jce.exception.DecryptKeyException;
import cn.com.infosec.jce.exception.EncryptDataException;
import cn.com.infosec.jce.exception.EncryptKeyException;
import cn.com.infosec.jce.exception.WriteEnvDataException;
import cn.com.infosec.jce.provider.InfosecProvider;
import cn.com.infosec.jce.provider.JCESM2PublicKey;
import cn.com.infosec.netsign.base.NetSignCertPath;
import cn.com.infosec.netsign.base.NetSignCertPathBuilder;
import cn.com.infosec.netsign.crypto.exception.CryptoException;
import cn.com.infosec.netsign.crypto.util.Base64;
import cn.com.infosec.netsign.crypto.util.CryptoUtil;
import cn.com.infosec.netsign.crypto.util.HardCryptoImpl;
import cn.com.infosec.netsign.crypto.util.PKCS7EnvelopedData;
import cn.com.infosec.netsign.crypto.util.PKCS7HardEnvelopedData;
import cn.com.infosec.netsign.crypto.util.PKCS7HardSignedData;
import cn.com.infosec.netsign.crypto.util.PKCS7SignedData;
import cn.com.infosec.netsign.exceptions.PlaintextStructureException;
import cn.com.infosec.netsign.exceptions.SignatureStructureException;
import cn.com.infosec.netsign.frame.config.ExtendedConfig;
import cn.com.infosec.netsign.frame.util.CertificateUtil;
import cn.com.infosec.netsign.logger.ConsoleLogger;
import cn.com.infosec.netsign.resources.rawcert.PBCRAWCert;
import cn.com.infosec.oscca.OID;
import cn.com.infosec.oscca.OSCCAMessageDigest;
import cn.com.infosec.oscca.SDFJNI;
import cn.com.infosec.oscca.sm2.SM2Certificate;
import cn.com.infosec.oscca.sm2.SM2Gear;
import cn.com.infosec.oscca.sm2.SM2PrivateKey;
import cn.com.infosec.oscca.sm2.SM2PublicKey;
import cn.com.infosec.xmlparser.BinaryXMLParser;
import cn.com.infosec.xmlparser.BinaryXMLParserFactory;
import cn.com.infosec.xmlparser.XMLTag;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;

/* loaded from: input_file:cn/com/infosec/netsign/base/util/NetSignImpl.class */
public class NetSignImpl {
    // Digest algorithm names. NOTE(review): MD2, MD5 and SHA-1 are legacy digests that no longer provide
    // collision resistance; how callers use these names is not visible in this part of the file.
    public static final String MD5 = "MD5";
    public static final String MD2 = "MD2";
    public static final String SHA1 = "SHA1";
    // Process-wide hardware crypto handler: installed by setHardCryptoHandler and handed to
    // PKCS7HardSignedData.SetCryptoHandler by the "hard" sign/verify methods.
    private static HardCryptoImpl handler;
    // Symmetric cipher selectors. NOTE(review): single DES, RC2 and RC4 are deprecated ciphers; the code
    // that maps these selectors to actual ciphers is not visible here.
    public static final int TRIPLE_DES_CBC = 1;
    public static final int DES_CBC = 2;
    public static final int RC2_CBC = 3;
    public static final int RC4 = 4;
    // JCE provider names used in getInstance(...) calls and passed to TrustConfig.VerifyCert.
    public static final String PROVIDER_INFOSEC = "INFOSEC";
    public static final String PROVIDER_DATECH = "DatechCrypto";
    public static final String PROVIDER_SWXA = "SwxaJCE";
    public static final String PROVIDER_SWXA_ALG = "jce:SwxaJCE";
    // Content bytes captured by the most recent verify call. Several verify methods assign this before the
    // signature check has passed, so it is only meaningful after that call returned without throwing.
    private byte[] ContentData;
    // Signing / encryption certificates taken from the message being processed (signCert is set before it
    // has been validated).
    private X509Certificate signCert;
    private X509Certificate encCert;
    // Five-element summaries filled by getSignCerttmp / getEncCerttmp:
    // [0] subject DN, [1] issuer DN, [2] notBefore, [3] notAfter, [4] serial number (upper-case hex).
    private String[] certinfo;
    private String[] enccertinfo;
    // Digest algorithm reported by the last parsed message (message-controlled until checked).
    private String digAlg = "";
    private String encAlg = "";
    // Selector forwarded to PKCS7SignedData.getEncoded and to the PKCS7SignedDataFX constructor.
    private String p7Standard = null;
    private PKCS7EnvelopedData p7ed = null;
    // Certificate validity bounds in seconds since the epoch (milliseconds divided by 1000).
    private long signCertNotBefore;
    private long signCertNotAfter;
    private long encCertNotBefore;
    private long encCertNotAfter;
    // NOTE(review): "Catch" presumably means "cache"; these static raw HashMaps are shared by all instances
    // and no synchronization is visible in this part of the file - confirm how they are accessed.
    private static HashMap signCatch;
    private static SM2Gear signGear;
    private static HashMap verifyCatch;
    private static SM2Gear verifyGear;

    // Class initializer: runs once when NetSignImpl is loaded.
    static {
        // Registers the Infosec JCE provider JVM-wide, so "INFOSEC" can be named in getInstance(...) calls.
        Security.addProvider(new InfosecProvider());
        // No hardware handler until setHardCryptoHandler is called.
        handler = null;
        signCatch = new HashMap();
        // Gear sizes come from ExtendedConfig; what an SM2Gear does with them is not visible here.
        signGear = new SM2Gear(ExtendedConfig.getSm2SignGear());
        verifyCatch = new HashMap();
        verifyGear = new SM2Gear(ExtendedConfig.getSm2VerifyGear());
    }

    /**
     * Stores the PKCS#7 standard selector for this instance.
     *
     * <p>The value is forwarded unchanged to {@code PKCS7SignedData.getEncoded} and to the
     * {@code PKCS7SignedDataFX} constructor; the accepted values are defined by those classes.
     *
     * @param str the selector to use, or {@code null} (the initial value)
     */
    public void setP7Standard(String str) {
        p7Standard = str;
    }

    /**
     * Returns the encryption algorithm name recorded on this instance.
     *
     * @return the current value of {@code encAlg}; the empty string until some other method sets it
     */
    public String getEncAlg() {
        return encAlg;
    }

    /**
     * Generates an RSA key pair with the {@code DatechCrypto} provider.
     *
     * <p>NOTE(review): the modulus size is fixed at 1024 bits, which is below the 2048-bit minimum
     * current guidance expects for RSA. Raising it here could break interoperability with the
     * device behind the provider, so the value is left as found; confirm whether the provider
     * accepts a larger size and treat keys produced by this method as legacy-strength.
     *
     * @param str name of the {@link SecureRandom} algorithm to request from the provider
     * @return the generated key pair
     * @throws Exception if the provider or either algorithm is unavailable
     */
    public static KeyPair generateDatechKeyPair(String str) throws Exception {
        final SecureRandom providerRandom = SecureRandom.getInstance(str, PROVIDER_DATECH);
        final KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance("RSA", PROVIDER_DATECH);
        // 1024-bit modulus: see the review note above.
        rsaGenerator.initialize(1024, providerRandom);
        return rsaGenerator.genKeyPair();
    }

    /**
     * Computes the SHA-1 digest of {@code bArr} and returns its Base64 text as bytes.
     *
     * <p>NOTE(review): SHA-1 is not collision resistant; this result should not be relied on where
     * an adversary can choose the input. The final {@code getBytes()} uses the platform default
     * charset, which only matters if that charset is not ASCII-compatible.
     *
     * @param bArr the data to hash; must not be {@code null}
     * @return the bytes of the Base64-encoded digest
     * @throws IOException declared by the signature; no visible statement here throws it
     */
    public byte[] hash1Base64(byte[] bArr) throws IOException {
        final SHA1Digest sha1 = new SHA1Digest();
        sha1.update(bArr, 0, bArr.length);
        final byte[] rawDigest = new byte[sha1.getDigestSize()];
        sha1.doFinal(rawDigest, 0);
        return Base64.encode(rawDigest).getBytes();
    }

    /**
     * Installs the hardware crypto handler used by the "hard" sign and verify methods.
     *
     * <p>The handler is a static field, so the change applies to every {@code NetSignImpl}
     * instance in the JVM; no synchronization is applied to the assignment.
     *
     * @param hardCryptoImpl the handler to install, or {@code null} to clear it
     */
    public static void setHardCryptoHandler(HardCryptoImpl hardCryptoImpl) {
        NetSignImpl.handler = hardCryptoImpl;
    }

    /**
     * Returns the encryption-certificate summary built by {@code getEncCerttmp}.
     *
     * <p>The internal array itself is returned, not a copy, so changes made by the caller are
     * visible to this instance.
     *
     * @return the five-element summary array, or {@code null} if none has been built yet
     */
    public String[] getEncCertInfo() {
        return enccertinfo;
    }

    /**
     * Returns the signing-certificate summary built by {@code getSignCerttmp}.
     *
     * <p>The internal array itself is returned, not a copy. The verify methods fill it before the
     * certificate and signature have been checked, so it describes a trusted signer only after
     * the verify call returned without throwing.
     *
     * @return the five-element summary array, or {@code null} if none has been built yet
     */
    public String[] getSignCertInfo() {
        return certinfo;
    }

    /**
     * Returns the signing certificate taken from the most recently processed message.
     *
     * <p>The verify methods assign this field before validation, so the certificate is only known
     * to be trusted if the verify call that set it returned without throwing.
     *
     * @return the signing certificate, or {@code null} if none has been recorded
     */
    public X509Certificate getSignCert() {
        return signCert;
    }

    /**
     * Rebuilds {@code enccertinfo} and the validity bounds from {@code encCert}.
     *
     * <p>Slots: [0] subject DN, [1] issuer DN, [2] notBefore, [3] notAfter, [4] serial number in
     * upper-case hex. Unlike {@code getSignCerttmp}, slots 2 and 3 hold {@link Date#toString()}
     * text rather than epoch seconds. {@code encCertNotBefore} / {@code encCertNotAfter} end up
     * in seconds since the epoch.
     */
    private void getEncCerttmp() {
        final String[] summary = new String[5];
        this.enccertinfo = summary;
        summary[0] = this.encCert.getSubjectDN().getName();
        summary[1] = this.encCert.getIssuerDN().getName();
        final long notBeforeMillis = this.encCert.getNotBefore().getTime();
        final long notAfterMillis = this.encCert.getNotAfter().getTime();
        summary[2] = new Date(notBeforeMillis).toString();
        summary[3] = new Date(notAfterMillis).toString();
        summary[4] = this.encCert.getSerialNumber().toString(16).toUpperCase();
        // The fields keep whole seconds; the display strings above were built from milliseconds.
        this.encCertNotBefore = notBeforeMillis / 1000;
        this.encCertNotAfter = notAfterMillis / 1000;
    }

    /**
     * Rebuilds {@code certinfo} and the validity bounds from {@code signCert}.
     *
     * <p>Slots: [0] subject DN, [1] issuer DN, [2] notBefore and [3] notAfter as decimal seconds
     * since the epoch, [4] serial number in upper-case hex. The certificate has not been
     * validated when this runs; the values are whatever the message supplied.
     */
    private void getSignCerttmp() {
        final String[] summary = new String[5];
        this.certinfo = summary;
        summary[0] = this.signCert.getSubjectDN().getName();
        summary[1] = this.signCert.getIssuerDN().getName();
        this.signCertNotBefore = this.signCert.getNotBefore().getTime() / 1000;
        this.signCertNotAfter = this.signCert.getNotAfter().getTime() / 1000;
        summary[2] = String.valueOf(this.signCertNotBefore);
        summary[3] = String.valueOf(this.signCertNotAfter);
        summary[4] = this.signCert.getSerialNumber().toString(16).toUpperCase();
    }

    /**
     * Reads one extension from the recorded signing certificate and decodes it with
     * {@code CryptoUtil.getExtern}.
     *
     * <p>Any failure (including no signing certificate being recorded) is logged and reported as
     * {@code null}, so callers cannot tell "extension absent" from "lookup failed". The value comes
     * from {@code signCert}, which is only trustworthy after a successful verify call.
     *
     * @param str the extension OID in dotted form
     * @return the decoded extension value, or {@code null} on any error
     */
    public String getCertExtensionValue(String str) {
        String decoded;
        try {
            final byte[] rawExtension = this.signCert.getExtensionValue(str);
            decoded = CryptoUtil.getExtern(rawExtension);
        } catch (Exception e) {
            ConsoleLogger.logException(e);
            decoded = null;
        }
        return decoded;
    }

    /**
     * Returns one field of the signing-certificate summary.
     *
     * @param i 1-based field number (1 = subject DN ... 5 = serial number)
     * @return the requested field
     * @throws ArrayIndexOutOfBoundsException if {@code i} is outside 1..5
     * @throws NullPointerException if no summary has been built yet
     */
    public String getSignCertInfo(int i) {
        final int slot = i - 1;
        return certinfo[slot];
    }

    /**
     * Returns one field of the encryption-certificate summary.
     *
     * @param i 1-based field number (1 = subject DN ... 5 = serial number)
     * @return the requested field
     * @throws ArrayIndexOutOfBoundsException if {@code i} is outside 1..5
     * @throws NullPointerException if no summary has been built yet
     */
    public String getEncCertInfo(int i) {
        final int slot = i - 1;
        return enccertinfo[slot];
    }

    /**
     * Returns the content bytes captured by the most recent verify call.
     *
     * <p>Several verify methods store the content before the signature check completes, and the
     * internal array is returned without copying. Use the result only after the verify call
     * returned without throwing.
     *
     * @return the captured content, or {@code null} if none has been recorded
     */
    public byte[] getContentData() {
        return ContentData;
    }

    /**
     * Builds a PKCS#7 signed message through the hardware crypto handler, using RSA.
     *
     * <p>Each call re-installs the static handler on {@code PKCS7HardSignedData}.
     *
     * @param bArr the plaintext to sign; must be non-empty
     * @param bArr2 first constructor argument of {@code PKCS7HardSignedData} (presumably a key
     *     reference for the device; confirm against that class)
     * @param certificateArr certificates to place in the message
     * @param str third constructor argument of {@code PKCS7HardSignedData} (presumably the digest
     *     algorithm; confirm against that class)
     * @param z when {@code true} the message is encoded without passing the plaintext to
     *     {@code getEncoded}; when {@code false} the plaintext is passed in
     * @return the encoded signed message
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     */
    public byte[] GenerateHardSignedMsg(byte[] bArr, byte[] bArr2, Certificate[] certificateArr, String str, boolean z) throws CryptoException, InvalidParameterException, NoSuchAlgorithmException {
        final boolean hasPlainText = bArr != null && bArr.length != 0;
        if (!hasPlainText) {
            throw new InvalidParameterException("The PlainText Is Null");
        }
        final PKCS7HardSignedData hardSigner = new PKCS7HardSignedData(bArr2, certificateArr, str, "RSA");
        PKCS7HardSignedData.SetCryptoHandler(handler);
        hardSigner.update(bArr);
        if (z) {
            return hardSigner.getEncoded();
        }
        return hardSigner.getEncoded(bArr);
    }

    /**
     * Builds a PKCS#7 signed message with a software private key.
     *
     * @param bArr the plaintext to sign; must be non-empty
     * @param privateKey the signing key
     * @param x509CertificateArr certificates to place in the message
     * @param dERObjectArr passed through to the {@code PKCS7SignedData} constructor
     * @param hashtable passed through to the {@code PKCS7SignedData} constructor
     * @param str passed through to the {@code PKCS7SignedData} constructor
     * @param z when {@code true} the message is encoded with {@code null} content; when
     *     {@code false} the plaintext is handed to {@code getEncoded}
     * @param str2 passed through to the {@code PKCS7SignedData} constructor
     * @return the encoded signed message, shaped by the configured {@code p7Standard}
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     */
    public byte[] GenerateSingleSignedMsg(byte[] bArr, PrivateKey privateKey, X509Certificate[] x509CertificateArr, DERObject[] dERObjectArr, Hashtable hashtable, String str, boolean z, String str2) throws InvalidParameterException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
        final int plainLength = (bArr == null) ? 0 : bArr.length;
        if (plainLength == 0) {
            throw new InvalidParameterException("The PlainText Is NULL");
        }
        final PKCS7SignedData signer = new PKCS7SignedData(privateKey, x509CertificateArr, dERObjectArr, hashtable, str, str2);
        signer.update(bArr, 0, plainLength);
        final byte[] embeddedContent = z ? null : bArr;
        return signer.getEncoded(embeddedContent, this.p7Standard);
    }

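    /**
     * Builds a CMS signed message by delegating to {@code BCCMSSignedDataGenerator}.
     *
     * <p>Every failure of the generator is logged and rethrown as {@link SignatureException}. The
     * message text is unchanged from before ({@code e.toString()}); the original exception is now
     * attached as the cause so the stack trace survives, matching
     * {@code GenerateSM2CMSSingleSignedMsg}.
     *
     * @param bArr the plaintext to sign; must be non-empty
     * @param privateKey the signing key
     * @param x509Certificate the signer's certificate
     * @param str passed through to the generator
     * @param z passed through to the generator
     * @param str2 passed through to the generator
     * @return the encoded CMS signed message
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     * @throws SignatureException if the generator fails for any reason
     */
    public byte[] GenerateCMSSingleSignedMsg(byte[] bArr, PrivateKey privateKey, X509Certificate x509Certificate, String str, boolean z, String str2) throws InvalidParameterException, SignatureException {
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException("The PlainText Is NULL");
        }
        try {
            return BCCMSSignedDataGenerator.generateCMSSignedData(bArr, privateKey, x509Certificate, str, z, str2);
        } catch (Exception e) {
            ConsoleLogger.logException(e);
            // Keep the historical message but chain the cause instead of dropping it.
            throw new SignatureException(e.toString(), e);
        }
    }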

    /**
     * Builds a PKCS#7 signed message with an SM2 private key.
     *
     * @param bArr the plaintext to sign; must be non-empty
     * @param sM2PrivateKey the SM2 signing key
     * @param sM2Certificate the signer's SM2 certificate
     * @param dERObjectArr passed through to the {@code PKCS7SignedData} constructor
     * @param hashtable passed through to the {@code PKCS7SignedData} constructor
     * @param str passed through to the {@code PKCS7SignedData} constructor
     * @param z when {@code true} the message is encoded with {@code null} content; when
     *     {@code false} the plaintext is handed to {@code getEncoded}
     * @return the encoded signed message, shaped by the configured {@code p7Standard}
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     */
    public byte[] GenerateSingleSignedMsg(byte[] bArr, SM2PrivateKey sM2PrivateKey, SM2Certificate sM2Certificate, DERObject[] dERObjectArr, Hashtable hashtable, String str, boolean z) throws InvalidParameterException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
        final int plainLength = (bArr == null) ? 0 : bArr.length;
        if (plainLength == 0) {
            throw new InvalidParameterException("The PlainText Is NULL");
        }
        // The last constructor argument is the identifier returned by Utils.getOSCCApucID(2, null).
        final PKCS7SignedData signer = new PKCS7SignedData(sM2PrivateKey, str, sM2Certificate, dERObjectArr, hashtable, Utils.getOSCCApucID(2, null));
        signer.update(bArr, 0, plainLength);
        final byte[] embeddedContent = z ? null : bArr;
        return signer.getEncoded(embeddedContent, this.p7Standard);
    }

    /**
     * Builds an SM2 CMS signed message by delegating to {@code BCCMSSignedDataGenerator}.
     *
     * <p>Any failure of the generator is logged and rethrown as a {@link SignatureException} that
     * wraps the original exception.
     *
     * @param bArr the plaintext to sign; must be non-empty
     * @param sM2PrivateKey the SM2 signing key
     * @param sM2Certificate the signer's SM2 certificate
     * @param str passed through to the generator
     * @param z passed through to the generator
     * @return the encoded CMS signed message
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     * @throws SignatureException if the generator fails for any reason
     */
    public byte[] GenerateSM2CMSSingleSignedMsg(byte[] bArr, SM2PrivateKey sM2PrivateKey, SM2Certificate sM2Certificate, String str, boolean z) throws InvalidParameterException, SignatureException {
        final boolean hasPlainText = bArr != null && bArr.length != 0;
        if (!hasPlainText) {
            throw new InvalidParameterException("The PlainText Is NULL");
        }
        final byte[] encoded;
        try {
            encoded = BCCMSSignedDataGenerator.generateSM2CMSSignedData(bArr, sM2PrivateKey, sM2Certificate, str, z);
        } catch (Exception e) {
            ConsoleLogger.logException(e);
            throw new SignatureException(e);
        }
        return encoded;
    }

    /**
     * Verifies a hardware-backed PKCS#7 signature over caller-supplied content.
     *
     * <p>Order of checks: parse the message, record the signing certificate, validate that
     * certificate (trust entry for its issuer, then OCSP or CRL if enabled; otherwise the chain
     * embedded in the message), and only then verify the signature over {@code bArr2}.
     * {@code signCert} and {@code certinfo} are assigned before any validation, so they describe
     * a trusted signer only if this method returns normally. Unlike the overload without
     * {@code bArr2}, this one does not record the digest algorithm.
     *
     * @param bArr the signed message; must be non-empty
     * @param bArr2 the content the signature is checked against (not null-checked here)
     * @param map trust configuration keyed by issuer DN string
     * @param z flag forwarded to {@code TrustConfig.VerifyCert} / {@code verifyCert}; its meaning
     *     is defined there
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     * @throws CertTrustException if the issuer is unknown and the message carries fewer than two
     *     certificates
     * @throws VerifySignatureException if the signature does not verify
     */
    public void verifyHardSignedMsg(byte[] bArr, byte[] bArr2, Map map, boolean z) throws InvalidParameterException, CryptoException, SecurityException, VerifySignatureException, CertTrustException, CertValidateException, VerifyOCSPException, CertRevokedException, NotInTrustListException {
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException("The Signed Message Is NULL");
        }
        PKCS7HardSignedData pKCS7HardSignedData = new PKCS7HardSignedData(bArr);
        // Static setter: re-installs the process-wide handler on every call.
        PKCS7HardSignedData.SetCryptoHandler(handler);
        // The certificate comes from the untrusted message; it is validated below.
        this.signCert = pKCS7HardSignedData.getSigningCertificate();
        getSignCerttmp();
        // Trust entry is selected by exact issuer-DN string match (no trimDN/turnDN normalization here).
        TrustConfig trustConfig = (TrustConfig) map.get(this.signCert.getIssuerDN().getName());
        if (trustConfig != null) {
            trustConfig.VerifyCert(this.signCert, null, z, PROVIDER_INFOSEC, this.signCertNotBefore, this.signCertNotAfter);
            // Revocation: OCSP takes precedence; CRL is consulted only when OCSP is disabled.
            // With both disabled no revocation check runs.
            if (trustConfig.isOCSPEnabled()) {
                trustConfig.VerifyOCSP(this.signCert);
            } else if (trustConfig.isCrlEnabled()) {
                checkCrlVerifyResult(trustConfig.VerifyCRL(this.signCert));
            }
        } else {
            // Issuer not directly trusted: fall back to the chain shipped inside the message.
            Certificate[] certificates = pKCS7HardSignedData.getCertificates();
            if (certificates == null || certificates.length < 2) {
                throw new CertTrustException("Not In Trust List");
            }
            verifyCert(this.signCert, certificates, map, z);
        }
        // Signature is checked last, over the caller's content rather than anything in the message.
        pKCS7HardSignedData.updateContent(bArr2);
        if (!pKCS7HardSignedData.verify()) {
            throw new VerifySignatureException("signature was not verified ");
        }
    }

    /**
     * Translates a {@code TrustConfig.VerifyCRL} result code into an exception.
     *
     * <p>Codes 1 (revoked), 2 (CRL file missing) and 3 (CRL expired) all fail closed with
     * {@code CertRevokedException}. Every other value returns normally.
     * NOTE(review): that includes any code this method does not know about; confirm that
     * {@code VerifyCRL} can only return 0..3, otherwise an unexpected error code is treated as
     * "not revoked".
     *
     * @param i the result code returned by {@code VerifyCRL}
     * @throws CertRevokedException for codes 1, 2 and 3
     */
    public static void checkCrlVerifyResult(int i) throws CertRevokedException {
        if (i == 1) {
            throw new CertRevokedException("The SignCert has been revoked");
        }
        if (i == 2) {
            throw new CertRevokedException("The CRL file not found");
        }
        if (i == 3) {
            throw new CertRevokedException("The CRL file has bean expired");
        }
    }

    /**
     * Verifies a hardware-backed PKCS#7 signature whose content is carried inside the message.
     *
     * <p>Order of checks: parse, record digest algorithm and signing certificate, validate the
     * certificate (trust entry for its issuer, then OCSP or CRL if enabled; otherwise the chain
     * embedded in the message), verify the signature, and only after that publish the content
     * through {@code ContentData}. {@code digAlg}, {@code signCert} and {@code certinfo} are
     * assigned before validation and stay set if this method throws.
     *
     * @param bArr the signed message; must be non-empty
     * @param map trust configuration keyed by issuer DN string
     * @param z flag forwarded to {@code TrustConfig.VerifyCert} / {@code verifyCert}; its meaning
     *     is defined there
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     * @throws CertTrustException if the issuer is unknown and the message carries fewer than two
     *     certificates
     * @throws VerifySignatureException if the signature does not verify
     */
    public void verifyHardSignedMsg(byte[] bArr, Map map, boolean z) throws InvalidParameterException, CryptoException, SecurityException, VerifySignatureException, CertTrustException, CertValidateException, VerifyOCSPException, CertRevokedException, NotInTrustListException {
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException("The Signed Message Is NULL");
        }
        PKCS7HardSignedData pKCS7HardSignedData = new PKCS7HardSignedData(bArr);
        // Static setter: re-installs the process-wide handler on every call.
        PKCS7HardSignedData.SetCryptoHandler(handler);
        // Both values are read from the untrusted message.
        this.digAlg = pKCS7HardSignedData.getDigAlg();
        this.signCert = pKCS7HardSignedData.getSigningCertificate();
        getSignCerttmp();
        // Trust entry is selected by exact issuer-DN string match (no trimDN/turnDN normalization here).
        TrustConfig trustConfig = (TrustConfig) map.get(this.signCert.getIssuerDN().getName());
        if (trustConfig != null) {
            trustConfig.VerifyCert(this.signCert, null, z, PROVIDER_INFOSEC, this.signCertNotBefore, this.signCertNotAfter);
            // Revocation: OCSP takes precedence; CRL is consulted only when OCSP is disabled.
            // With both disabled no revocation check runs.
            if (trustConfig.isOCSPEnabled()) {
                trustConfig.VerifyOCSP(this.signCert);
            } else if (trustConfig.isCrlEnabled()) {
                checkCrlVerifyResult(trustConfig.VerifyCRL(this.signCert));
            }
        } else {
            // Issuer not directly trusted: fall back to the chain shipped inside the message.
            Certificate[] certificates = pKCS7HardSignedData.getCertificates();
            if (certificates == null || certificates.length < 2) {
                throw new CertTrustException("Not In Trust List");
            }
            verifyCert(this.signCert, certificates, map, z);
        }
        if (!pKCS7HardSignedData.verify()) {
            throw new VerifySignatureException("signature was not verified ");
        }
        // Content is exposed only after the signature check passed.
        this.ContentData = pKCS7HardSignedData.getContentData();
    }

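    /**
     * Verifies a signed message against caller-supplied plaintext (detached form).
     *
     * <p>Messages whose second octet is 0x80 (the BER indefinite-length form after a single-octet
     * tag) are routed to {@link #verifyCMSSignedData}; everything else is parsed as PKCS#7.
     *
     * <p>Security notes for callers:
     * <ul>
     *   <li>With {@code z2 == false} no certificate validation is performed at all: a successful
     *       return only proves the plaintext matches the key in the certificate embedded in the
     *       message, not that the signer is trusted.</li>
     *   <li>{@code signCert}, {@code digAlg} and {@code certinfo} are assigned before validation
     *       and remain set if this method throws.</li>
     *   <li>On the PKCS#7 path every exception raised inside the {@code try} block leaves this
     *       method as {@code SecurityException}; a failed signature, an untrusted issuer and a
     *       malformed message are therefore only distinguishable through the cause.</li>
     *   <li>Revocation: OCSP takes precedence over CRL; with both disabled none is checked.</li>
     * </ul>
     *
     * @param bArr the signed message; must be non-empty
     * @param bArr2 the plaintext the signature must cover; must be non-empty
     * @param map trust configuration keyed by issuer DN string
     * @param str JCE provider name forwarded to the parser and to {@code VerifyCert}
     * @param str2 forwarded to the parser (on the CMS path: the expected digest algorithm prefix)
     * @param z flag forwarded to {@code TrustConfig.VerifyCert} / {@code verifyCert}
     * @param z2 whether to validate the signing certificate
     * @throws InvalidParameterException if either array is {@code null} or empty
     * @throws SecurityException if the message is malformed or any check on the PKCS#7 path fails
     */
    public void VerifySingleSignedMsg(byte[] bArr, byte[] bArr2, Map map, String str, String str2, boolean z, boolean z2) throws InvalidParameterException, SecurityException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, CertTrustException, CertValidateException, VerifyOCSPException, CertRevokedException, SignatureException, VerifySignatureException, NotInTrustListException, CMSDigestVerifyException {
        if (bArr2 == null || bArr2.length == 0) {
            throw new InvalidParameterException("The PlainText Is NULL");
        }
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException("The Signed Message Is NULL");
        }
        // A one-octet message has no length octet to inspect; reject it as malformed instead of
        // letting bArr[1] raise ArrayIndexOutOfBoundsException on untrusted input.
        if (bArr.length < 2) {
            throw new SecurityException("Not a well formed PKCS7 msg");
        }
        if ((bArr[1] & 255) == 128) {
            verifyCMSSignedData(bArr, bArr2, map, str, str2, z, z2, false);
            return;
        }
        try {
            PKCS7SignedDataFX pKCS7SignedDataFX = new PKCS7SignedDataFX(bArr, str, str2, this.p7Standard);
            // Both values are read from the untrusted message.
            this.signCert = pKCS7SignedDataFX.getSigningCertificate();
            this.digAlg = pKCS7SignedDataFX.getDigAlg();
            getSignCerttmp();
            if (z2) {
                // Trust entry is selected by exact issuer-DN string match.
                TrustConfig trustConfig = (TrustConfig) map.get(this.signCert.getIssuerDN().getName());
                if (trustConfig != null) {
                    trustConfig.VerifyCert(this.signCert, pKCS7SignedDataFX.getSignCertTBS(), z, str, this.signCertNotBefore, this.signCertNotAfter);
                    if (trustConfig.isOCSPEnabled()) {
                        trustConfig.VerifyOCSP(this.signCert);
                    } else if (trustConfig.isCrlEnabled()) {
                        checkCrlVerifyResult(trustConfig.VerifyCRL(this.signCert));
                    }
                } else {
                    // Issuer not directly trusted: fall back to the chain shipped inside the message.
                    Certificate[] certificates = pKCS7SignedDataFX.getCertificates();
                    if (certificates == null || certificates.length < 2) {
                        throw new NotInTrustListException(new StringBuffer("Not in trust list:issuer:").append(this.signCert.getIssuerDN().toString()).append(" subject:").append(this.signCert.getSubjectDN().toString()).toString());
                    }
                    verifyCert(this.signCert, certificates, map, z);
                }
            }
            // Signature is checked over the caller's plaintext.
            pKCS7SignedDataFX.update(bArr2, 0, bArr2.length);
            if (!pKCS7SignedDataFX.verify()) {
                throw new VerifySignatureException("signature was not verified ");
            }
        } catch (CRLException e) {
            throw new SecurityException(e);
        } catch (CertificateException e2) {
            throw new SecurityException(e2);
        } catch (Throwable th) {
            throw new SecurityException("Not a well formed PKCS7 msg", th);
        }
    }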

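    /**
     * "Afterwards" verification of a signed message against caller-supplied plaintext.
     *
     * <p>Compared with {@code VerifySingleSignedMsg}, this variant always validates the signing
     * certificate, passes {@code false} as the flag argument of {@code VerifyCert}, uses
     * {@code afterwardsVerifyCert} for embedded chains, and performs no OCSP or CRL check. It is
     * therefore unsuitable for deciding whether a certificate is currently revoked.
     *
     * <p>Messages whose second octet is 0x80 (the BER indefinite-length form after a single-octet
     * tag) are routed to {@link #verifyCMSSignedData}. {@code signCert} and {@code certinfo} are
     * assigned before validation and remain set if this method throws. This variant has no
     * catch-all, so exceptions other than {@code CRLException} / {@code CertificateException}
     * propagate with their own type.
     *
     * @param bArr the signed message; must be non-empty
     * @param bArr2 the plaintext the signature must cover; must be non-empty
     * @param map trust configuration keyed by issuer DN string
     * @param str JCE provider name forwarded to the parser and to {@code VerifyCert}
     * @param str2 forwarded to the parser (on the CMS path: the expected digest algorithm prefix)
     * @throws InvalidParameterException if either array is {@code null} or empty
     * @throws SecurityException if the message is too short to be a signed message, or wraps a
     *     CRL / certificate parsing failure
     * @throws VerifySignatureException if the signature does not verify
     */
    public void afterwardsVerifySingleSignedMsg(byte[] bArr, byte[] bArr2, Map map, String str, String str2) throws InvalidParameterException, SecurityException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, CertTrustException, CertValidateException, SignatureException, VerifySignatureException, NotInTrustListException, VerifyOCSPException, CertRevokedException, CMSDigestVerifyException {
        if (bArr2 == null || bArr2.length == 0) {
            throw new InvalidParameterException("The PlainText Is NULL");
        }
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException("The Signed Message Is NULL");
        }
        // A one-octet message has no length octet to inspect; reject it as malformed instead of
        // letting bArr[1] raise ArrayIndexOutOfBoundsException on untrusted input.
        if (bArr.length < 2) {
            throw new SecurityException("Not a well formed PKCS7 msg");
        }
        if ((bArr[1] & 255) == 128) {
            verifyCMSSignedData(bArr, bArr2, map, str, str2, false, true, true);
            return;
        }
        try {
            PKCS7SignedDataFX pKCS7SignedDataFX = new PKCS7SignedDataFX(bArr, str, str2, this.p7Standard);
            // The certificate is read from the untrusted message and validated below.
            this.signCert = pKCS7SignedDataFX.getSigningCertificate();
            getSignCerttmp();
            // Trust entry is selected by exact issuer-DN string match.
            TrustConfig trustConfig = (TrustConfig) map.get(this.signCert.getIssuerDN().getName());
            if (trustConfig != null) {
                // No OCSP/CRL step follows on this path.
                trustConfig.VerifyCert(this.signCert, pKCS7SignedDataFX.getSignCertTBS(), false, str, this.signCertNotBefore, this.signCertNotAfter);
            } else {
                // Issuer not directly trusted: fall back to the chain shipped inside the message.
                Certificate[] certificates = pKCS7SignedDataFX.getCertificates();
                if (certificates == null || certificates.length < 2) {
                    throw new NotInTrustListException(new StringBuffer("Not in trust list:issuer:").append(this.signCert.getIssuerDN().toString()).append(" subject:").append(this.signCert.getSubjectDN().toString()).toString());
                }
                afterwardsVerifyCert(this.signCert, certificates, map);
            }
            // Signature is checked over the caller's plaintext.
            pKCS7SignedDataFX.update(bArr2, 0, bArr2.length);
            if (!pKCS7SignedDataFX.verify()) {
                throw new VerifySignatureException("signature was not verified ");
            }
        } catch (CRLException e) {
            throw new SecurityException(e);
        } catch (CertificateException e2) {
            throw new SecurityException(e2);
        }
    }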

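    /**
     * Verifies a signed message whose content is carried inside the message (attached form).
     *
     * <p>Messages whose second octet is 0x80 (the BER indefinite-length form after a single-octet
     * tag) are routed to {@link #verifyCMSSignedData}; everything else is parsed as PKCS#7.
     *
     * <p>Security notes for callers:
     * <ul>
     *   <li>{@code ContentData} is assigned <em>before</em> the signature is verified, and
     *       {@code signCert}, {@code digAlg} and {@code certinfo} before the certificate is
     *       validated. Read them only after this method returned without throwing.</li>
     *   <li>With {@code z2 == false} no certificate validation is performed at all: a successful
     *       return only proves the content matches the key in the certificate embedded in the
     *       message.</li>
     *   <li>On the PKCS#7 path every exception raised inside the {@code try} block leaves this
     *       method as {@code SecurityException}; the specific failure is only available through
     *       the cause.</li>
     *   <li>Revocation: OCSP takes precedence over CRL; with both disabled none is checked.</li>
     * </ul>
     *
     * @param bArr the signed message; must be non-empty
     * @param map trust configuration keyed by issuer DN string
     * @param str JCE provider name forwarded to the parser and to {@code VerifyCert}
     * @param str2 forwarded to the parser (on the CMS path: the expected digest algorithm prefix)
     * @param z flag forwarded to {@code TrustConfig.VerifyCert} / {@code verifyCert}
     * @param z2 whether to validate the signing certificate
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     * @throws SecurityException if the message is malformed or any check on the PKCS#7 path fails
     */
    public void VerifySingleSignedMsg(byte[] bArr, Map map, String str, String str2, boolean z, boolean z2) throws InvalidParameterException, SecurityException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, CertTrustException, CertValidateException, VerifyOCSPException, CertRevokedException, SignatureException, VerifySignatureException, NotInTrustListException, CMSDigestVerifyException {
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException("The Signed Message Is NULL");
        }
        // A one-octet message has no length octet to inspect; reject it as malformed instead of
        // letting bArr[1] raise ArrayIndexOutOfBoundsException on untrusted input.
        if (bArr.length < 2) {
            throw new SecurityException("Not a well formed PKCS7 msg");
        }
        if ((bArr[1] & 255) == 128) {
            verifyCMSSignedData(bArr, null, map, str, str2, z, z2, false);
            return;
        }
        try {
            PKCS7SignedDataFX pKCS7SignedDataFX = new PKCS7SignedDataFX(bArr, str, str2, this.p7Standard);
            // Both values are read from the untrusted message.
            this.signCert = pKCS7SignedDataFX.getSigningCertificate();
            this.digAlg = pKCS7SignedDataFX.getDigAlg();
            getSignCerttmp();
            if (z2) {
                // certinfo[1] is the issuer DN string that getSignCerttmp just stored.
                TrustConfig trustConfig = (TrustConfig) map.get(this.certinfo[1]);
                if (trustConfig != null) {
                    trustConfig.VerifyCert(this.signCert, pKCS7SignedDataFX.getSignCertTBS(), z, str, this.signCertNotBefore, this.signCertNotAfter);
                    if (trustConfig.isOCSPEnabled()) {
                        trustConfig.VerifyOCSP(this.signCert);
                    } else if (trustConfig.isCrlEnabled()) {
                        checkCrlVerifyResult(trustConfig.VerifyCRL(this.signCert));
                    }
                } else {
                    // Issuer not directly trusted: fall back to the chain shipped inside the message.
                    Certificate[] certificates = pKCS7SignedDataFX.getCertificates();
                    if (certificates == null || certificates.length < 2) {
                        throw new NotInTrustListException(new StringBuffer("Not in trust list:issuer:").append(this.signCert.getIssuerDN().toString()).append(" subject:").append(this.signCert.getSubjectDN().toString()).toString());
                    }
                    verifyCert(this.signCert, certificates, map, z);
                }
            }
            // Unverified at this point: the field is populated first, the signature check follows.
            this.ContentData = pKCS7SignedDataFX.getContentData();
            pKCS7SignedDataFX.update(this.ContentData, 0, this.ContentData.length);
            if (!pKCS7SignedDataFX.verify()) {
                throw new VerifySignatureException("signature was not verified ");
            }
        } catch (CRLException e) {
            throw new SecurityException(e);
        } catch (CertificateException e2) {
            throw new SecurityException(e2);
        } catch (Throwable th) {
            throw new SecurityException("Not a well formed PKCS7 msg", th);
        }
    }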

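    /**
     * Parses and verifies a CMS SignedData message (RSA or SM2 signer).
     *
     * <p>Steps: parse, record the signing certificate, optionally validate it ({@code z2}),
     * resolve the digest algorithm, check the content digest when the signed bytes differ from
     * the content, then verify the signature with SM2 (via {@code SDFJNI}) or
     * {@code <digest>withRSA}.
     *
     * <p>Security notes for callers:
     * <ul>
     *   <li>With {@code z2 == false} the certificate embedded in the message is not validated;
     *       a successful return then says nothing about who signed.</li>
     *   <li>With {@code z3 == true} ("afterwards" mode) {@code z} is forced to {@code false} and
     *       OCSP/CRL checks are skipped.</li>
     *   <li>The digest algorithm is chosen by the message. It is constrained only when
     *       {@code str2} is non-null, and then by prefix match ({@code startsWith}); pass a
     *       non-null {@code str2} to keep weak digests from being accepted.</li>
     *   <li>Any public key that is not a {@code JCESM2PublicKey} is treated as RSA.</li>
     *   <li>{@code signCert}, {@code certinfo}, {@code ContentData} and {@code digAlg} are
     *       assigned before the signature is verified and remain set if this method throws.</li>
     *   <li>Every {@code Exception} raised in the body is wrapped twice and leaves this method as
     *       {@code SecurityException("Not a well formed PKCS7 msg")}; the typed exceptions in
     *       the {@code throws} clause are reachable only through the cause chain, which this
     *       method now preserves.</li>
     * </ul>
     *
     * @param bArr the encoded SignedData
     * @param bArr2 content to use when the message carries none; may be {@code null}
     * @param map trust configuration keyed by issuer DN string
     * @param str JCE provider name for RSA verification and {@code VerifyCert}
     * @param str2 expected digest algorithm name prefix, or {@code null} to accept any
     * @param z flag forwarded to {@code TrustConfig.VerifyCert} / {@code verifyCert}
     * @param z2 whether to validate the signing certificate
     * @param z3 whether to run in "afterwards" mode (no revocation checks)
     * @throws SecurityException on any parsing, validation or verification failure
     */
    public void verifyCMSSignedData(byte[] bArr, byte[] bArr2, Map map, String str, String str2, boolean z, boolean z2, boolean z3) throws InvalidParameterException, SecurityException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, CertTrustException, CertValidateException, VerifyOCSPException, CertRevokedException, SignatureException, VerifySignatureException, NotInTrustListException, CMSDigestVerifyException {
        try {
            InfosecCMSSignedData parse = BCCMSSignedDataParser.parse(bArr);
            // The certificate is read from the untrusted message.
            this.signCert = parse.getSignCert();
            if (this.signCert == null) {
                throw new SecurityException("Signing certificate not found in the SignedData");
            }
            getSignCerttmp();
            try {
                byte[] tBSCertificate = this.signCert.getTBSCertificate();
                if (z2) {
                    if (z3) {
                        z = false;
                    }
                    // certinfo[1] is the issuer DN string that getSignCerttmp just stored.
                    TrustConfig trustConfig = (TrustConfig) map.get(this.certinfo[1]);
                    if (trustConfig != null) {
                        trustConfig.VerifyCert(this.signCert, tBSCertificate, z, str, this.signCertNotBefore, this.signCertNotAfter);
                        if (!z3) {
                            // Revocation: OCSP takes precedence; CRL only when OCSP is disabled.
                            if (trustConfig.isOCSPEnabled()) {
                                trustConfig.VerifyOCSP(this.signCert);
                            } else if (trustConfig.isCrlEnabled()) {
                                checkCrlVerifyResult(trustConfig.VerifyCRL(this.signCert));
                            }
                        }
                    } else {
                        // Issuer not directly trusted: fall back to the chain shipped inside the message.
                        X509Certificate[] certChain = parse.getCertChain();
                        if (certChain == null || certChain.length < 2) {
                            throw new NotInTrustListException(new StringBuffer("Not in trust list:issuer:").append(this.signCert.getIssuerDN().toString()).append(" subject:").append(this.signCert.getSubjectDN().toString()).toString());
                        }
                        if (z3) {
                            afterwardsVerifyCert(this.signCert, certChain, map);
                        } else {
                            verifyCert(this.signCert, certChain, map, z);
                        }
                    }
                }
                // Embedded content wins; the caller's bytes are used only for detached messages.
                this.ContentData = parse.getContent();
                if (this.ContentData == null) {
                    this.ContentData = bArr2;
                }
                // Map the digest OID from the message to an algorithm name.
                this.digAlg = parse.getDigestAlg();
                String algrithmNameByOid = OID.getAlgrithmNameByOid(this.digAlg);
                if (algrithmNameByOid != null) {
                    this.digAlg = algrithmNameByOid;
                } else {
                    String algName = PKCS7SignedDataFX.getAlgName(this.digAlg);
                    if (algName == null) {
                        // Report the identifier that could not be resolved; algName is null here,
                        // so appending it (as before) always produced "...:null".
                        throw new NoSuchAlgorithmException(new StringBuffer("Unsupport digest algrithm:").append(this.digAlg).toString());
                    }
                    this.digAlg = algName;
                }
                if (str2 != null && !this.digAlg.startsWith(str2)) {
                    throw new SecurityException(new StringBuffer("The digest algoritm is not match, ").append(this.digAlg).append(" ").append(str2).toString());
                }
                // tbs is what the signature actually covers. When it differs from the content, the
                // content is bound to the signature through the digest carried in the message.
                byte[] tbs = parse.getTbs();
                if (tbs == null) {
                    tbs = this.ContentData;
                } else if (!Arrays.equals(tbs, this.ContentData)) {
                    byte[] contentDigest = parse.getContentDigest();
                    if (contentDigest == null) {
                        throw new SecurityException("Content digest not found in the SignedData");
                    }
                    if (!Arrays.equals(this.digAlg.startsWith("SM3") ? OSCCAMessageDigest.SM3Digest((byte[]) null, (byte[]) null, (byte[]) null, this.ContentData) : MessageDigest.getInstance(this.digAlg, PROVIDER_INFOSEC).digest(this.ContentData), contentDigest)) {
                        throw new CMSDigestVerifyException();
                    }
                }
                byte[] signature = parse.getSignature();
                if (this.signCert.getPublicKey() instanceof JCESM2PublicKey) {
                    try {
                        if (SDFJNI.SM2VierifyWithExternalKey(tbs, this.digAlg, signature, this.signCert.getPublicKey().getEncoded(), ExtendedConfig.getSM3SignpucID())) {
                            return;
                        } else {
                            throw new VerifySignatureException("Signature verify failed");
                        }
                    } catch (CryptoException e) {
                        throw new VerifySignatureException(e.toString());
                    }
                }
                // Not SM2: verified as RSA with the digest named by the message.
                Signature signature2 = Signature.getInstance(new StringBuffer(String.valueOf(this.digAlg)).append("withRSA").toString(), str);
                signature2.initVerify(this.signCert.getPublicKey());
                signature2.update(tbs);
                if (!signature2.verify(signature)) {
                    throw new VerifySignatureException("Signature verify failed");
                }
            } catch (Exception e2) {
                ConsoleLogger.logException(e2);
                // Same message as before; the cause is now chained so the real failure is recoverable.
                throw new SignatureException(e2.toString(), e2);
            }
        } catch (Exception e3) {
            ConsoleLogger.logException(e3);
            throw new SecurityException("Not a well formed PKCS7 msg", e3);
        }
    }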

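    /**
     * "Afterwards" verification of a signed message whose content is carried inside the message.
     *
     * <p>Compared with {@code VerifySingleSignedMsg}, this variant always validates the signing
     * certificate, passes {@code false} as the flag argument of {@code VerifyCert}, uses
     * {@code afterwardsVerifyCert} for embedded chains, and performs no OCSP or CRL check. It is
     * therefore unsuitable for deciding whether a certificate is currently revoked.
     *
     * <p>Messages whose second octet is 0x80 (the BER indefinite-length form after a single-octet
     * tag) are routed to {@link #verifyCMSSignedData}. {@code ContentData} is assigned before the
     * signature is verified, and {@code signCert}, {@code digAlg} and {@code certinfo} before the
     * certificate is validated; read them only after this method returned without throwing. On
     * the PKCS#7 path every exception raised inside the {@code try} block leaves this method as
     * {@code SecurityException}.
     *
     * @param bArr the signed message; must be non-empty
     * @param map trust configuration keyed by issuer DN string
     * @param str JCE provider name forwarded to the parser and to {@code VerifyCert}
     * @param str2 forwarded to the parser (on the CMS path: the expected digest algorithm prefix)
     * @throws InvalidParameterException if {@code bArr} is {@code null} or empty
     * @throws SecurityException if the message is malformed or any check on the PKCS#7 path fails
     */
    public void afterwardsVerifySingleSignedMsg(byte[] bArr, Map map, String str, String str2) throws InvalidParameterException, SecurityException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, CertTrustException, CertValidateException, SignatureException, VerifySignatureException, NotInTrustListException, VerifyOCSPException, CertRevokedException, CMSDigestVerifyException {
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException("The Signed Message Is NULL");
        }
        // A one-octet message has no length octet to inspect; reject it as malformed instead of
        // letting bArr[1] raise ArrayIndexOutOfBoundsException on untrusted input.
        if (bArr.length < 2) {
            throw new SecurityException("Not a well formed PKCS7 msg");
        }
        if ((bArr[1] & 255) == 128) {
            verifyCMSSignedData(bArr, null, map, str, str2, false, true, true);
            return;
        }
        try {
            PKCS7SignedDataFX pKCS7SignedDataFX = new PKCS7SignedDataFX(bArr, str, str2, this.p7Standard);
            // Both values are read from the untrusted message.
            this.signCert = pKCS7SignedDataFX.getSigningCertificate();
            this.digAlg = pKCS7SignedDataFX.getDigAlg();
            getSignCerttmp();
            // certinfo[1] is the issuer DN string that getSignCerttmp just stored.
            TrustConfig trustConfig = (TrustConfig) map.get(this.certinfo[1]);
            if (trustConfig != null) {
                // No OCSP/CRL step follows on this path.
                trustConfig.VerifyCert(this.signCert, pKCS7SignedDataFX.getSignCertTBS(), false, str, this.signCertNotBefore, this.signCertNotAfter);
            } else {
                // Issuer not directly trusted: fall back to the chain shipped inside the message.
                Certificate[] certificates = pKCS7SignedDataFX.getCertificates();
                if (certificates == null || certificates.length < 2) {
                    throw new NotInTrustListException(new StringBuffer("Not in trust list:issuer:").append(this.signCert.getIssuerDN().toString()).append(" subject:").append(this.signCert.getSubjectDN().toString()).toString());
                }
                afterwardsVerifyCert(this.signCert, certificates, map);
            }
            // Unverified at this point: the field is populated first, the signature check follows.
            this.ContentData = pKCS7SignedDataFX.getContentData();
            pKCS7SignedDataFX.update(this.ContentData, 0, this.ContentData.length);
            if (!pKCS7SignedDataFX.verify()) {
                throw new VerifySignatureException("signature was not verified ");
            }
        } catch (CRLException e) {
            throw new SecurityException(e);
        } catch (CertificateException e2) {
            throw new SecurityException(e2);
        } catch (Throwable th) {
            throw new SecurityException("Not a well formed PKCS7 msg", th);
        }
    }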

    /**
     * Validates a certificate against the trust configuration, without any signature check.
     *
     * <p>The issuer is looked up by its trimmed DN string and, if that misses, by the
     * {@code CertificateUtil.turnDN} form of the same string. When a trust entry exists the
     * certificate is verified against it and then checked with OCSP, or with CRL if OCSP is
     * disabled (with both disabled no revocation check runs). When no entry exists, the supplied
     * chain is validated through {@code verifyCert}, and {@code signCert} is overwritten with the
     * certificate first.
     *
     * @param x509Certificate the certificate to validate
     * @param certificateArr candidate chain used when the issuer has no trust entry
     * @param map trust configuration keyed by issuer DN string
     * @param z flag forwarded to {@code TrustConfig.VerifyCert} / {@code verifyCert}
     * @throws NotInTrustListException if the issuer is unknown and fewer than two chain
     *     certificates were supplied
     */
    public void verifySingleSignedCert(X509Certificate x509Certificate, Certificate[] certificateArr, Map map, boolean z) throws CertTrustException, CertTrustException, CertValidateException, VerifyOCSPException, CertRevokedException, NotInTrustListException {
        final String issuerKey = CertificateUtil.trimDN(x509Certificate.getIssuerDN().toString());
        TrustConfig issuerTrust = (TrustConfig) map.get(issuerKey);
        if (issuerTrust == null) {
            // Second attempt with the alternative DN form.
            issuerTrust = (TrustConfig) map.get(CertificateUtil.turnDN(issuerKey));
        }
        if (issuerTrust != null) {
            final long notBeforeSeconds = x509Certificate.getNotBefore().getTime() / 1000;
            final long notAfterSeconds = x509Certificate.getNotAfter().getTime() / 1000;
            issuerTrust.VerifyCert(x509Certificate, null, z, ExtendedConfig.getVerifyProvider(), notBeforeSeconds, notAfterSeconds);
            if (issuerTrust.isOCSPEnabled()) {
                issuerTrust.VerifyOCSP(x509Certificate);
            } else if (issuerTrust.isCrlEnabled()) {
                checkCrlVerifyResult(issuerTrust.VerifyCRL(x509Certificate));
            }
            return;
        }
        final boolean hasChain = certificateArr != null && certificateArr.length >= 2;
        if (!hasChain) {
            throw new NotInTrustListException("Not in trust list:issuer:" + x509Certificate.getIssuerDN().toString() + " subject:" + x509Certificate.getSubjectDN().toString());
        }
        this.signCert = x509Certificate;
        verifyCert(x509Certificate, certificateArr, map, z);
    }

    /**
     * Verifies a certificate against the trust entry registered for its issuer DN.
     *
     * <p>Only the {@code CryptoUtil.trimDN} form of the issuer name is looked up; there is
     * no second lookup with a {@code turnDN} form, and no OCSP or CRL check is made here.
     *
     * @param x509Certificate certificate to verify
     * @param map trust list; keys are issuer DN strings, values are {@code TrustConfig}
     * @throws NotInTrustListException if the issuer has no entry in {@code map}
     */
    public void afterwardsVerifyCert(X509Certificate x509Certificate, Map map) throws CertTrustException, CertTrustException, NotInTrustListException, CertValidateException {
        String issuerKey = CryptoUtil.trimDN(x509Certificate.getIssuerDN().getName());
        TrustConfig anchor = (TrustConfig) map.get(issuerKey);
        if (anchor != null) {
            // NOTE(review): the window passed is the certificate's own validity period
            // in seconds - confirm how VerifyCert interprets it.
            anchor.VerifyCert(
                    x509Certificate,
                    null,
                    false,
                    PROVIDER_INFOSEC,
                    x509Certificate.getNotBefore().getTime() / 1000,
                    x509Certificate.getNotAfter().getTime() / 1000);
            return;
        }
        throw new NotInTrustListException("Not in trust list:issuer:" + x509Certificate.getIssuerDN().toString() + " subject:" + x509Certificate.getSubjectDN().toString());
    }

    /**
     * Builds a PKCS#7 enveloped message for one recipient using {@code PKCS7EnvelopedData}.
     *
     * @param bArr plaintext to envelope; must not be {@code null}
     * @param x509Certificate recipient encryption certificate; must not be {@code null}
     * @param str forwarded to {@code PKCS7EnvelopedData.encrypt} (presumably an algorithm name - confirm)
     * @param str2 forwarded to {@code PKCS7EnvelopedData.encrypt} (presumably a provider name - confirm)
     * @param publicKey forwarded to {@code PKCS7EnvelopedData.encrypt}; not checked for {@code null} here
     * @return the value returned by {@code PKCS7EnvelopedData.encrypt}
     * @throws InvalidParameterException if the certificate or the plaintext is {@code null}
     */
    public byte[] composeSingleEnvelopedMsg(byte[] bArr, X509Certificate x509Certificate, String str, String str2, PublicKey publicKey) throws InvalidParameterException, NoSuchProviderException, NoSuchAlgorithmException, EncryptDataException, EncryptKeyException, WriteEnvDataException {
        final PKCS7EnvelopedData envelope = new PKCS7EnvelopedData();
        // The certificate is checked before the plaintext, so a call with both
        // missing reports the certificate.
        if (null == x509Certificate) {
            throw new InvalidParameterException("The EncCert Is NuLL");
        }
        if (null == bArr) {
            throw new InvalidParameterException("The PlainText Is NuLL");
        }
        byte[] enveloped = envelope.encrypt(bArr, x509Certificate, str, str2, publicKey);
        return enveloped;
    }

    /**
     * Opens a PKCS#7 enveloped message with a software private key.
     *
     * <p>Besides returning the plaintext, this call overwrites the instance fields
     * {@code encCert}, {@code p7ed}, {@code ContentData} and {@code encAlg}, so the
     * result of the last call is what later getters on this instance observe.
     *
     * @param bArr enveloped data; must be non-null and non-empty
     * @param x509Certificate recipient certificate; must not be {@code null}
     * @param privateKey forwarded to {@code PKCS7EnvelopedData.decrypt}; not checked for {@code null} here
     * @param str forwarded to {@code PKCS7EnvelopedData.decrypt} (presumably a provider name - confirm)
     * @return the decrypted content
     * @throws InvalidParameterException if the envelope is null or empty, or the certificate is null
     */
    public byte[] decomposeSingleEnvelopedMsg(byte[] bArr, X509Certificate x509Certificate, PrivateKey privateKey, String str) throws InvalidParameterException, CertificateNotMatchException, DecryptKeyException, DecryptDataException, SecurityException, NoSuchAlgorithmException {
        boolean envelopeMissing = (bArr == null) || (bArr.length == 0);
        if (envelopeMissing) {
            throw new InvalidParameterException("The Envelope Data Is NULL");
        }
        if (null == x509Certificate) {
            throw new InvalidParameterException("The Cert  Is NULL");
        }

        // State is recorded before decryption, so encCert and p7ed are updated even
        // when decrypt() below throws.
        this.encCert = x509Certificate;
        getEncCerttmp();
        this.p7ed = new PKCS7EnvelopedData();

        byte[] plaintext = this.p7ed.decrypt(bArr, x509Certificate, privateKey, str);
        this.ContentData = plaintext;
        this.encAlg = this.p7ed.getEncAlg();
        return plaintext;
    }

    /**
     * Builds a PKCS#7 enveloped message for one recipient using
     * {@code PKCS7HardEnvelopedData} and the {@code handler} in scope of this class
     * (presumably the hardware crypto handle - confirm).
     *
     * @param bArr plaintext to envelope; must not be {@code null}
     * @param x509Certificate recipient encryption certificate; must not be {@code null}
     * @param str forwarded to {@code PKCS7HardEnvelopedData.encrypt} (presumably an algorithm name - confirm)
     * @return the value returned by {@code PKCS7HardEnvelopedData.encrypt}
     * @throws InvalidParameterException if the certificate or the plaintext is {@code null}
     */
    public byte[] composeHardSingleEnvelopedMsg(byte[] bArr, X509Certificate x509Certificate, String str) throws InvalidParameterException, WriteEnvDataException, CryptoException {
        final PKCS7HardEnvelopedData envelope = new PKCS7HardEnvelopedData();
        // The certificate is checked before the plaintext, so a call with both
        // missing reports the certificate.
        if (null == x509Certificate) {
            throw new InvalidParameterException("The EncCert Is NuLL");
        }
        if (null == bArr) {
            throw new InvalidParameterException("The PlainText Is NuLL");
        }
        byte[] enveloped = envelope.encrypt(bArr, x509Certificate, str, handler);
        return enveloped;
    }

    /**
     * Opens a PKCS#7 enveloped message using {@code PKCS7HardEnvelopedData} and the
     * {@code handler} in scope of this class.
     *
     * <p>Besides returning the plaintext, this call overwrites the instance fields
     * {@code encCert}, {@code ContentData} and {@code encAlg}.
     *
     * @param bArr enveloped data; must be non-null and non-empty
     * @param x509Certificate recipient certificate; must not be {@code null}
     * @param bArr2 passed as the first argument of {@code decrypt} (presumably key
     *        material or a key reference - confirm); not validated here
     * @return the decrypted content
     * @throws InvalidParameterException if the envelope is null or empty, or the certificate is null
     */
    public byte[] decomposeHardSingleEnvelopedMsg(byte[] bArr, X509Certificate x509Certificate, byte[] bArr2) throws InvalidParameterException, CertificateNotMatchException, SecurityException, CryptoException, NoSuchAlgorithmException {
        boolean envelopeMissing = (bArr == null) || (bArr.length == 0);
        if (envelopeMissing) {
            throw new InvalidParameterException("The Envelope Data Is NULL");
        }
        if (null == x509Certificate) {
            throw new InvalidParameterException("The Cert Data Is NULL");
        }

        // encCert is recorded before decryption, so it is updated even when
        // decrypt() below throws.
        this.encCert = x509Certificate;
        getEncCerttmp();

        PKCS7HardEnvelopedData envelope = new PKCS7HardEnvelopedData();
        // Argument order is (bArr2, envelope bytes, certificate, handler).
        byte[] plaintext = envelope.decrypt(bArr2, bArr, x509Certificate, handler);
        this.ContentData = plaintext;
        this.encAlg = envelope.getEncAlg();
        return plaintext;
    }

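    /**
     * Validates a signer certificate by building candidate certification paths from the
     * supplied certificates and checking each against the trust list.
     *
     * <p>For every path position at which {@code mostCloseIssuer} reports a trusted issuer,
     * the sub-path up to that issuer is verified with the public key of the first root
     * certificate of the matching {@code TrustConfig}. A sub-path that fails this
     * verification is logged and the search continues. Once a sub-path verifies, the
     * revocation check of that trust entry (OCSP if enabled, otherwise CRL if enabled) is
     * applied to {@code x509Certificate} and its outcome is final: a revocation failure
     * propagates to the caller instead of being logged and retried against another
     * trust entry. When neither OCSP nor CRL is enabled, no revocation check runs.
     *
     * @param x509Certificate signer certificate to validate
     * @param certificateArr certificates supplied with the signature; may be {@code null} or empty
     * @param map trust list; keys are issuer DN strings, values are {@code TrustConfig}
     * @param z flag forwarded unchanged to {@code NetSignCertPath.verify}
     * @throws CertValidateException if the configured validity check rejects the certificate
     * @throws NotInTrustListException if no path position matched any trusted issuer
     * @throws CertTrustException if trusted issuers matched but no sub-path verified
     * @throws CertRevokedException if the revocation check rejects the certificate
     * @throws VerifyOCSPException if the OCSP check fails
     */
    public void verifyCert(X509Certificate x509Certificate, Certificate[] certificateArr, Map map, boolean z) throws CertTrustException, CertValidateException, CertRevokedException, VerifyOCSPException, NotInTrustListException {
        checkValidity(x509Certificate);
        NetSignCertPath[] candidatePaths = NetSignCertPathBuilder.build(x509Certificate, convertCertificate(certificateArr, x509Certificate));
        String[] trustedIssuers = (String[]) map.keySet().toArray(new String[0]);
        boolean anchorMatched = false;
        for (NetSignCertPath path : candidatePaths) {
            int pathLength = path.size();
            for (int i = 0; i < pathLength; i++) {
                int[] match = path.mostCloseIssuer(trustedIssuers, i);
                if (match == null) {
                    continue;
                }
                anchorMatched = true;
                NetSignCertPath subPath = path.subPath(0, match[1] + 1);
                TrustConfig trustConfig = (TrustConfig) map.get(trustedIssuers[match[0]]);
                try {
                    // Only the first root certificate of the trust entry is used as the anchor key.
                    subPath.verify(((X509Certificate) trustConfig.getRootCertList().get(0)).getPublicKey(), z);
                } catch (Exception e) {
                    // Path verification is best-effort per candidate: log and try the next one.
                    ConsoleLogger.logString(e.toString());
                    continue;
                }
                // Revocation is evaluated outside the best-effort catch so that a revoked or
                // unverifiable status is reported to the caller rather than swallowed, which
                // would let the search fall through to a different trust entry.
                if (trustConfig.isOCSPEnabled()) {
                    trustConfig.VerifyOCSP(x509Certificate);
                } else if (trustConfig.isCrlEnabled()) {
                    checkCrlVerifyResult(trustConfig.VerifyCRL(x509Certificate));
                }
                return;
            }
        }
        if (!anchorMatched) {
            throw new NotInTrustListException("The SignCert not in trust list");
        }
        throw new CertTrustException("The SignCert not verified");
    }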

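    /**
     * Validates a certificate's chain against the trust list without any revocation check.
     *
     * <p>Candidate paths are built from the supplied certificates. For every path position
     * at which {@code mostCloseIssuer} reports a trusted issuer, the sub-path up to that
     * issuer is verified with the public key of the first root certificate of the matching
     * {@code TrustConfig}. A trust entry whose public key cannot be obtained is skipped,
     * so a path is never verified against a missing key.
     *
     * @param x509Certificate certificate to validate
     * @param certificateArr certificates supplied with the signature; may be {@code null} or empty
     * @param map trust list; keys are issuer DN strings, values are {@code TrustConfig}
     * @throws CertValidateException if the configured validity check rejects the certificate
     * @throws NotInTrustListException if no path position matched any trusted issuer
     * @throws CertTrustException if trusted issuers matched but no sub-path verified
     */
    public void afterwardsVerifyCert(X509Certificate x509Certificate, Certificate[] certificateArr, Map map) throws CertTrustException, CertValidateException, NotInTrustListException {
        checkValidity(x509Certificate);
        NetSignCertPath[] candidatePaths = NetSignCertPathBuilder.build(x509Certificate, convertCertificate(certificateArr, x509Certificate));
        String[] trustedIssuers = (String[]) map.keySet().toArray(new String[0]);
        boolean anchorMatched = false;
        for (NetSignCertPath path : candidatePaths) {
            int pathLength = path.size();
            for (int i = 0; i < pathLength; i++) {
                int[] match = path.mostCloseIssuer(trustedIssuers, i);
                if (match == null) {
                    continue;
                }
                anchorMatched = true;
                NetSignCertPath subPath = path.subPath(0, match[1] + 1);
                X509Certificate rootCert = (X509Certificate) ((TrustConfig) map.get(trustedIssuers[match[0]])).getRootCertList().get(0);
                PublicKey anchorKey;
                try {
                    // NOTE(review): certificate type 1 is presumably SM2 - confirm against Utils.getCertType.
                    anchorKey = Utils.getCertType(rootCert) == 1 ? new SM2Certificate(rootCert, rootCert.getEncoded(), rootCert.getTBSCertificate()).getPublicKey() : rootCert.getPublicKey();
                } catch (Exception e) {
                    ConsoleLogger.logException(e);
                    // Without the anchor key this trust entry cannot vouch for the path.
                    continue;
                }
                if (anchorKey == null) {
                    // Passing a null key to verify() would leave the result to the callee's
                    // null handling; treat it as a failed candidate instead.
                    continue;
                }
                try {
                    subPath.verify(anchorKey, false);
                    return;
                } catch (Exception e2) {
                    ConsoleLogger.logString(e2.toString());
                }
            }
        }
        if (!anchorMatched) {
            throw new NotInTrustListException("The SignCert not in trust list");
        }
        throw new CertTrustException("The SignCert not verified");
    }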

    /**
     * Checks the certificate's validity period against the current time, but only when
     * {@code ExtendedConfig.isCheckCertValidity()} is on. With the setting off this step
     * accepts expired and not-yet-valid certificates.
     *
     * @param x509Certificate certificate to check
     * @throws CertValidateException if the check is enabled and {@code checkValidity()} throws;
     *         the message carries the subject DN and the original cause is not attached
     */
    private void checkValidity(X509Certificate x509Certificate) throws CertValidateException {
        if (!ExtendedConfig.isCheckCertValidity()) {
            return;
        }
        try {
            x509Certificate.checkValidity();
        } catch (Exception e) {
            throw new CertValidateException("Certificate:" + x509Certificate.getSubjectDN().getName());
        }
    }

    /**
     * Returns the supplied certificates as an {@code X509Certificate} array.
     *
     * @param certificateArr certificates to convert; may be {@code null} or empty
     * @param x509Certificate certificate used as the only element when
     *        {@code certificateArr} is {@code null} or empty
     * @return a new array; each element of {@code certificateArr} is cast, so a
     *         non-X.509 entry raises {@code ClassCastException}
     */
    private X509Certificate[] convertCertificate(Certificate[] certificateArr, X509Certificate x509Certificate) {
        if (certificateArr == null || certificateArr.length == 0) {
            return new X509Certificate[]{x509Certificate};
        }
        X509Certificate[] converted = new X509Certificate[certificateArr.length];
        int position = 0;
        for (Certificate entry : certificateArr) {
            converted[position++] = (X509Certificate) entry;
        }
        return converted;
    }

    /**
     * Returns the value currently held in the {@code digAlg} field.
     *
     * @return the stored digest algorithm value; presumably set by an earlier
     *         sign or verify call on this instance (not visible here)
     */
    public String getDigestAlg() {
        return digAlg;
    }

    /**
     * Verifies a "QLBKB" signature: an RSA PKCS#1 block that carries two digests.
     *
     * <p>The signature is opened with the public key, and the last two digest-length
     * runs of the recovered bytes are taken as digest 1 and digest 2. Bytes in front of
     * them are not examined. Digest 1 must equal the digest of the whole XML input;
     * digest 2 must equal the digest of the view extracted by {@code getViewInQLBKB}.
     *
     * @param bArr the XML data that was signed
     * @param bArr2 the signature value
     * @param str digest algorithm name
     * @param publicKey signer's RSA public key
     * @param str2 JCA provider name used for both the cipher and the digest
     * @throws SignatureStructureException if the recovered block is shorter than two
     *         digests, or for any failure in the second (view) stage, including a
     *         digest 2 mismatch
     * @throws SignatureException if digest 1 does not match
     */
    public void verifyQLBKB(byte[] bArr, byte[] bArr2, String str, PublicKey publicKey, String str2) throws SignatureException, SignatureStructureException, PlaintextStructureException, NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding", str2);
        rsa.init(Cipher.DECRYPT_MODE, publicKey);
        byte[] recovered = rsa.doFinal(bArr2);
        ConsoleLogger.logBinary("QLBKB decrypted signaute", recovered);

        MessageDigest hasher = MessageDigest.getInstance(str, str2);
        int hashLen = hasher.getDigestLength();
        if (recovered.length < hashLen * 2) {
            throw new SignatureStructureException("the signature did not contained two hashed datas");
        }

        // The two digests sit back to back at the very end of the recovered block.
        int secondStart = recovered.length - hashLen;
        int firstStart = secondStart - hashLen;
        byte[] embeddedFull = Arrays.copyOfRange(recovered, firstStart, secondStart);
        ConsoleLogger.logBinary("QLBKB digest 1 in signature", embeddedFull);
        byte[] embeddedView = Arrays.copyOfRange(recovered, secondStart, recovered.length);
        ConsoleLogger.logBinary("QLBKB digest 2 in signature", embeddedView);

        byte[] computedFull = hasher.digest(bArr);
        ConsoleLogger.logBinary("QLBKB digest of all xml data", computedFull);
        boolean fullMatches = Arrays.equals(embeddedFull, computedFull);
        if (!fullMatches) {
            throw new SignatureException("Digest 1 not matched");
        }

        try {
            byte[] view = getViewInQLBKB(bArr);
            ConsoleLogger.logBinary("QLBKB view data", view);
            ConsoleLogger.logString(view);
            if (view.length == 0) {
                throw new SignatureStructureException("no attribute named \"name\" in the xml");
            }
            byte[] computedView = hasher.digest(view);
            ConsoleLogger.logBinary("QLBKB digest of view data", computedView);
            boolean viewMatches = Arrays.equals(embeddedView, computedView);
            if (!viewMatches) {
                throw new SignatureException("Digest 2 not matched");
            }
        } catch (Exception e) {
            // NOTE(review): this handler also catches the two exceptions thrown just above,
            // so a digest 2 mismatch reaches the caller as SignatureStructureException
            // while a digest 1 mismatch is a SignatureException - confirm that callers
            // treat both as verification failure.
            ConsoleLogger.logException(e);
            throw new SignatureStructureException(e.toString());
        }
    }

    /**
     * Extracts the "view" of a QLBKB XML document: for every element found through the
     * {@code name="} marker that has a {@code name} attribute, the attribute value
     * followed by the bytes between the element's start and end tags, with the entries
     * separated by CR LF.
     *
     * @param bArr the XML document bytes
     * @return the concatenated view, or an empty array when no such element was found
     */
    private byte[] getViewInQLBKB(byte[] bArr) {
        BinaryXMLParser binaryXMLParserFactory = BinaryXMLParserFactory.getInstance("Infosec");
        binaryXMLParserFactory.setXML(bArr);
        // Accumulated view; every entry appended below ends with CR LF.
        byte[] bArr2 = new byte[0];
        while (true) {
            // getBytes() without a charset uses the platform default; the literals here are ASCII.
            // Presumably each call advances the parser to the next match - confirm in BinaryXMLParser.
            XMLTag startElement = binaryXMLParserFactory.getStartElement("name=\"".getBytes());
            if (startElement == null) {
                break;
            }
            byte[] attributeValue = startElement.getAttributeValue("name".getBytes());
            if (attributeValue != null) {
                // i / i2: presumably the first and last byte of the element content, assuming
                // XMLTag.end and XMLTag.start index a tag's last and first byte - confirm.
                int i = startElement.end + 1;
                // NOTE(review): the result of getEndElement is dereferenced without a null
                // check; presumably an unterminated element raises here and the caller's
                // catch (Exception) turns it into a structure error - confirm.
                int i2 = binaryXMLParserFactory.getEndElement(startElement.name).start - 1;
                int length = bArr2.length;
                // New size = previous bytes + attribute value + content (i2 - i + 1) + 2 for CR LF.
                // NOTE(review): i and i2 come from the parsed document; if i2 < i - 1 the size
                // or copy length goes negative and the array operations throw.
                byte[] bArr3 = new byte[(((bArr2.length + attributeValue.length) + i2) - i) + 1 + 2];
                System.arraycopy(bArr2, 0, bArr3, 0, bArr2.length);
                System.arraycopy(attributeValue, 0, bArr3, length, attributeValue.length);
                System.arraycopy(bArr, i, bArr3, length + attributeValue.length, (i2 - i) + 1);
                // 13, 10 = CR, LF terminating this entry.
                bArr3[bArr3.length - 2] = 13;
                bArr3[bArr3.length - 1] = 10;
                // The grown buffer becomes the accumulator (copied once more here).
                bArr2 = new byte[bArr3.length];
                System.arraycopy(bArr3, 0, bArr2, 0, bArr3.length);
            }
        }
        if (bArr2.length != 0) {
            // Drop the CR LF that follows the last entry.
            byte[] bArr4 = new byte[bArr2.length - 2];
            System.arraycopy(bArr2, 0, bArr4, 0, bArr4.length);
            bArr2 = bArr4;
        }
        return bArr2;
    }

    /**
     * Validates a raw certificate: trust-list lookup by issuer DN, validity period
     * against the current time, verification against the trust entry, then revocation
     * (OCSP if enabled, otherwise CRL if enabled).
     *
     * <p>Unlike the X.509 path, the validity period is always checked here; it does not
     * consult {@code ExtendedConfig.isCheckCertValidity()}.
     *
     * @param pBCRAWCert raw certificate to validate; its notBefore/notAfter are parsed as
     *        longs and compared with {@code System.currentTimeMillis()}
     * @param map trust list; keys are issuer DN strings, values are {@code TrustConfig}
     * @throws NotInTrustListException if the issuer has no trust entry
     * @throws CertValidateException if the current time is outside the validity period
     * @throws CertTrustException for any failure of the verification or revocation step;
     *         the underlying exception is logged and replaced
     */
    public void verifyRAWCert(PBCRAWCert pBCRAWCert, Map map) throws CertTrustException, CertValidateException, VerifyOCSPException, CertRevokedException, NotInTrustListException {
        String issuerKey = CryptoUtil.trimDN(pBCRAWCert.getIssuerDN());
        Object alternateKey = CryptoUtil.turnDN(issuerKey);
        TrustConfig anchor = (TrustConfig) map.get(issuerKey);
        if (anchor == null) {
            anchor = (TrustConfig) map.get(alternateKey);
        }
        if (anchor == null) {
            throw new NotInTrustListException("Not In Trust List(" + issuerKey + ")");
        }

        long now = System.currentTimeMillis();
        if (now < Long.parseLong(pBCRAWCert.getNotBefore()) || now > Long.parseLong(pBCRAWCert.getNotAfter())) {
            String validFrom = new Date(Long.parseLong(pBCRAWCert.getNotBefore())).toString();
            String validUntil = new Date(Long.parseLong(pBCRAWCert.getNotAfter())).toString();
            throw new CertValidateException("Notbefore " + validFrom + " notafter " + validUntil);
        }

        try {
            anchor.VerifyCert(pBCRAWCert, ExtendedConfig.getVerifyProvider());
            if (anchor.isOCSPEnabled()) {
                anchor.VerifyOCSP(pBCRAWCert.getCert());
            } else if (anchor.isCrlEnabled()) {
                checkCrlVerifyResult(anchor.VerifyCRL(pBCRAWCert.getCert()));
            }
        } catch (Exception e) {
            // NOTE(review): revocation and OCSP failures raised inside the try are reported
            // as a generic CertTrustException, so the declared VerifyOCSPException and
            // CertRevokedException do not appear to reach the caller from here - confirm
            // whether callers need to tell revocation apart from a signature failure.
            ConsoleLogger.logException(e);
            throw new CertTrustException("Cert verify failed ");
        }
    }

    /**
     * Runs the revocation check configured for the raw certificate's issuer: OCSP if the
     * trust entry enables it, otherwise CRL if that is enabled.
     *
     * <p>Despite the name, nothing is returned; the outcome is reported through the
     * exceptions of the calls made here. When neither OCSP nor CRL is enabled the method
     * returns without checking anything.
     *
     * @param pBCRAWCert raw certificate whose revocation status is checked
     * @param map trust list; keys are issuer DN strings, values are {@code TrustConfig}
     * @throws NotInTrustListException if the issuer has no trust entry
     */
    public void isRAWCertRevoked(PBCRAWCert pBCRAWCert, Map map) throws CertTrustException, VerifyOCSPException, CertRevokedException, NotInTrustListException {
        String issuerKey = CryptoUtil.trimDN(pBCRAWCert.getIssuerDN());
        TrustConfig anchor = (TrustConfig) map.get(issuerKey);
        Object alternateKey = CryptoUtil.turnDN(issuerKey);
        if (anchor == null) {
            anchor = (TrustConfig) map.get(alternateKey);
        }
        if (anchor == null) {
            throw new NotInTrustListException("Not In Trust List(" + issuerKey + ")");
        }

        if (anchor.isOCSPEnabled()) {
            anchor.VerifyOCSP(pBCRAWCert.getCert());
            return;
        }
        if (anchor.isCrlEnabled()) {
            checkCrlVerifyResult(anchor.VerifyCRL(pBCRAWCert.getCert()));
        }
    }

    /**
     * Verifies a raw certificate against the trust entry of its issuer, without checking
     * the validity period or revocation status.
     *
     * @param pBCRAWCert raw certificate to verify
     * @param map trust list; keys are issuer DN strings, values are {@code TrustConfig}
     * @throws NotInTrustListException if the issuer has no trust entry
     * @throws CertTrustException if {@code TrustConfig.VerifyCert} throws; the underlying
     *         exception is logged and replaced
     */
    public void verifyRAWCertChain(PBCRAWCert pBCRAWCert, Map map) throws CertTrustException, NotInTrustListException, CertValidateException {
        String issuerKey = CryptoUtil.trimDN(pBCRAWCert.getIssuerDN());
        Object alternateKey = CryptoUtil.turnDN(issuerKey);
        TrustConfig anchor = (TrustConfig) map.get(issuerKey);
        if (anchor == null) {
            anchor = (TrustConfig) map.get(alternateKey);
        }
        if (anchor == null) {
            throw new NotInTrustListException("Not In Trust List(" + issuerKey + ")");
        }

        try {
            anchor.VerifyCert(pBCRAWCert, ExtendedConfig.getVerifyProvider());
        } catch (Exception e) {
            ConsoleLogger.logException(e);
            throw new CertTrustException("Cert verify failed ");
        }
    }

    /**
     * Verifies a signature over a byte string with the given public key through the JCA.
     *
     * @param str JCA signature algorithm name
     * @param bArr the signed bytes (presumably the certificate's to-be-signed part - confirm with callers)
     * @param bArr2 the signature value
     * @param publicKey key to verify with
     * @param str2 JCA provider name
     * @throws Exception with the message "Verify sign cert error." when the signature does
     *         not verify, or whatever the JCA calls throw
     */
    public static void verifyCert(String str, byte[] bArr, byte[] bArr2, PublicKey publicKey, String str2) throws Exception {
        Signature verifier = Signature.getInstance(str, str2);
        verifier.initVerify(publicKey);
        verifier.update(bArr);
        boolean signatureValid = verifier.verify(bArr2);
        if (signatureValid) {
            return;
        }
        throw new Exception("Verify sign cert error.");
    }

    /**
     * Verifies an SM2 signature over a byte string through {@code SDFJNI}.
     *
     * <p>The digest name handed to {@code SDFJNI} is the part of {@code str} before
     * "with" when {@code OID.getAlgrithmNameByOid(str)} returns non-null and {@code str}
     * contains "with" after its first character; in every other case it is "SM3".
     *
     * @param str signature algorithm identifier
     * @param bArr the signed bytes
     * @param bArr2 the signature value
     * @param sM2PublicKey key to verify with
     * @param bArr3 forwarded to {@code SDFJNI.SM2VierifyWithExternalKey} (presumably the
     *        SM2 user id - confirm)
     * @throws Exception with the message "Verify sign cert error." when verification fails
     */
    public static void verifyCert(String str, byte[] bArr, byte[] bArr2, SM2PublicKey sM2PublicKey, byte[] bArr3) throws Exception {
        String resolvedName = OID.getAlgrithmNameByOid(str);
        // NOTE(review): when the lookup succeeds its result is discarded in favour of the
        // raw input, and when it fails the name stays null. This looks like an inverted
        // condition (the intent may have been to fall back to str only when the lookup
        // returns null) - confirm against the original source before changing it.
        String algorithmName = (resolvedName != null) ? str : null;

        String digestName = "SM3";
        if (algorithmName != null && algorithmName.indexOf("with") > 0) {
            digestName = algorithmName.split("with")[0];
        }

        boolean signatureValid = SDFJNI.SM2VierifyWithExternalKey(bArr, digestName, bArr2, sM2PublicKey, bArr3);
        if (!signatureValid) {
            throw new Exception("Verify sign cert error.");
        }
    }
}
