package koal.usap.client.pep.ldap.biz.pki;

import com.koal.security.pki.x509.Certificate;
import java.io.File;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import koal.security.utils.Base64;
import koal.usap.client.exception.CertExceptionType;
import koal.usap.client.exception.VerifyFalseException;
import koal.usap.client.pep.bean.CertVerifyBean;
import koal.usap.client.pep.ldap.ClientLdapConfig;
import koal.usap.client.pep.ldap.impl.JitPkiLdapOper;
import koal.usap.client.pep.util.CertCheckUtil;
import koal.usap.client.pep.util.FileUtil;
import koal.usap.client.ws.util.CertUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:koal/usap/client/pep/ldap/biz/pki/JitPkiLdapForCert.class */
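public class JitPkiLdapForCert implements IPkiLdapForCert {
    private static final long serialVersionUID = 1;
    public static final Logger logger = LoggerFactory.getLogger(JitPkiLdapForCert.class);
    // Chain / CRL switches and the local directories that hold the trust material.
    private CertVerifyBean certVerifyBean;
    // Primary PKI directory; stays null when no primary ClientLdapConfig was supplied.
    private JitPkiLdapOper ldapOper;
    private ClientLdapConfig ldapConfig;
    // Secondary ("外联" / external) PKI directory; both fields stay null when not configured.
    private ClientLdapConfig jFLdapConfig;
    private JitPkiLdapOper jFLdapOper;
    // Lazily created in verifyCert(Certificate) / resetCrl. The lazy init is not guarded, so
    // concurrent first calls may each build their own instance (pre-existing behaviour).
    private TrustCertListCfg trustCertList;
    private TrustCrlListCfg trustCrlList;

    /**
     * Creates a verifier backed by up to two PKI directories.
     *
     * @param clientLdapConfig  primary directory config, may be null (no primary lookup)
     * @param clientLdapConfig2 external directory config, may be null (no external lookup)
     * @param certVerifyBean    verification switches and local chain / CRL paths
     */
    public JitPkiLdapForCert(ClientLdapConfig clientLdapConfig, ClientLdapConfig clientLdapConfig2, CertVerifyBean certVerifyBean) {
        this.ldapConfig = clientLdapConfig;
        this.jFLdapConfig = clientLdapConfig2;
        this.certVerifyBean = certVerifyBean;
        if (this.ldapConfig != null) {
            this.ldapOper = new JitPkiLdapOper(this.ldapConfig.getPoolName());
        }
        if (this.jFLdapConfig != null) {
            this.jFLdapOper = new JitPkiLdapOper(this.jFLdapConfig.getPoolName());
        }
    }

    /**
     * Verifies a certificate supplied as an encoded string.
     *
     * @param str encoded certificate, decoded via {@link CertUtil#getCertBytes(String)}
     * @return {@code true} when every enabled check passes
     * @throws VerifyFalseException {@code CERT_ISNULL_ERROR} when {@code str} is null or blank,
     *         or another code when a later check fails
     * @throws Exception any decoding or validation failure
     */
    @Override // koal.usap.client.pep.ldap.biz.pki.IPkiLdapForCert
    public boolean verifyCert(String str) throws Exception {
        if (null == str || str.trim().length() == 0) {
            throw new VerifyFalseException(CertExceptionType.CERT_ISNULL_ERROR);
        }
        return verifyCert(CertUtil.getCertBytes(str));
    }

    /**
     * Verifies a JDK certificate; converted to the project's {@link Certificate} first.
     *
     * @param x509Certificate the certificate to verify
     * @return {@code true} when every enabled check passes
     * @throws Exception any conversion or validation failure
     */
    @Override // koal.usap.client.pep.ldap.biz.pki.IPkiLdapForCert
    public boolean verifyCert(X509Certificate x509Certificate) throws Exception {
        return verifyCert(CertUtil.getCert(x509Certificate));
    }

    /**
     * Verifies a DER/Base64 encoded certificate given as raw bytes.
     *
     * @param bArr encoded certificate bytes
     * @return {@code true} when every enabled check passes
     * @throws Exception any decoding or validation failure
     */
    @Override // koal.usap.client.pep.ldap.biz.pki.IPkiLdapForCert
    public boolean verifyCert(byte[] bArr) throws Exception {
        return verifyCert(CertUtil.getCert(bArr));
    }

    /**
     * Runs the enabled checks against an already-decoded certificate.
     *
     * <p>Chain check (when {@code isVerifyCertChain()}): the issuer certificate is taken from the
     * local chain directory, then looked up in the primary and the external PKI directory; the
     * certificate is then validated against it with {@link CertCheckUtil#validateCert}.
     *
     * <p>Revocation check (when {@code isVerifyCrl()}): if no CRL for the issuer is cached, the
     * CRL is fetched from both directories on a best-effort basis; the check itself
     * ({@code verifyCrl}) is always enforced afterwards, so a failed download does not bypass it.
     *
     * @param certificate decoded certificate
     * @return {@code true} when every enabled check passes (the method never returns false; a
     *         failing check throws instead)
     * @throws VerifyFalseException {@code CERT_NOTFINDPARENTCA_ERROR} when no issuer certificate
     *         can be obtained, {@code CERT_ABOLISH_ERROR} when the certificate is revoked
     * @throws Exception whatever {@link CertCheckUtil#validateCert} or the config loaders raise
     */
    public boolean verifyCert(Certificate certificate) throws Exception {
        if (this.certVerifyBean.isVerifyCertChain()) {
            if (this.trustCertList == null) {
                this.trustCertList = new TrustCertListCfg();
                this.trustCertList.initConfig(this.certVerifyBean.getCertChainPath());
            }
            // Local chain directory first, then the primary directory, then the external one.
            Certificate issuerCert = this.trustCertList.getIssuerCert(certificate);
            issuerCert = downloadCaCert(this.ldapOper, certificate, issuerCert);
            issuerCert = downloadCaCert(this.jFLdapOper, certificate, issuerCert);
            if (issuerCert == null) {
                throw new VerifyFalseException(CertExceptionType.CERT_NOTFINDPARENTCA_ERROR);
            }
            // The issuer was selected by CN match only; validateCert is what actually binds the
            // certificate to that issuer (signature etc.). Any exception propagates unchanged.
            CertCheckUtil.validateCert(certificate, issuerCert);
        }
        if (this.certVerifyBean.isVerifyCrl()) {
            if (this.trustCrlList == null) {
                this.trustCrlList = new TrustCrlListCfg();
                this.trustCrlList.initConfig(this.certVerifyBean.getCrlPath());
            }
            if (!this.trustCrlList.isExistCrl(certificate)) {
                logger.debug("黑名单中是不包含了该证书颁发机构的黑名单");
                String issuerDn = certificate.getIssuer().toString();
                try {
                    downloadExtCrl(this.trustCrlList, this.ldapOper, issuerDn);
                    downloadExtCrl(this.trustCrlList, this.jFLdapOper, issuerDn);
                } catch (Exception e) {
                    // Best effort: the download failure is logged, the revocation check below still runs.
                    logger.error("下载黑名单出错", e);
                }
            }
            if (!this.trustCrlList.verifyCrl(certificate)) {
                throw new VerifyFalseException(CertExceptionType.CERT_ABOLISH_ERROR.getErrCode(),
                        CertExceptionType.CERT_ABOLISH_ERROR.getErrMes() + ":" + certificate.getSubject().toString());
            }
        }
        return true;
    }

    /**
     * Looks up the issuer certificate of {@code certificate} in a PKI directory when it was not
     * found locally. A found certificate is added to the in-memory chain store and persisted to
     * the chain directory as {@code <issuerCN>.cer}.
     *
     * <p>The issuer CN is attacker-controlled (it is read from the presented certificate), so it
     * is escaped before being placed in the LDAP filter and the derived file name is checked to
     * stay inside the chain directory.
     *
     * @param jitPkiLdapOper directory to query; null (not configured) skips the lookup
     * @param certificate    the certificate whose issuer is wanted
     * @param certificate2   issuer already known, or null; returned unchanged when non-null
     * @return the issuer certificate, or null when none could be obtained (failures are logged,
     *         not thrown)
     */
    public Certificate downloadCaCert(JitPkiLdapOper jitPkiLdapOper, Certificate certificate, Certificate certificate2) {
        if (certificate2 != null) {
            return certificate2;
        }
        if (jitPkiLdapOper == null) {
            // No directory on this side (see constructor); nothing to look up.
            return null;
        }
        try {
            logger.debug("上级CA在本地证书链目录下未找到");
            String issuerCommonName = certificate.getIssuerCommonName();
            if (issuerCommonName == null) {
                logger.debug("PKI目录上未能查找到上级CA");
                return null;
            }
            String gACertSt = CertUtil.getGACertSt(certificate);
            String baseDn = null;
            if (gACertSt != null) {
                baseDn = gACertSt + ",c=cn";
            } else {
                // NOTE(review): the search proceeds with a null base DN as before; presumably the
                // oper falls back to its configured base — confirm.
                logger.warn("通过上级颁发者获取省份出错");
            }
            logger.debug("开始通过PKI目录查找上级CA");
            String filter = "(&(objectclass=jitCA)(cn=" + escapeLdapFilterValue(issuerCommonName) + "))";
            String searchCaRefCert = jitPkiLdapOper.searchCaRefCert(baseDn, filter);
            if (searchCaRefCert == null) {
                logger.debug("PKI目录上未能查找到上级CA");
                return null;
            }
            byte[] decoded = Base64.decode(searchCaRefCert);
            Certificate caCert = new Certificate();
            // Decode before publishing: an undecoded Certificate must never be handed back.
            caCert.decode(decoded);
            this.trustCertList.saveCert(caCert);
            persistCaCert(issuerCommonName, decoded);
            return caCert;
        } catch (Exception e) {
            logger.error("通过PKI目录、PKI外联目录查找上级CA失败", e);
            return null;
        }
    }

    /**
     * Writes a downloaded issuer certificate to {@code <certChainPath>/<issuerCommonName>.cer}.
     * Failures (including a file name that would escape the chain directory) are logged only;
     * the in-memory copy saved by the caller is unaffected.
     */
    private void persistCaCert(String issuerCommonName, byte[] encoded) {
        try {
            File chainDir = new File(this.certVerifyBean.getCertChainPath());
            File target = safeChildFile(chainDir, issuerCommonName + ".cer");
            if (target == null) {
                logger.warn("issuer CN yields a file name outside the chain directory; not persisted: {}", issuerCommonName);
                return;
            }
            FileUtil.writeByteArrayToFile(target.getPath(), encoded);
        } catch (Exception e) {
            logger.error("通过PKI目录、PKI外联目录查找上级CA失败", e);
        }
    }

    /**
     * Escapes a value for use as an assertion value in an LDAP search filter (RFC 4515 §3):
     * {@code \ * ( )} and NUL become their {@code \hh} forms.
     */
    static String escapeLdapFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    sb.append("\\5c");
                    break;
                case '*':
                    sb.append("\\2a");
                    break;
                case '(':
                    sb.append("\\28");
                    break;
                case ')':
                    sb.append("\\29");
                    break;
                case '\0':
                    sb.append("\\00");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Resolves {@code fileName} under {@code baseDir} and returns the result only when its
     * canonical path is strictly inside {@code baseDir}; otherwise returns null.
     *
     * @throws IOException when either canonical path cannot be determined
     */
    static File safeChildFile(File baseDir, String fileName) throws IOException {
        File target = new File(baseDir, fileName);
        String basePath = baseDir.getCanonicalPath();
        String targetPath = target.getCanonicalPath();
        if (!targetPath.startsWith(basePath + File.separator)) {
            return null;
        }
        return target;
    }

    /**
     * Fetches the CRL distribution points for an issuer from one PKI directory and stores them
     * in {@code trustCrlListCfg}.
     *
     * @param trustCrlListCfg CRL store to update
     * @param jitPkiLdapOper  directory to query; null (not configured) is a no-op
     * @param str             issuer DN; its ST component selects the search base
     * @throws Exception propagated from the directory search or the store
     */
    public void downloadExtCrl(TrustCrlListCfg trustCrlListCfg, JitPkiLdapOper jitPkiLdapOper, String str) throws Exception {
        String stByDN = CertUtil.getStByDN(str);
        if (stByDN == null || jitPkiLdapOper == null) {
            return;
        }
        // The ST value (taken from the certificate issuer DN) forms the search base; the filter
        // itself is constant.
        Map<String, String> searchRefCrl = jitPkiLdapOper.searchRefCrl(stByDN + ",c=cn", "(objectclass=cRLDistributionPoint)");
        if (searchRefCrl == null || searchRefCrl.isEmpty()) {
            return;
        }
        trustCrlListCfg.saveCrl(searchRefCrl);
    }

    /**
     * Rebuilds the CRL store from the configured CRL directory and refreshes every known issuer
     * from both PKI directories, then swaps it in as the active store. Per-issuer download
     * failures are logged and skipped. Does nothing (logs an error) when no CRL path is set.
     *
     * @throws Exception propagated from {@code TrustCrlListCfg.initConfig}
     */
    @Override // koal.usap.client.pep.ldap.biz.pki.IPkiLdapForCert
    public void resetCrl() throws Exception {
        if (this.certVerifyBean.getCrlPath() == null) {
            logger.error("黑名单存放路径不能为空");
            return;
        }
        logger.info("开始更新黑名单");
        long startMillis = System.currentTimeMillis();
        TrustCrlListCfg refreshed = new TrustCrlListCfg();
        refreshed.initConfig(this.certVerifyBean.getCrlPath());
        for (String issuerDn : refreshed.dnSet) {
            logger.info("更新黑名单：" + issuerDn);
            try {
                downloadExtCrl(refreshed, this.ldapOper, issuerDn);
                downloadExtCrl(refreshed, this.jFLdapOper, issuerDn);
            } catch (Exception e) {
                logger.error("下载黑名单出错", e);
            }
        }
        logger.info("更新本省黑名单结束，耗时：" + (System.currentTimeMillis() - startMillis) + "毫秒");
        // Publish the fully built store only after all downloads were attempted.
        this.trustCrlList = refreshed;
    }

    /**
     * Always {@code false}: this implementation never requests a CRL reset on its own.
     */
    public boolean isResetCrl() {
        return false;
    }
}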
