package com.xdja.pki.ca.certmanager.service.kms;

import com.alibaba.fastjson.JSON;
import com.xdja.pki.ca.certmanager.service.kms.bean.ResponseBean;
import com.xdja.pki.ca.certmanager.service.kms.ca.CaRequest;
import com.xdja.pki.ca.certmanager.service.kms.ca.CaRequestGenerator;
import com.xdja.pki.ca.certmanager.service.kms.ca.KMError;
import com.xdja.pki.ca.certmanager.service.kms.ca.KMRespond;
import com.xdja.pki.ca.certmanager.service.kms.ca.KSRespond;
import com.xdja.pki.ca.certmanager.service.kms.ca.Respond;
import com.xdja.pki.ca.certmanager.service.kms.ca.RetKeyRespond;
import com.xdja.pki.ca.certmanager.service.util.ApacheClientHttpUtils;
import com.xdja.pki.ca.certmanager.service.util.CaRequestAlgOid;
import com.xdja.pki.ca.certmanager.service.util.HttpClient;
import com.xdja.pki.ca.certmanager.service.util.HttpResponse;
import com.xdja.pki.ca.certmanager.service.util.TaskNoUtil;
import com.xdja.pki.ca.core.Constants;
import com.xdja.pki.ca.core.ca.util.gm.cert.CertUtil;
import com.xdja.pki.ca.core.common.Result;
import com.xdja.pki.ca.core.configBasic.bean.XdjaKmConfigBean;
import com.xdja.pki.ca.core.enums.KmApplyTypeEnum;
import com.xdja.pki.ca.core.enums.ReqMethodEnum;
import com.xdja.pki.ca.core.exception.ServiceException;
import com.xdja.pki.ca.core.util.FileUtils;
import com.xdja.pki.ca.core.util.json.JsonUtils;
import com.xdja.pki.ca.securitymanager.service.vo.AlgTypeEnum;
import com.xdja.pki.ca.securitymanager.service.vo.CaInfoVO;
import com.xdja.pki.ca.securitymanager.service.vo.SignAlgTypeEnum;
import com.xdja.pki.gmssl.crypto.sdf.SdfCryptoType;
import com.xdja.pki.gmssl.crypto.utils.GMSSLRSASignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2SignUtils;
import com.xdja.pki.gmssl.x509.utils.bean.GMSSLSignatureAlgorithm;
import java.io.File;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

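@Service("kmsXdjaHttpService")
/* loaded from: input_file:com/xdja/pki/ca/certmanager/service/kms/XdjaKmsHttpServiceImpl.class */
/**
 * HTTP client for the XDJA key-management (KM) system: applies for, revokes and restores
 * encryption key pairs on behalf of the CA.
 *
 * <p>Every public method first (re)loads the KM endpoint, the application signing certificate
 * and the KM server signing certificate from the supplied {@link CaInfoVO} / config map into
 * instance fields, then signs one DER request, POSTs it and verifies the KM's signed reply
 * against {@link #kmServerCert} before any key material in it is used.
 *
 * <p>NOTE(review): this is a Spring singleton whose per-call state lives in instance fields
 * ({@code url}, {@code commCert}, {@code kmServerCert}, {@code caRequestAlgOid}); concurrent
 * calls for different CAs would overwrite each other's configuration. Whether callers
 * serialise access is not visible here — confirm before relying on it.
 */
public class XdjaKmsHttpServiceImpl implements KmsService {
    private static final int HTTP_OK = 200;
    /** A 400 from the KM carries a JSON {@link KMError} body rather than a raw message. */
    private static final int HTTP_BAD_REQUEST = 400;
    private static final String OCTET_STREAM = "application/octet-stream";
    /** Length of an uncompressed SM2 point (0x04 || X || Y) as the EC KeyFactory expects it. */
    private static final int SM2_POINT_LENGTH = 65;
    /** Shared BC provider instance for the SM2 public-key conversion (was re-created per call). */
    private static final Provider BC_PROVIDER = new BouncyCastleProvider();

    private HttpClient client;
    private String url;
    private X509Certificate commCert;
    private X509Certificate kmServerCert;
    private CaRequestAlgOid caRequestAlgOid;

    @Value("${config.path}")
    private String configPath;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final Map<String, String> header = new HashMap<>();

    /**
     * Applies to the KM for an encryption key pair bound to the given certificate serial.
     *
     * @param caInfoVO    CA whose KM configuration and signing key are used
     * @param bigInteger  serial number of the encryption certificate being issued
     * @param publicKey   applicant public key the KM wraps the returned private key to
     * @param date        validity start
     * @param date2       validity end
     * @param str         user name
     * @param str2        forwarded to {@code createApplyKeyRequest} (semantics defined there)
     * @param str3        forwarded to {@code createApplyKeyRequest} (semantics defined there)
     * @param i           forwarded to {@code createApplyKeyRequest} (semantics defined there)
     * @param str4        unused by this implementation
     * @param str5        unused by this implementation
     * @return the returned public key plus the Base64 DER data envelope
     * @throws ServiceException on any configuration, transport, status or verification failure
     */
    public ResponseBean applyEncKey(CaInfoVO caInfoVO, BigInteger bigInteger, PublicKey publicKey, Date date, Date date2, String str, String str2, String str3, int i, String str4, String str5) {
        try {
            getKmConfigInfo(caInfoVO);
            int taskNo = TaskNoUtil.getTaskNo(bigInteger);
            this.logger.debug("向KM申请非对称密钥encSN={},userName={},url={}", bigInteger, str, this.url);
            byte[] request = getCaRequestGenerator(caInfoVO)
                    .createApplyKeyRequest(taskNo, bigInteger, publicKey, date, date2, str, str2, str3, i, this.caRequestAlgOid)
                    .getEncoded();
            HttpResponse httpResponse = postToKm(request);
            checkKmStatus(httpResponse, "向信大捷安密管系统申请密钥失败");
            return parseResponse(httpResponse.getResult(), taskNo, KmApplyTypeEnum.APPLY_KEY.value);
        } catch (Exception e) {
            throw new ServiceException("向信大捷安密管系统申请密钥失败", e);
        }
    }

    /**
     * Asks the KM to revoke the key pair bound to the given certificate serial.
     *
     * @param caInfoVO   CA whose KM configuration and signing key are used
     * @param bigInteger serial number of the encryption certificate
     * @throws ServiceException on any configuration, transport or status failure
     */
    public void revokeEncKey(CaInfoVO caInfoVO, BigInteger bigInteger) {
        try {
            getKmConfigInfo(caInfoVO);
            byte[] request = getCaRequestGenerator(caInfoVO)
                    .createRevokeKeyRequest(TaskNoUtil.getTaskNo(bigInteger), bigInteger, this.caRequestAlgOid)
                    .getEncoded();
            // Message used to say "apply" for a revoke failure; corrected to match the operation.
            checkKmStatus(postToKm(request), "向信大捷安密管系统撤销密钥失败");
        } catch (Exception e) {
            throw new ServiceException("向信大捷安密管系统撤销密钥失败", e);
        }
    }

    /**
     * Asks the KM to restore (re-deliver) the key pair bound to the given certificate serial.
     *
     * @param caInfoVO   CA whose KM configuration and signing key are used
     * @param bigInteger serial number of the encryption certificate
     * @param publicKey  applicant public key the KM wraps the restored private key to
     * @return the restored public key plus the Base64 DER data envelope
     * @throws ServiceException on any configuration, transport, status or verification failure
     */
    public ResponseBean restoreEncKey(CaInfoVO caInfoVO, BigInteger bigInteger, PublicKey publicKey) {
        try {
            getKmConfigInfo(caInfoVO);
            int taskNo = TaskNoUtil.getTaskNo(bigInteger);
            byte[] request = getCaRequestGenerator(caInfoVO)
                    .createRestoreKeyRequest(taskNo, bigInteger, publicKey, this.caRequestAlgOid)
                    .getEncoded();
            HttpResponse httpResponse = postToKm(request);
            checkKmStatus(httpResponse, "向信大捷安密管系统申请恢复密钥失败");
            return parseResponse(httpResponse.getResult(), taskNo, KmApplyTypeEnum.RESTORE_KEY.value);
        } catch (Exception e) {
            throw new ServiceException("向信大捷安密管系统恢复密钥失败", e);
        }
    }

    /**
     * Connectivity test that performs a real key application; identical to
     * {@link #applyEncKey} (the endpoint URL is logged at debug level there).
     */
    public ResponseBean testXdjaApplyEncKey(CaInfoVO caInfoVO, BigInteger bigInteger, PublicKey publicKey, Date date, Date date2, String str, String str2, String str3, int i, String str4, String str5) {
        return applyEncKey(caInfoVO, bigInteger, publicKey, date, date2, str, str2, str3, i, str4, str5);
    }

    /**
     * Key application driven by an ad-hoc config map instead of a persisted CA configuration
     * (used when a KM connection is being set up). {@code obj}, {@code obj2}, {@code str2} and
     * {@code str3} are accepted for signature compatibility but not forwarded.
     *
     * @param map config map; read keys: {@code ip}, {@code port}, {@code appSignCert},
     *            {@code kmServerSignCert}, and {@code appSignPrivate} or
     *            {@code keyIndex}/{@code priKeyPwd} depending on the crypto device type
     * @throws ServiceException on any configuration, transport, status or verification failure
     */
    public ResponseBean testApplyEncKey(Map<String, Object> map, BigInteger bigInteger, PublicKey publicKey, Date date, Date date2, String str, Object obj, Object obj2, int i, String str2, String str3) {
        try {
            int taskNo = TaskNoUtil.getTaskNo(bigInteger);
            CaRequest applyRequest = getKmTestConfigInfo(map)
                    .createApplyKeyRequest(taskNo, bigInteger, publicKey, date, date2, str, null, null, i, this.caRequestAlgOid);
            byte[] encoded = applyRequest.getEncoded();
            this.logger.debug("向KM申请非对称秘钥信息:{}", Base64.toBase64String(encoded));
            // The test config explicitly sets an octet-stream Content-Type header, so the request
            // is sent with the same content type as the production path (it used to be sent with none).
            HttpResponse httpResponse = postToKm(encoded);
            checkKmStatus(httpResponse, "向信大捷安密管系统申请密钥失败");
            return parseResponse(httpResponse.getResult(), taskNo, KmApplyTypeEnum.APPLY_KEY.value);
        } catch (Exception e) {
            throw new ServiceException("向信大捷安密管系统申请密钥失败", e);
        }
    }

    /** POSTs one DER-encoded KM request to {@link #url} and returns the raw reply. */
    private HttpResponse postToKm(byte[] body) throws Exception {
        Result result = ApacheClientHttpUtils.sendApacheClientRequest(body, null, this.url, OCTET_STREAM, null, null, false, ReqMethodEnum.POST.name);
        HttpResponse httpResponse = (HttpResponse) result.getInfo();
        this.logger.debug("调用密钥管理系统返回状态码=[{}]", httpResponse.getRespondseCode());
        return httpResponse;
    }

    /**
     * Rejects any non-200 reply. A 400 carries a JSON {@link KMError}; any other failure code is
     * reported with its raw body. Previously {@code applyEncKey} let e.g. a 500 fall through into
     * response parsing, which then failed with a misleading "parse" error.
     *
     * @throws RuntimeException when the status is not 200
     */
    private static void checkKmStatus(HttpResponse httpResponse, String failureMessage) {
        int code = httpResponse.getRespondseCode();
        if (code == HTTP_OK) {
            return;
        }
        byte[] raw = httpResponse.getResult();
        String body = raw == null ? "" : new String(raw, StandardCharsets.UTF_8);
        if (code == HTTP_BAD_REQUEST) {
            throw new RuntimeException(failureMessage + ":" + JSON.parseObject(body, KMError.class));
        }
        throw new RuntimeException(failureMessage + ":" + body);
    }

    /**
     * Loads endpoint, certificates and signing credentials from an ad-hoc config map and returns
     * the request signer built from them.
     */
    private CaRequestGenerator getKmTestConfigInfo(Map<String, Object> map) {
        prepareTransport(map.get("ip") + ":" + map.get("port"));
        this.commCert = (X509Certificate) map.get("appSignCert");
        this.kmServerCert = (X509Certificate) map.get("kmServerSignCert");
        this.caRequestAlgOid = buildCaRequestAlgOid();
        if (usesBcSoftCrypto()) {
            // Soft-crypto deployments carry the application signing private key in the map.
            PrivateKey privateKey = (PrivateKey) map.get("appSignPrivate");
            return new CaRequestGenerator(this.commCert, privateKey);
        }
        // HSM deployments reference the key by index and protect it with a password.
        return new CaRequestGenerator(this.commCert, ((Integer) map.get("keyIndex")).intValue(), (String) map.get("priKeyPwd"));
    }

    /**
     * Parses and authenticates a KM reply.
     *
     * <p>Order matters: the task number is checked, then the KM signature over the KSRespond is
     * verified with {@link #kmServerCert}; only then is the respond body read and trusted.
     *
     * @param bArr DER-encoded KMRespond as returned by the KM
     * @param i    task number the request was sent with; the reply must echo it
     * @param i2   {@link KmApplyTypeEnum} value selecting which respond member holds the key
     * @return the returned public key and the Base64 DER data envelope
     * @throws RuntimeException on task-number mismatch, unsupported or invalid signature, an
     *                          error package, an empty respond list or an unknown apply type
     */
    private ResponseBean parseResponse(byte[] bArr, int i, int i2) {
        // The former unconditional dump of the raw reply to a fixed path under /home was a debug
        // leftover and has been removed; the Base64 debug log below is sufficient for diagnosis.
        this.logger.debug("KM返回结构体：{}", Base64.toBase64String(bArr));
        try {
            KMRespond kmRespond = KMRespond.getInstance(bArr);
            KSRespond ksRespond = kmRespond.getKsRespond();
            AlgorithmIdentifier signatureAlgorithm = kmRespond.getSignatureAlgorithm();
            DEROctetString signatureValue = kmRespond.getSignatureValue();
            if (i != ksRespond.getTaskNo().getValue().intValue()) {
                throw new RuntimeException("taskNo is not match!");
            }
            String sigAlgName = GMSSLSignatureAlgorithm.convertContentSignatureAlgorithm(signatureAlgorithm.getAlgorithm()).getSigAlgName();
            if (null == sigAlgName) {
                throw new RuntimeException("the signature is not support! oid:" + signatureAlgorithm.getAlgorithm().getId());
            }
            if (!verifyKmResponse(sigAlgName, this.kmServerCert.getPublicKey(), ksRespond.getEncoded(), signatureValue.getOctets())) {
                throw new RuntimeException("km response verify sign fault!");
            }
            Iterator it = ksRespond.getRespondList().iterator();
            if (!it.hasNext()) {
                // Used to dereference a null Respond here.
                throw new RuntimeException("km response contains no respond entry");
            }
            Respond respond = Respond.getInstance(it.next());
            if (null != respond.getErrorPkgRespond()) {
                String errDesc = new String(respond.getErrorPkgRespond().getErrDesc().getOctets(), StandardCharsets.UTF_8);
                throw new RuntimeException("请求出错:" + respond.getErrorPkgRespond().getErrNo().getValue().intValue() + "," + errDesc);
            }
            RetKeyRespond retKeyRespond;
            if (KmApplyTypeEnum.APPLY_KEY.value == i2) {
                retKeyRespond = respond.getApplykeyRespond();
            } else if (KmApplyTypeEnum.RESTORE_KEY.value == i2) {
                retKeyRespond = respond.getRestorekeyRespond();
            } else {
                throw new RuntimeException("unsupported km apply type:" + i2);
            }
            if (null == retKeyRespond) {
                throw new RuntimeException("km response has no key respond for apply type:" + i2);
            }
            PublicKey retPubKey = converPublicKeyFromSubjectPublicKey(retKeyRespond.getRetPubKey(), Constants.BASE_ALG_TYPE);
            return new ResponseBean(retPubKey, Base64.toBase64String(retKeyRespond.getDataEnvelope().getDEREncoded()));
        } catch (Exception e) {
            throw new RuntimeException("解析Km返回值异常", e);
        }
    }

    /**
     * Verifies the KM's signature over {@code data} with the given public key, choosing the
     * SM2 or RSA routine by algorithm name and the BC or YunHSM backend by device type.
     * The {@code publicKey} parameter is now honoured (it used to be ignored in favour of the
     * {@code kmServerCert} field; callers pass that same key, so behaviour is unchanged).
     */
    private boolean verifyKmResponse(String sigAlgName, PublicKey publicKey, byte[] data, byte[] signature) throws Exception {
        boolean sm2 = sigAlgName.equalsIgnoreCase(SignAlgTypeEnum.SM3_WITH_SM2.algName);
        if (usesBcSoftCrypto()) {
            return sm2
                    ? GMSSLSM2SignUtils.verifyByBC(publicKey, data, signature)
                    : GMSSLRSASignUtils.verifyByBC(sigAlgName, publicKey, data, signature);
        }
        return sm2
                ? GMSSLSM2SignUtils.verifyBySdf(SdfCryptoType.YUNHSM, publicKey, data, signature)
                : GMSSLRSASignUtils.verifyByYunHsm(sigAlgName, publicKey, data, signature);
    }

    /** Builds the request signer: soft key pair under BC, HSM key index + password otherwise. */
    private CaRequestGenerator getCaRequestGenerator(CaInfoVO caInfoVO) {
        if (usesBcSoftCrypto()) {
            return new CaRequestGenerator(this.commCert, caInfoVO.getKmsoftKeyPair().getPrivate());
        }
        XdjaKmConfigBean kmConfig = caInfoVO.getXdjaKmConfigBean();
        return new CaRequestGenerator(this.commCert, kmConfig.getKeyIndex().intValue(), kmConfig.getPriKeyPwd());
    }

    /**
     * Loads the KM endpoint and the two certificate chains from the config directory and, when
     * no HSM key index/password is configured, attaches the soft signing key pair to the CA.
     *
     * @throws Exception if a certificate or key file cannot be read
     */
    private void getKmConfigInfo(CaInfoVO caInfoVO) throws Exception {
        XdjaKmConfigBean xdjaKmConfigBean = caInfoVO.getXdjaKmConfigBean();
        // Log only the endpoint fields: the bean also carries the HSM private-key password,
        // which the previous whole-object JSON dump wrote into the log.
        this.logger.info("caInfoVo km config: ip={}, port={}, keyIndex={}",
                xdjaKmConfigBean.getKmIp(), xdjaKmConfigBean.getKmPort(), xdjaKmConfigBean.getKeyIndex());
        prepareTransport(xdjaKmConfigBean.getKmIp() + ":" + xdjaKmConfigBean.getKmPort());
        this.commCert = CertUtil.getUserCertByCertChain(new File(this.configPath + "km/appSignCert.p7b"));
        this.kmServerCert = CertUtil.getUserCertByCertChain(new File(this.configPath + "km/kmServerSignCert.p7b"));
        this.caRequestAlgOid = buildCaRequestAlgOid();
        if (null == xdjaKmConfigBean.getKeyIndex() || StringUtils.isBlank(xdjaKmConfigBean.getPriKeyPwd())) {
            caInfoVO.setKmsoftKeyPair(new KeyPair(
                    CertUtil.getPublicKey(this.configPath + "km/appSignPublickey.pem"),
                    CertUtil.getPrivateKey(this.configPath + "km/appSignPrivate.key")));
        }
    }

    /** Records the KM endpoint and (re)creates the legacy HttpClient with its fixed header. */
    private void prepareTransport(String kmUrl) {
        this.url = kmUrl;
        this.logger.debug("url:{}", this.url);
        this.client = new HttpClient(this.url);
        this.header.put("Content-Type", OCTET_STREAM);
        this.client.addHead("Content-Type", OCTET_STREAM);
    }

    /** True when the deployment signs/verifies with the BouncyCastle soft provider rather than an HSM. */
    private static boolean usesBcSoftCrypto() {
        return Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_BC.intValue();
    }

    /**
     * Algorithm identifiers placed in KM requests for the configured base algorithm.
     *
     * @throws IllegalStateException for an unsupported base algorithm (used to return null,
     *                               which surfaced later as a NullPointerException)
     */
    private CaRequestAlgOid buildCaRequestAlgOid() {
        int baseAlg = Constants.BASE_ALG_TYPE.intValue();
        if (baseAlg == AlgTypeEnum.SM2.value) {
            return new CaRequestAlgOid(
                    new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1),
                    new AlgorithmIdentifier(GMObjectIdentifiers.sm2sign_with_sm3),
                    new AlgorithmIdentifier(GMObjectIdentifiers.sm2p256v1),
                    new AlgorithmIdentifier(GMObjectIdentifiers.sm2p256v1),
                    new AlgorithmIdentifier(GMObjectIdentifiers.sms4_ecb),
                    new AlgorithmIdentifier(GMObjectIdentifiers.sm3));
        }
        if (baseAlg == AlgTypeEnum.RSA.value) {
            return new CaRequestAlgOid(
                    new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1),
                    new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption),
                    new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption),
                    new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption),
                    new AlgorithmIdentifier(GMObjectIdentifiers.sms4_ecb),
                    new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
        }
        throw new IllegalStateException("unsupported base algorithm type: " + baseAlg);
    }

    /**
     * Converts the SubjectPublicKeyInfo returned by the KM into a JCA {@link PublicKey}.
     *
     * <p>For SM2 the KM may return a point shorter than 65 bytes; it is zero-padded at the end
     * to the uncompressed-point length before being handed to the EC KeyFactory (this
     * reproduces the original padding; whether the KM ever sends short points is not visible here).
     *
     * @param subjectPublicKeyInfo key info from the KM reply
     * @param num                  {@link AlgTypeEnum} value of the base algorithm
     * @throws Exception on any encoding or KeyFactory failure
     */
    private PublicKey converPublicKeyFromSubjectPublicKey(SubjectPublicKeyInfo subjectPublicKeyInfo, Integer num) throws Exception {
        if (num.intValue() == AlgTypeEnum.RSA.value) {
            byte[] der = subjectPublicKeyInfo.toASN1Primitive().getEncoded("DER");
            return KeyFactory.getInstance("RSA", "BC").generatePublic(new X509EncodedKeySpec(der));
        }
        byte[] point = subjectPublicKeyInfo.getPublicKeyData().getBytes();
        if (point.length < SM2_POINT_LENGTH) {
            // Arrays.copyOf pads the tail with zeros, matching the former manual copy.
            point = Arrays.copyOf(point, SM2_POINT_LENGTH);
        }
        byte[] der = new SubjectPublicKeyInfo(subjectPublicKeyInfo.getAlgorithm(), point).toASN1Primitive().getEncoded("DER");
        return KeyFactory.getInstance("EC", BC_PROVIDER).generatePublic(new X509EncodedKeySpec(der));
    }
}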
