package com.xdja.pki.ca.securityaudit.service.log;

import com.xdja.pki.auditlog.dao.ArchiveLogDao;
import com.xdja.pki.auditlog.dao.model.ArchiveLogDO;
import com.xdja.pki.auditlog.service.ArchiveLogService;
import com.xdja.pki.auditlog.service.bean.ArchiveLogListVO;
import com.xdja.pki.auditlog.service.bean.ArchiveLogVO;
import com.xdja.pki.auditlog.service.bean.AuditLogIsAuditEnum;
import com.xdja.pki.auditlog.service.bean.AuditLogIsVerifyEnum;
import com.xdja.pki.auditlog.service.bean.AuditLogResultEnum;
import com.xdja.pki.auditlog.service.bean.ca.AuditLogOperatorTypeEnum;
import com.xdja.pki.auth.service.AuditLogService;
import com.xdja.pki.ca.certmanager.dao.ManagerCertDataDao;
import com.xdja.pki.ca.certmanager.dao.models.ManageCertDataDO;
import com.xdja.pki.ca.core.Constants;
import com.xdja.pki.ca.core.ca.util.gm.cert.CertUtil;
import com.xdja.pki.ca.core.common.ErrorEnum;
import com.xdja.pki.ca.core.common.Result;
import com.xdja.pki.ca.core.enums.DigestAlgEnum;
import com.xdja.pki.ca.core.enums.KeyAlgEnum;
import com.xdja.pki.ca.core.enums.SignAlgTypeEnum;
import com.xdja.pki.ca.core.pkcs7.SignedDataInfo;
import com.xdja.pki.ca.core.pkcs7.SignedDataUtil;
import com.xdja.pki.ca.core.vo.CaInfoVO;
import com.xdja.pki.ca.hsm.manager.HsmManager;
import com.xdja.pki.ca.securitymanager.dao.CaServerCertDao;
import com.xdja.pki.core.bean.CoreResult;
import com.xdja.pki.core.bean.ErrorBean;
import com.xdja.pki.core.bean.PageInfo;
import com.xdja.pki.gmssl.core.utils.GMSSLBCSignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLRSASignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2SignUtils;
import com.xdja.pki.gmssl.x509.utils.bean.GMSSLSignatureAlgorithm;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

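@Service
/* loaded from: input_file:WEB-INF/lib/ca-service-securityaudit-impl-2.0.0-SNAPSHOT.jar:com/xdja/pki/ca/securityaudit/service/log/ArchiveLogServiceImpl.class */
/**
 * Read-side service for archived audit-log entries: lists them, loads one by id and
 * re-verifies the two signatures stored on each entry.
 *
 * Every entry carries a PKCS#7 signature made by the operator (or, once audited, by the
 * auditor) and a detached server signature over the entry's canonical encoding. Verification
 * checks both, in that order, and reports the first failure.
 *
 * NOTE(review): this is a decompiled listing; the parameter names of the interface methods
 * were not recoverable, so the {@code num}/{@code str} style names below are placeholders.
 */
public class ArchiveLogServiceImpl implements ArchiveLogService {

    /**
     * {@code isAudit} value for which the audit fields (subject, sn, note, time, client ip)
     * are exposed on the VO and the auditor's signature is the one verified.
     */
    private static final int IS_AUDIT_AUDITED = 2;

    /**
     * {@code isAudit} value for which the operator's own PKCS#7 signature is verified instead
     * of the auditor's. Presumably "not yet audited" — the enum itself is not visible here.
     */
    private static final int IS_AUDIT_OPERATOR_ONLY = 1;

    /** Value of the verify flag on {@link #getArchiveLogbyId} that triggers a live re-verification. */
    private static final int VERIFY_ON_READ = 1;

    /** Pattern used for every timestamp rendered into the VOs. */
    private static final String TIME_PATTERN = "yyyy-MM-dd HH:mm:ss";

    private static final String SHA256_WITH_RSA = GMSSLSignatureAlgorithm.SHA256_WITH_RSA.getSigAlgName();

    @Resource
    private ArchiveLogDao archiveLogDao;

    @Resource
    private CaServerCertDao caServerCertDao;

    @Resource
    private ManagerCertDataDao managerCertDataDao;

    @Resource
    private AuditLogService auditLogService;

    @Resource
    private HsmManager hsmManager;

    private final Logger logger = LoggerFactory.getLogger(getClass());

    /** HSM enum values for one (signature-algorithm OID, digest OID) pair found in a SignerInfo. */
    private static final class SignAlg {
        final int keyAlg;
        final int digestAlg;

        SignAlg(int keyAlg, int digestAlg) {
            this.keyAlg = keyAlg;
            this.digestAlg = digestAlg;
        }
    }

    /**
     * Lists archived entries as list VOs.
     *
     * @param num  first DAO filter/paging argument (meaning not recoverable from this listing)
     * @param num2 second DAO argument
     * @param num3 third DAO argument
     * @param str  fourth DAO argument
     * @param str2 fifth DAO argument
     * @param z    when true the DAO returns a plain {@code List} and so does this method;
     *             otherwise the DAO returns a {@link PageInfo} whose rows are mapped in place
     * @return a {@code List<ArchiveLogListVO>} or a {@link PageInfo} of them, as described above
     */
    @Override // com.xdja.pki.auditlog.service.ArchiveLogService
    @SuppressWarnings("unchecked")
    public Object listArchiveLogs(Integer num, Integer num2, Integer num3, String str, String str2, boolean z) {
        Object rows = archiveLogDao.listArchiveLog(num, num2, num3, str, str2, z);
        if (z) {
            return generateListVO((List<ArchiveLogDO>) rows);
        }
        PageInfo page = (PageInfo) rows;
        page.setDatas(generateListVO((List<ArchiveLogDO>) page.getDatas()));
        return page;
    }

    /**
     * Maps DAO rows to list VOs (summary fields only; no signatures or audit detail).
     *
     * @param rows entries to map; an empty list yields an empty list
     * @return one {@link ArchiveLogListVO} per input row, in the same order
     */
    private List<ArchiveLogListVO> generateListVO(List<ArchiveLogDO> rows) {
        List<ArchiveLogListVO> out = new ArrayList<ArchiveLogListVO>(rows.size());
        for (ArchiveLogDO row : rows) {
            ArchiveLogListVO vo = new ArchiveLogListVO();
            vo.setId(row.getId());
            vo.setOperatorSubject(row.getOperatorSubject());
            vo.setOperatorType(row.getOperatorType());
            vo.setOperatorTypeString(AuditLogOperatorTypeEnum.getDescFromType(row.getOperatorType()));
            vo.setOperateClientIp(row.getOperateClientIp());
            vo.setOperateTime(formatTime(row.getOperateTime()));
            vo.setOperateResult(row.getOperateResult());
            vo.setOperateResultString(AuditLogResultEnum.getValueFromId(row.getOperateResult().intValue()));
            vo.setIsAudit(row.getIsAudit());
            vo.setIsAuditString(AuditLogIsAuditEnum.getValueFromId(row.getIsAudit().intValue()));
            vo.setArchiveTime(formatTime(row.getArchiveTime()));
            out.add(vo);
        }
        return out;
    }

    /**
     * Loads one archived entry as a detail VO, optionally re-verifying its signatures.
     *
     * @param id     archive-log id
     * @param verify when equal to {@link #VERIFY_ON_READ} the stored signatures are verified
     *               now and the live outcome replaces the persisted {@code isVerify} string;
     *               null or any other value leaves the persisted value
     * @return {@code CoreResult.success(ArchiveLogVO)}, or a failure {@link CoreResult} with
     *         {@code LOG_NOT_EXIST_OR_ARCHIVED} when the row is missing or any step throws
     */
    @Override // com.xdja.pki.auditlog.service.ArchiveLogService
    public Object getArchiveLogbyId(int id, Integer verify) {
        try {
            ArchiveLogDO entry = archiveLogDao.get(id);
            if (entry == null) {
                return logNotFoundResult();
            }
            ArchiveLogVO vo = toDetailVO(entry);
            if (verify != null && verify.intValue() == VERIFY_ON_READ) {
                logger.info("get archive log info with verify!");
                // the live result deliberately overrides whatever isVerify was persisted with
                vo.setIsVerifyString(AuditLogIsVerifyEnum.getInstance(verifySignatures(entry).isSuccess()).value);
            }
            return CoreResult.success(vo);
        } catch (Exception e) {
            logger.error("获取操作日志实例异常", (Throwable) e);
            return logNotFoundResult();
        }
    }

    /**
     * Copies an entry into its detail VO. Audit fields are only exposed once the entry has
     * been audited ({@code isAudit == IS_AUDIT_AUDITED}); the persisted verify state is only
     * copied when present.
     */
    private ArchiveLogVO toDetailVO(ArchiveLogDO entry) {
        ArchiveLogVO vo = new ArchiveLogVO();
        vo.setId(entry.getId());
        vo.setOperatorSubject(entry.getOperatorSubject());
        vo.setOperatorSn(entry.getOperatorSn());
        vo.setOperatorType(entry.getOperatorType());
        vo.setOperatorTypeString(AuditLogOperatorTypeEnum.getDescFromType(entry.getOperatorType()));
        vo.setOperateClientIp(entry.getOperateClientIp());
        vo.setOperateContent(entry.getOperateContent());
        vo.setOperateResult(entry.getOperateResult());
        vo.setOperateTime(formatTime(entry.getOperateTime()));
        vo.setOperateResultString(AuditLogResultEnum.getValueFromId(entry.getOperateResult().intValue()));
        vo.setOperateModifyDetail(entry.getOperateModifyDetail());
        vo.setOperateSign(entry.getOperateSign());
        vo.setIsAudit(entry.getIsAudit());
        vo.setIsAuditString(AuditLogIsAuditEnum.getValueFromId(entry.getIsAudit().intValue()));
        if (entry.getIsVerify() != null) {
            vo.setIsVerify(entry.getIsVerify());
            vo.setIsVerifyString(AuditLogIsVerifyEnum.getValueFromId(entry.getIsVerify().intValue()));
        }
        if (entry.getIsAudit().intValue() == IS_AUDIT_AUDITED) {
            vo.setAuditSubject(entry.getAuditSubject());
            vo.setAuditSn(entry.getAuditSn());
            vo.setAuditNote(entry.getAuditNote());
            vo.setAuditTime(formatTime(entry.getAuditTime()));
            vo.setAuditClientIp(entry.getAuditClientIp());
        }
        vo.setArchiveTime(formatTime(entry.getArchiveTime()));
        return vo;
    }

    /**
     * Verifies the signatures on one archived entry and reports the outcome as a CoreResult.
     *
     * @param id archive-log id
     * @return the verification {@link Result} repackaged (code, info, and the ErrorEnum as an
     *         {@link ErrorBean} when present); {@code LOG_NOT_EXIST_OR_ARCHIVED} when the row
     *         is missing or lookup throws
     */
    @Override // com.xdja.pki.auditlog.service.ArchiveLogService
    public CoreResult verifyArchiveLog(int id) {
        try {
            ArchiveLogDO entry = archiveLogDao.get(id);
            if (entry == null) {
                return logNotFoundResult();
            }
            Result outcome = verifySignatures(entry);
            ErrorEnum error = outcome.getError();
            ErrorBean errorBean = error == null ? new ErrorBean() : new ErrorBean(error.getCode(), error.getDesc());
            return new CoreResult(outcome.getCode(), outcome.getInfo(), errorBean);
        } catch (Exception e) {
            logger.error("获取操作日志实例异常", (Throwable) e);
            return logNotFoundResult();
        }
    }

    /** Failure result shared by the lookups above: row missing, or anything threw while loading it. */
    private static CoreResult logNotFoundResult() {
        return new CoreResult(-1, null, new ErrorBean(ErrorEnum.LOG_NOT_EXIST_OR_ARCHIVED.getCode(),
                ErrorEnum.LOG_NOT_EXIST_OR_ARCHIVED.getDesc()));
    }

    /**
     * Picks which signature chain applies to an entry: the operator's while it is still
     * un-audited, the auditor's once an audit record exists.
     */
    private Result verifySignatures(ArchiveLogDO entry) {
        return entry.getIsAudit().intValue() == IS_AUDIT_OPERATOR_ONLY
                ? verifyOperateSign(entry)
                : verifyAuditOperateSign(entry);
    }

    /**
     * Verifies an un-audited entry: the operator's PKCS#7 signature against the operator's
     * stored certificate, then the server signature over {@code operatorBase64Encode()}.
     *
     * @return {@code Result.success()}, or the first failure in this order:
     *         CERT_DATA_NOT_EXIST / CERT_FORMAT_ERROE (operator certificate),
     *         VERIFY_ADMIN_OPERATOR_SIGN_FAIL (PKCS#7), then the server-signature failures
     */
    private Result verifyOperateSign(ArchiveLogDO entry) {
        logger.info("verify:{}", entry);
        ManageCertDataDO certData = managerCertDataDao.queryManagerCertDataById(entry.getOperatorCertId());
        if (certData == null) {
            return Result.failure(ErrorEnum.CERT_DATA_NOT_EXIST);
        }
        X509Certificate operatorCert = parseCert(certData);
        if (operatorCert == null) {
            return Result.failure(ErrorEnum.CERT_FORMAT_ERROE);
        }
        SignedDataInfo signed;
        try {
            signed = SignedDataUtil.resolve(entry.getOperateSign());
        } catch (Exception e) {
            // previously swallowed without a trace; a malformed blob is worth seeing in the log
            logger.error("resolve operate sign error", (Throwable) e);
            return Result.failure(ErrorEnum.VERIFY_ADMIN_OPERATOR_SIGN_FAIL);
        }
        Result signer = verifySignerInfo(operatorCert, signed);
        if (!signer.isSuccess()) {
            return signer;
        }
        return verifyServerSign(entry, entry.operatorBase64Encode());
    }

    /**
     * Verifies an audited entry: the auditor's PKCS#7 signature against the auditor's stored
     * certificate, then the server signature over {@code operatorWithAuditInfoBase64Encode()}.
     *
     * @return as {@link #verifyOperateSign}; note the PKCS#7 failure is still reported as
     *         VERIFY_ADMIN_OPERATOR_SIGN_FAIL because no audit-specific code is visible here
     */
    private Result verifyAuditOperateSign(ArchiveLogDO entry) {
        logger.info("verify:{}", entry);
        ManageCertDataDO certData = managerCertDataDao.queryManagerCertDataById(entry.getAuditCertId());
        if (certData == null) {
            return Result.failure(ErrorEnum.CERT_DATA_NOT_EXIST);
        }
        X509Certificate auditCert = parseCert(certData);
        if (auditCert == null) {
            return Result.failure(ErrorEnum.CERT_FORMAT_ERROE);
        }
        SignedDataInfo signed;
        try {
            signed = SignedDataUtil.resolve(entry.getAuditSign());
        } catch (Exception e) {
            logger.error("resolve audit sign error", (Throwable) e);
            return Result.failure(ErrorEnum.VERIFY_ADMIN_OPERATOR_SIGN_FAIL);
        }
        Result signer = verifySignerInfo(auditCert, signed);
        if (!signer.isSuccess()) {
            return signer;
        }
        return verifyServerSign(entry, entry.operatorWithAuditInfoBase64Encode());
    }

    /**
     * Parses the certificate text stored on a manager-cert row.
     *
     * @return the certificate, or null when {@code CertUtil} cannot parse the stored data
     */
    private X509Certificate parseCert(ManageCertDataDO certData) {
        logger.info("证书：{}", certData.getData());
        return CertUtil.getCertFromStr(certData.getData());
    }

    /**
     * Verifies a resolved PKCS#7 SignerInfo against the given signer certificate through the HSM.
     *
     * The algorithm OIDs are read from the stored blob, i.e. from data the verifier does not
     * control, so before trusting them they are required to agree with the key type of the
     * certificate we are about to verify with (RSA OIDs with an RSA key, EC/SM2 OIDs with a
     * non-RSA key). Without that guard an RSA signature over an EC certificate, or vice versa,
     * would be handed to the HSM with a mismatched key.
     *
     * @return {@code Result.success()}, or VERIFY_ADMIN_OPERATOR_SIGN_FAIL when the pair of
     *         OIDs is unsupported, inconsistent with the key, or the HSM rejects the signature
     */
    private Result verifySignerInfo(X509Certificate signerCert, SignedDataInfo signed) {
        try {
            if (signed == null) {
                logger.error("resolved signed data is null");
                return Result.failure(ErrorEnum.VERIFY_ADMIN_OPERATOR_SIGN_FAIL);
            }
            String signAlgOId = signed.getSignAlgOId();
            String digestAlgOId = signed.getDigestAlgOId();
            SignAlg alg = resolveSignAlg(signAlgOId, digestAlgOId);
            if (alg == null) {
                logger.error("不支持的 signAlgOId {} digestAlgOId {}", signAlgOId, digestAlgOId);
                return Result.failure(ErrorEnum.VERIFY_ADMIN_OPERATOR_SIGN_FAIL);
            }
            String certKeyAlg = signerCert.getPublicKey().getAlgorithm();
            boolean certIsRsa = "RSA".equalsIgnoreCase(certKeyAlg);
            boolean declaredRsa = alg.keyAlg == KeyAlgEnum.RSA.getValue();
            if (certIsRsa != declaredRsa) {
                logger.error("signer cert key algorithm {} does not match declared signAlgOId {}", certKeyAlg, signAlgOId);
                return Result.failure(ErrorEnum.VERIFY_ADMIN_OPERATOR_SIGN_FAIL);
            }
            boolean ok = hsmManager.verifySign(alg.keyAlg, alg.digestAlg, signerCert.getPublicKey(),
                    signed.getContent(), signed.getSignData());
            return ok ? Result.success() : Result.failure(ErrorEnum.VERIFY_ADMIN_OPERATOR_SIGN_FAIL);
        } catch (Exception e) {
            logger.error("verify signer info error", (Throwable) e);
            return Result.failure(ErrorEnum.VERIFY_ADMIN_OPERATOR_SIGN_FAIL);
        }
    }

    /**
     * Maps the (signature-algorithm OID, digest OID) pair of a SignerInfo onto the HSM's
     * {@link KeyAlgEnum}/{@link DigestAlgEnum} values.
     *
     * Accepted pairs: SM2/SM3, RSA/SHA-256, RSA/SHA-1 and prime256v1/SHA-256. Note that the
     * "signature algorithm" OIDs compared here are key-algorithm OIDs (rsaEncryption, the SM2
     * and P-256 curve identifiers), which is how {@code SignedDataUtil} evidently reports them.
     *
     * @return the mapped pair, or null when either OID is null or the pair is not supported
     */
    private SignAlg resolveSignAlg(String signAlgOId, String digestAlgOId) {
        if (signAlgOId == null || digestAlgOId == null) {
            return null;
        }
        boolean sha256 = NISTObjectIdentifiers.id_sha256.getId().equalsIgnoreCase(digestAlgOId);
        if (GMObjectIdentifiers.sm2sign.getId().equalsIgnoreCase(signAlgOId)) {
            return GMObjectIdentifiers.sm3.getId().equalsIgnoreCase(digestAlgOId)
                    ? new SignAlg(KeyAlgEnum.SM2.getValue(), DigestAlgEnum.SM3.getValue())
                    : null;
        }
        if (PKCSObjectIdentifiers.rsaEncryption.getId().equalsIgnoreCase(signAlgOId)) {
            if (sha256) {
                return new SignAlg(KeyAlgEnum.RSA.getValue(), DigestAlgEnum.SHA256.getValue());
            }
            if (OIWObjectIdentifiers.idSHA1.getId().equalsIgnoreCase(digestAlgOId)) {
                // SHA-1 is collision-broken; it is still accepted so that legacy archived entries
                // remain verifiable, but each use is logged so the remaining population can be tracked.
                logger.warn("accepting legacy RSA/SHA-1 signature on archived log entry");
                return new SignAlg(KeyAlgEnum.RSA.getValue(), DigestAlgEnum.SHA1.getValue());
            }
            return null;
        }
        if (X9ObjectIdentifiers.prime256v1.getId().equalsIgnoreCase(signAlgOId) && sha256) {
            return new SignAlg(KeyAlgEnum.NIST.getValue(), DigestAlgEnum.SHA256.getValue());
        }
        return null;
    }

    /**
     * Verifies the server's detached signature on an entry.
     *
     * The algorithm is chosen from the admin CA's configured key algorithm
     * ({@code Constants.CA_INFO} / {@code ADMIN_CA_ID}), not from the entry, so the stored
     * record cannot steer this choice; the server certificate is assumed to use that same
     * algorithm. SM2 goes through the XDJA HSM when that is the configured crypto device and
     * through BouncyCastle otherwise.
     *
     * @param entry   the archived entry; supplies the server cert id and the server signature
     * @param payload the canonical text the server signed
     * @return {@code Result.success()}, CERT_DATA_NOT_EXIST / CERT_FORMAT_ERROE for an unusable
     *         server certificate, otherwise VERIFY_SERVER_CERT_SIGN_FAIL (including when the
     *         configured algorithm is unknown or verification throws)
     */
    private Result verifyServerSign(ArchiveLogDO entry, String payload) {
        try {
            ManageCertDataDO serverCertData = managerCertDataDao.queryManagerCertDataById(entry.getServerCertId());
            if (serverCertData == null) {
                return Result.failure(ErrorEnum.CERT_DATA_NOT_EXIST);
            }
            X509Certificate serverCert = parseCert(serverCertData);
            if (serverCert == null) {
                // previously a null here was dereferenced and surfaced as a signature failure
                return Result.failure(ErrorEnum.CERT_FORMAT_ERROE);
            }
            CaInfoVO adminCa = (CaInfoVO) Constants.CA_INFO.get(Constants.ADMIN_CA_ID);
            if (adminCa == null || adminCa.getKeyAlg() == null) {
                logger.error("admin CA info unavailable, cannot select server sign algorithm");
                return Result.failure(ErrorEnum.VERIFY_SERVER_CERT_SIGN_FAIL);
            }
            int keyAlg = adminCa.getKeyAlg().intValue();
            boolean verified;
            if (keyAlg == KeyAlgEnum.SM2.getValue()) {
                boolean useHsm = Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_XDJA_HSM.intValue();
                verified = useHsm
                        ? GMSSLSM2SignUtils.verifyByYunhsm(serverCert.getPublicKey(), payload, entry.getServerSign())
                        : GMSSLSM2SignUtils.verifyByBC(serverCert.getPublicKey(), payload, entry.getServerSign());
            } else if (keyAlg == KeyAlgEnum.RSA.getValue()) {
                verified = GMSSLRSASignUtils.verifyByBC(SHA256_WITH_RSA, serverCert.getPublicKey(), payload, entry.getServerSign());
            } else if (keyAlg == KeyAlgEnum.NIST.getValue()) {
                // NOTE(review): platform-default charset, kept to match whatever the signer used;
                // harmless as long as the payload really is Base64 (ASCII) text as its name suggests.
                verified = GMSSLBCSignUtils.verifySignature(SignAlgTypeEnum.SHA256_WITH_ECDSA.getAlgName(),
                        serverCert.getPublicKey(), payload.getBytes(), Base64.decode(entry.getServerSign()));
            } else {
                // the original message lacked a placeholder, so the offending value was never printed
                logger.error("verify audit unknown Constants.BASE_ALG_TYPE {}", adminCa.getKeyAlg());
                verified = false;
            }
            return verified ? Result.success() : Result.failure(ErrorEnum.VERIFY_SERVER_CERT_SIGN_FAIL);
        } catch (Exception e) {
            logger.error("verify audit error", (Throwable) e);
            return Result.failure(ErrorEnum.VERIFY_SERVER_CERT_SIGN_FAIL);
        }
    }

    /**
     * Formats a timestamp with {@link #TIME_PATTERN}.
     *
     * A fresh formatter is built per call on purpose: this bean is a Spring singleton and the
     * original shared a single {@code SimpleDateFormat} field across concurrent requests, which
     * is not thread-safe and can silently produce garbled dates. The parameter is {@code Object}
     * because the DO's time getters have a type not visible in this listing (Date-like).
     *
     * @throws IllegalArgumentException if the value is neither a Date nor a Number
     * @throws NullPointerException     if the value is null (same as before)
     */
    private static String formatTime(Object time) {
        return new SimpleDateFormat(TIME_PATTERN).format(time);
    }
}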
