package com.xdja.pki.gmssl.hsm.init;

import com.xdja.pki.gmssl.crypto.init.GMSSLHSMConstants;
import com.xdja.pki.gmssl.crypto.init.GMSSLPkiCryptoInit;
import com.xdja.pki.gmssl.http.GMSSLHttpsClient;
import com.xdja.pki.gmssl.http.bean.GMSSLHttpRequest;
import com.xdja.pki.gmssl.http.bean.GMSSLHttpResponse;
import com.xdja.pki.gmssl.http.bean.GMSSLHttpsClientConfig;
import com.xdja.pki.gmssl.keystore.utils.GMSSLKeyStoreUtils;
import com.xdja.pki.gmssl.sdf.yunhsm.utils.GMSSLYunHsmUtils;
import com.xdja.pki.gmssl.x509.utils.bean.YunHsmExceptionEnum;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/gmssl-hsm-init-2.0.2-SNAPSHOT.jar:com/xdja/pki/gmssl/hsm/init/GMSSLHSMInit.class */
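/**
 * Bootstraps the connection to the HSM server and installs the HSM client keystore.
 *
 * <p>The flow is: build a {@link GMSSLHSMConfig} from caller-supplied PKCS#12 sign/enc material,
 * verify that the supplied passwords open that material, download the client keystore from the
 * HSM server over HTTPS (caching it under {@code GMSSLHSMConstants.HSM_KEYSTORE_PATH}), and hand
 * the keystore to {@link GMSSLPkiCryptoInit#setHsmKeyStore(KeyStore)}.
 *
 * <p>All methods are static and stateless; thread-safety of the underlying config/keystore
 * utilities is not established here.
 */
public class GMSSLHSMInit {
    private static final Logger logger = LoggerFactory.getLogger(GMSSLHSMInit.class);

    /** Keystore type of the caller-supplied sign and enc material. */
    private static final String PFX_KEYSTORE_TYPE = "PKCS12";
    /** Keystore type of the client keystore returned by the HSM server and cached on disk. */
    private static final String HSM_KEYSTORE_TYPE = "BKS";
    /** Type recorded for the trust material passed to the config. */
    private static final String TRUST_KEYSTORE_TYPE = "PKCS7";
    /** JCA provider name used for every keystore operation in this class. */
    private static final String PROVIDER = "BC";
    /** Password the trust material is recorded with (the config is always given an empty one). */
    private static final String TRUST_KEYSTORE_PASSWORD = "";
    /**
     * Fixed password that protects the client keystore handed to the HTTPS client, the keystore
     * parsed from the server response, and the copy cached under HSM_KEYSTORE_PATH.
     * NOTE(review): because this value is a compile-time constant, the confidentiality of the
     * cached keystore rests entirely on file-system permissions of HSM_KEYSTORE_PATH. It is kept
     * as-is only to stay compatible with keystores already written by earlier builds.
     */
    private static final String DEFAULT_KEYSTORE_PASSWORD = "xdja1234";
    /** Only status the HSM server keystore download is accepted with. */
    private static final int HTTP_OK = 200;

    /**
     * Reports whether HSM support is switched on, which this class defines as the existence of
     * {@code GMSSLHSMConstants.CONFIG_PATH_FILE}.
     *
     * @return {@code true} if the config path file exists
     */
    public static boolean isHSMOpen() {
        boolean open = GMSSLHSMConstants.CONFIG_PATH_FILE.exists();
        logger.debug("hsm open {}", open);
        return open;
    }

    /**
     * Reports whether the saved HSM config file ({@code GMSSLHSMConstants.CONFIG_FILE}) exists.
     *
     * @return {@code true} if the config file exists
     */
    public static boolean isConfigFileExist() {
        boolean exists = GMSSLHSMConstants.CONFIG_FILE.exists();
        // Message corrected: the previous text reported this as "hsm open", which is isHSMOpen().
        logger.debug("hsm config file exists {}", exists);
        return exists;
    }

    /**
     * Builds, verifies and persists the HSM config, and installs the HSM client keystore.
     *
     * <p>On success the config is saved via {@link GMSSLHSMConfig#saveConfig()} and the keystore
     * (from the server, or the local cache as fallback) is set on {@link GMSSLPkiCryptoInit}.
     * Note that {@link #getKeystore(GMSSLHSMConfig)} terminates the JVM when neither source yields
     * a keystore, so in that case this method never returns and the config is not saved.
     *
     * @param str          HSM server ip
     * @param str2         HSM server port
     * @param str3         password of the sign PKCS#12
     * @param str4         password of the enc PKCS#12
     * @param inputStream  sign PKCS#12 bytes
     * @param inputStream2 enc PKCS#12 bytes
     * @param inputStream3 trust material bytes
     * @return {@code NORMAL} on success; the verification failure code when the passwords or
     *         key usages are rejected; {@code CONNECT_HSM_ERROR} when HSM support is off or any
     *         exception occurs
     */
    public static YunHsmExceptionEnum initConfigFile(String str, String str2, String str3, String str4, InputStream inputStream, InputStream inputStream2, InputStream inputStream3) {
        if (!isHSMOpen()) {
            return YunHsmExceptionEnum.CONNECT_HSM_ERROR;
        }
        try {
            GMSSLHSMConfig config = generateConfig(str, str2, str3, str4, inputStream, inputStream2, inputStream3);
            YunHsmExceptionEnum verdict = verifyConfig(config);
            if (verdict != YunHsmExceptionEnum.NORMAL) {
                return verdict;
            }
            getKeystore(config);
            config.saveConfig();
            return YunHsmExceptionEnum.NORMAL;
        } catch (Exception e) {
            // Boundary method: every failure collapses to CONNECT_HSM_ERROR, details go to the log.
            logger.error("init hsm connection error!", e);
            return YunHsmExceptionEnum.CONNECT_HSM_ERROR;
        }
    }

    /**
     * Re-fetches and installs the HSM client keystore using the previously saved config.
     * Does nothing when HSM support is off or no config file has been saved yet.
     *
     * @throws Exception if the config cannot be parsed or the keystore cannot be obtained
     */
    public static void updateKeyFile() throws Exception {
        if (!isHSMOpen() || !isConfigFileExist()) {
            return;
        }
        getKeystore(GMSSLHSMConfig.parseConfig(GMSSLHSMConstants.CONFIG_FILE_PATH));
    }

    /**
     * Verifies the supplied material and checks that the HSM server can be reached with it.
     * Nothing is saved to disk by this method.
     *
     * @param str          HSM server ip
     * @param str2         HSM server port
     * @param str3         password of the sign PKCS#12
     * @param str4         password of the enc PKCS#12
     * @param inputStream  sign PKCS#12 bytes
     * @param inputStream2 enc PKCS#12 bytes
     * @param inputStream3 trust material bytes
     * @return {@code NORMAL} when the server returned a keystore; the verification failure code
     *         when the material is rejected; {@code CONNECT_HSM_ERROR} otherwise
     */
    public static YunHsmExceptionEnum testHSMConnect(String str, String str2, String str3, String str4, InputStream inputStream, InputStream inputStream2, InputStream inputStream3) {
        if (!isHSMOpen()) {
            return YunHsmExceptionEnum.CONNECT_HSM_ERROR;
        }
        try {
            GMSSLHSMConfig config = generateConfig(str, str2, str3, str4, inputStream, inputStream2, inputStream3);
            YunHsmExceptionEnum verdict = verifyConfig(config);
            if (verdict != YunHsmExceptionEnum.NORMAL) {
                return verdict;
            }
            boolean connected = getKeystoreFromServer(config, false) != null;
            logger.debug("test connect config={}, isConnect={}", config, connected);
            return connected ? YunHsmExceptionEnum.NORMAL : YunHsmExceptionEnum.CONNECT_HSM_ERROR;
        } catch (Exception e) {
            logger.error("test hsm connection error!", e);
            return YunHsmExceptionEnum.CONNECT_HSM_ERROR;
        }
    }

    /**
     * Checks that the HSM server can be reached with the previously saved config.
     * Nothing is saved to disk by this method.
     *
     * @return {@code true} when the server returned a keystore; {@code false} when HSM support is
     *         off or the download failed
     * @throws Exception if the config cannot be parsed or the request fails
     */
    public static boolean testHSMConnect() throws Exception {
        if (!isHSMOpen()) {
            return false;
        }
        GMSSLHSMConfig config = GMSSLHSMConfig.parseConfig(GMSSLHSMConstants.CONFIG_FILE_PATH);
        boolean connected = getKeystoreFromServer(config, false) != null;
        logger.debug("test connect config={}, isConnect={}", config, connected);
        return connected;
    }

    /**
     * Assembles a {@link GMSSLHSMConfig} from the caller-supplied values and this class's fixed
     * types, provider and passwords.
     *
     * @throws IOException if a config setter fails (the setters are declared elsewhere; their
     *                     exact contract is not visible here)
     */
    private static GMSSLHSMConfig generateConfig(String ip, String port, String signPassword, String encPassword, InputStream signStream, InputStream encStream, InputStream trustStream) throws IOException {
        GMSSLHSMConfig config = new GMSSLHSMConfig();
        config.setIp(ip);
        config.setPort(port);

        config.setSignStream(signStream);
        config.setSignType(PFX_KEYSTORE_TYPE);
        config.setSignProvider(PROVIDER);
        config.setSignPassword(signPassword);

        config.setEncStream(encStream);
        config.setEncType(PFX_KEYSTORE_TYPE);
        config.setEncProvider(PROVIDER);
        config.setEncPassword(encPassword);

        config.setTrustStream(trustStream);
        config.setTrustType(TRUST_KEYSTORE_TYPE);
        config.setTrustProvider(PROVIDER);
        config.setTrustPassword(TRUST_KEYSTORE_PASSWORD);

        config.setKeyStorePassword(DEFAULT_KEYSTORE_PASSWORD);

        logger.debug("generate gmssl hsm config {}", config);
        return config;
    }

    /**
     * Obtains the HSM client keystore — first from the server (caching it on disk), then from
     * the local cache — and installs it on {@link GMSSLPkiCryptoInit}.
     *
     * <p>If neither source yields a keystore the JVM is terminated with exit code -1.
     *
     * @throws Exception if the server request or the local read fails
     */
    private static void getKeystore(GMSSLHSMConfig config) throws Exception {
        KeyStore keyStore = getKeystoreFromServer(config, true);
        logger.debug("get gmssl hsm keystore from server keystore isNull {}", keyStore == null);
        if (keyStore == null) {
            keyStore = getKeystoreFromFile();
            logger.debug("get gmssl hsm keystore from config keystore isNull {}", keyStore == null);
        }
        if (keyStore == null) {
            logger.error("Fail to get keyStore from HSM-SERVER and Can`t find local file. \nNow will be exit.\nYou can You can manually place files under {} and restart application", GMSSLHSMConstants.HSM_KEYSTORE_PATH);
            // NOTE(review): exiting the JVM from a library method is preserved for compatibility;
            // callers that catch Exception (initConfigFile) never see this condition as a return.
            System.exit(-1);
            return;
        }
        GMSSLPkiCryptoInit.setHsmKeyStore(keyStore);
        logger.debug("set gmssl hsm keystore success");
    }

    /**
     * Downloads the HSM client keystore from the HSM server.
     *
     * <p>The HTTPS client is configured with the config's trust keystore (recorded as
     * {@code BKS} here although the config's trust type is {@code PKCS7} — presumably converted by
     * {@code getTrustKeyStore()}; not verifiable from this class) and the config's keystore as
     * client keystore, which is the usual shape for client-certificate authentication.
     *
     * @param config     connection parameters and keystores
     * @param saveToFile when {@code true}, the downloaded keystore is also written to
     *                   {@code GMSSLHSMConstants.HSM_KEYSTORE_PATH}
     * @return the parsed keystore, or {@code null} if the server did not answer with 200 and a body
     * @throws Exception if the request or keystore parsing fails
     */
    private static KeyStore getKeystoreFromServer(GMSSLHSMConfig config, boolean saveToFile) throws Exception {
        GMSSLHttpsClientConfig clientConfig = new GMSSLHttpsClientConfig();
        clientConfig.setTrustStore(config.getTrustKeyStore());
        clientConfig.setTrustStorePassword(config.getTrustPassword());
        clientConfig.setTrustStoreType(HSM_KEYSTORE_TYPE);
        clientConfig.setSslProtocol(GMSSLHSMConstants.SSL_PROTOCOL);
        clientConfig.setClientKeyStoreType(HSM_KEYSTORE_TYPE);
        clientConfig.setSslEnabled(true);
        clientConfig.setClientKeyStore(config.getKeyStore());
        clientConfig.setClientKeyStorePassword(DEFAULT_KEYSTORE_PASSWORD);

        GMSSLHttpRequest request = new GMSSLHttpRequest();
        request.setUrl(buildServerUrl(config));
        GMSSLHttpResponse response = new GMSSLHttpsClient(clientConfig).get(request);

        int statusCode = response.getStatusCode();
        byte[] body = response.getBody();
        logger.debug("get gmssl hsm keystore from server response statusCode={},  statusMessage={}", statusCode, response.getStatusMessage());
        if (statusCode != HTTP_OK || body == null) {
            logger.error("get hsm server keyStore error, now use local keyStore! statusCode={}, body isNull={}", statusCode, body == null);
            return null;
        }

        KeyStore keyStore = GMSSLKeyStoreUtils.readKeyStoreFromBytes(DEFAULT_KEYSTORE_PASSWORD.toCharArray(), HSM_KEYSTORE_TYPE, body);
        if (saveToFile) {
            GMSSLKeyStoreUtils.saveGMSSLKeyStoreFullName(keyStore, DEFAULT_KEYSTORE_PASSWORD, GMSSLHSMConstants.HSM_KEYSTORE_PATH);
        }
        return keyStore;
    }

    /**
     * Substitutes the config's ip and port into {@code GMSSLHSMConstants.HSM_SERVER_URI}.
     * The ip/port are used verbatim; no validation is performed here.
     */
    private static String buildServerUrl(GMSSLHSMConfig config) {
        return GMSSLHSMConstants.HSM_SERVER_URI
                .replace(GMSSLHSMConstants.HSM_SERVER_IP_HOLDER, config.getIp())
                .replace(GMSSLHSMConstants.HSM_SERVER_PORT_HOLDER, config.getPort());
    }

    /**
     * Reads the locally cached HSM client keystore.
     *
     * @return the keystore, or {@code null} if {@code GMSSLHSMConstants.HSM_KEYSTORE_FILE} is absent
     * @throws Exception if the file exists but cannot be read as a keystore
     */
    private static KeyStore getKeystoreFromFile() throws Exception {
        if (!GMSSLHSMConstants.HSM_KEYSTORE_FILE.exists()) {
            return null;
        }
        return GMSSLKeyStoreUtils.readKeyStoreFromPath(GMSSLHSMConstants.HSM_KEYSTORE_PATH, DEFAULT_KEYSTORE_PASSWORD.toCharArray());
    }

    /**
     * Verifies the config's sign/enc material: first that the passwords open the PKCS#12 stores,
     * then that the key usages are acceptable per {@link GMSSLYunHsmUtils#verifyKeyUseAge}.
     *
     * <p>NOTE(review): the same sign/enc stream objects are read by the password check and then
     * handed to verifyKeyUseAge; this only works if the config getters return re-readable or
     * fresh streams — not verifiable from this class.
     *
     * @return {@code NORMAL} or the first failure code encountered
     * @throws Exception propagated from the key-usage check
     */
    private static YunHsmExceptionEnum verifyConfig(GMSSLHSMConfig config) throws Exception {
        YunHsmExceptionEnum passwordVerdict = verifyKeystorePass(config.getSignStream(), config.getSignPassword(), config.getEncStream(), config.getEncPassword());
        if (passwordVerdict != YunHsmExceptionEnum.NORMAL) {
            return passwordVerdict;
        }
        return GMSSLYunHsmUtils.verifyKeyUseAge(config.getSignStream(), config.getSignPassword(), config.getEncStream(), config.getEncPassword(), config.getTrustStream());
    }

    /**
     * Checks that each PKCS#12 stream opens with its password. Any failure (including a
     * {@code null} password) maps to the corresponding password-error code; nothing is thrown.
     *
     * @param signStream   sign PKCS#12 bytes
     * @param signPassword sign PKCS#12 password
     * @param encStream    enc PKCS#12 bytes
     * @param encPassword  enc PKCS#12 password
     * @return {@code NORMAL}, {@code SIGN_PASSWORD_IS_ERROR} or {@code ENC_PASSWORD_IS_ERROR}
     */
    private static YunHsmExceptionEnum verifyKeystorePass(InputStream signStream, String signPassword, InputStream encStream, String encPassword) {
        try {
            loadPkcs12(signStream, signPassword);
            logger.info("签名PFX 解析成功");
        } catch (Exception e) {
            // Message corrected: the previous text named the enc certificate for a sign failure.
            logger.error("签名证书保护口令不能打开签名证书", e);
            return YunHsmExceptionEnum.SIGN_PASSWORD_IS_ERROR;
        }
        try {
            loadPkcs12(encStream, encPassword);
            logger.info("加密PFX 解析成功");
        } catch (Exception e) {
            logger.error("加密证书保护口令不能打开加密证书", e);
            return YunHsmExceptionEnum.ENC_PASSWORD_IS_ERROR;
        }
        return YunHsmExceptionEnum.NORMAL;
    }

    /** Loads a PKCS#12 store from {@code in} with the BC provider; the result is discarded. */
    private static void loadPkcs12(InputStream in, String password) throws GeneralSecurityException, IOException {
        KeyStore.getInstance("pkcs12", PROVIDER).load(in, password.toCharArray());
    }
}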
