package com.xdja.pki.ldap.sdk.ca;

import com.xdja.pki.asn1.issue.TBSIssueRequest;
import com.xdja.pki.asn1.issue.TBSIssueResponse;
import com.xdja.pki.gmssl.crypto.init.GMSSLPkiCryptoInit;
import com.xdja.pki.gmssl.crypto.sdf.SdfCryptoType;
import com.xdja.pki.gmssl.http.GMSSLHttpClient;
import com.xdja.pki.gmssl.http.GMSSLHttpsClient;
import com.xdja.pki.gmssl.http.bean.GMSSLHttpRequest;
import com.xdja.pki.gmssl.http.bean.GMSSLHttpResponse;
import com.xdja.pki.gmssl.http.exception.GMSSLHttpException;
import com.xdja.pki.gmssl.x509.utils.bean.GMSSLCryptoType;
import com.xdja.pki.issue.PkixIssueCRL;
import com.xdja.pki.issue.PkixIssueCertStatus;
import com.xdja.pki.issue.PkixIssueReq;
import com.xdja.pki.issue.PkixIssueReqBuilder;
import com.xdja.pki.issue.PkixIssueResp;
import com.xdja.pki.issue.TBSIssueCRLReason;
import com.xdja.pki.ldap.X509Utils;
import com.xdja.pki.ldap.config.HttpRequestHeaderConfig;
import com.xdja.pki.ldap.sdk.ca.bean.BCRequestBean;
import com.xdja.pki.ldap.sdk.ca.bean.YunHsmRequestBean;
import java.io.IOException;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.provider.certpath.X509CertificatePair;

/* loaded from: input_file:com/xdja/pki/ldap/sdk/ca/LDAPCASDK.class */
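/**
 * Client SDK that publishes CA artefacts (certificates, CRLs, certificate status and
 * cross-certificate pairs) to an LDAP publishing endpoint and an OCSP endpoint.
 *
 * <p>Every public {@code send*} / {@code update*} operation builds a signed
 * {@link PkixIssueReq} through {@link PkixIssueReqBuilder}, posts its encoding to
 * {@link #ldapUrl} or {@link #ocspUrl} and only reports success after the response has
 * been parsed, matched against the request (type, number, transaction nonce), checked
 * for freshness and had its signature verified. Failures are reported as
 * {@code LDAPResponse(false, reason)} rather than thrown.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>For {@code https://} URLs the {@link GMSSLHttpsClient} is constructed with
 *       {@link #caCerts}; presumably those act as the TLS trust anchors, so the server
 *       certificate has to chain to one of them — confirm in GMSSLHttpsClient.</li>
 *   <li>{@link #run(String, String)} is the exception to the verification rule: it does
 *       not parse or signature-check the response body and treats every status code
 *       outside 400..599 as success.</li>
 *   <li>{@link X509CertificatePair} is a JDK-internal ({@code sun.*}) class; it is not
 *       exported on Java 9+ without {@code --add-exports}.</li>
 * </ul>
 *
 * <p>Instances are not thread-safe: {@link #reason} is mutable state shared by all calls.
 */
public class LDAPCASDK {
    /** Log line emitted whenever a request structure cannot be built. */
    private static final String BUILD_FAILED_LOG = "构建PkixIsuse结构体失败";
    private static final String HTTPS_SCHEME = "https://";
    private static final String HTTP_SCHEME = "http://";

    private final Logger logger = LoggerFactory.getLogger(getClass());
    /** Builds (and signs) the request structures; chosen by the constructor used. */
    private final PkixIssueReqBuilder builder;
    private String ldapUrl;
    private String ocspUrl;
    /** Signer certificates accepted for LDAP responses (passed to {@link PkixIssueResp#verifySign}). */
    private List<X509Certificate> ldapSignCerts;
    /** Signer certificates accepted for OCSP responses (passed to {@link PkixIssueResp#verifySign}). */
    private List<X509Certificate> ocspSignCerts;
    /**
     * Freshness bound handed to {@link PkixIssueResp#verifyTime}; stays 0 until
     * {@link #setTime(int)} is called. Its unit and the meaning of 0 are defined by
     * verifyTime, not here — TODO confirm before relying on the default.
     */
    private int time;
    /** Reason of the most recent failure; also carried by the returned {@code LDAPResponse}. */
    private String reason;
    /** Issuer certificate attached to certificate-status requests; set via {@link #setUserCaCert}. */
    private X509Certificate userCaCert;
    /** True when signing is done in software (BouncyCastle) rather than through an HSM key index. */
    private boolean isSignByBC;
    private SdfCryptoType sdfCryptoType = SdfCryptoType.YUNHSM;
    /** CA certificate chain: request signer chain for the builder and trust store for HTTPS. */
    private List<X509Certificate> caCerts;

    /** Sets the freshness bound used by {@link PkixIssueResp#verifyTime} on responses. */
    public void setTime(int time) {
        this.time = time;
    }

    public X509Certificate getUserCaCert() {
        return this.userCaCert;
    }

    public void setUserCaCert(X509Certificate userCaCert) {
        this.userCaCert = userCaCert;
    }

    public String getLdapUrl() {
        return this.ldapUrl;
    }

    public void setLdapUrl(String ldapUrl) {
        this.ldapUrl = ldapUrl;
    }

    public String getOcspUrl() {
        return this.ocspUrl;
    }

    public void setOcspUrl(String ocspUrl) {
        this.ocspUrl = ocspUrl;
    }

    /**
     * Software-signing (BouncyCastle) SDK.
     *
     * @param caCerts       CA chain used for request signing and as HTTPS trust store
     * @param caKeyPair     CA key pair used by the request builder
     * @param ldapUrl       LDAP publishing endpoint ({@code http://} or {@code https://})
     * @param ocspUrl       OCSP publishing endpoint
     * @param ldapSignCerts certificates accepted as signers of LDAP responses
     * @param ocspSignCerts certificates accepted as signers of OCSP responses
     */
    public LDAPCASDK(List<X509Certificate> caCerts, KeyPair caKeyPair, String ldapUrl, String ocspUrl,
            List<X509Certificate> ldapSignCerts, List<X509Certificate> ocspSignCerts) {
        configure(caCerts, ldapUrl, ocspUrl, ldapSignCerts, ocspSignCerts, true, SdfCryptoType.YUNHSM);
        this.builder = new PkixIssueReqBuilder(caKeyPair, caCerts);
    }

    /**
     * HSM-signing SDK. A {@code null} {@code privateKeyPassword} selects software (BC)
     * signing, exactly as the original constructor did.
     *
     * @param privateKeyIndex    key index inside the HSM
     * @param privateKeyPassword HSM key password; {@code null} means sign with BC
     * @param sdfCryptoType      HSM flavour; stored as-is (may be {@code null})
     */
    public LDAPCASDK(List<X509Certificate> caCerts, int privateKeyIndex, String privateKeyPassword,
            SdfCryptoType sdfCryptoType, String ldapUrl, String ocspUrl,
            List<X509Certificate> ldapSignCerts, List<X509Certificate> ocspSignCerts) {
        configure(caCerts, ldapUrl, ocspUrl, ldapSignCerts, ocspSignCerts,
                privateKeyPassword == null, sdfCryptoType);
        this.builder = new PkixIssueReqBuilder(privateKeyIndex, privateKeyPassword, caCerts, sdfCryptoType);
    }

    /** Software-signing SDK configured from a {@link BCRequestBean}. */
    public LDAPCASDK(BCRequestBean bean) {
        configure(bean.getCaCerts(), bean.getLdapUrl(), bean.getOcspUrl(),
                bean.getLdapSignCerts(), bean.getOcspSignCerts(), true, SdfCryptoType.YUNHSM);
        this.builder = new PkixIssueReqBuilder(bean.getCakeyPair(), bean.getCaCerts());
    }

    /**
     * HSM-signing SDK configured from a {@link YunHsmRequestBean}. A {@code null} private
     * key password selects software (BC) signing.
     */
    public LDAPCASDK(YunHsmRequestBean bean) {
        configure(bean.getCaCerts(), bean.getLdapUrl(), bean.getOcspUrl(),
                bean.getLdapSignCerts(), bean.getOcspSignCerts(),
                bean.getPrivateKeyPassword() == null, bean.getSdfCryptoType());
        this.builder = new PkixIssueReqBuilder(bean.getPrivateKeyIndex(), bean.getPrivateKeyPassword(),
                bean.getCaCerts(), this.sdfCryptoType);
    }

    /** Shared constructor body: stores every field except {@link #builder}. */
    private void configure(List<X509Certificate> caCerts, String ldapUrl, String ocspUrl,
            List<X509Certificate> ldapSignCerts, List<X509Certificate> ocspSignCerts,
            boolean signByBC, SdfCryptoType sdfCryptoType) {
        this.caCerts = caCerts;
        this.ldapUrl = ldapUrl;
        this.ocspUrl = ocspUrl;
        this.ldapSignCerts = ldapSignCerts;
        this.ocspSignCerts = ocspSignCerts;
        this.isSignByBC = signByBC;
        this.sdfCryptoType = sdfCryptoType;
    }

    /** Publishes a root CA certificate update (old, new and cross certificates) to LDAP. */
    public LDAPResponse updateRootCACertificateToLDAP(X509Certificate oldCert, X509Certificate newCert,
            X509Certificate crossCert) {
        try {
            return run(this.builder.build(oldCert, newCert, crossCert), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build updateRootCACertificateToLDAP PkixisssueReq, {0}");
        }
    }

    /** Publishes a root CA certificate update (old, new and cross certificates) to OCSP. */
    public LDAPResponse updateRootCACertificateToOCSP(X509Certificate oldCert, X509Certificate newCert,
            X509Certificate crossCert) {
        try {
            return run(this.builder.build(oldCert, newCert, crossCert), this.ocspUrl, true);
        } catch (Exception e) {
            return buildFailed(e, "can not build updateRootCACertificateToOCSP PkixisssueReq, {0}");
        }
    }

    /** Publishes one certificate to LDAP. */
    public LDAPResponse sendCertificate(X509Certificate certificate) {
        try {
            return run(this.builder.build(certificate), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCertificate PkixisssueReq, {0}");
        }
    }

    /** Publishes a batch of certificates to LDAP in one request. */
    public LDAPResponse sendCertificate(List<X509Certificate> certificates) {
        try {
            return run(this.builder.buildSendCerts(certificates), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCertificateList PkixisssueReq, {0}");
        }
    }

    /** Publishes a CRL to LDAP; {@code crlNumber} is forwarded to the builder unchanged. */
    public LDAPResponse sendCRL(int crlNumber, X509CRL crl) {
        try {
            return run(this.builder.build(crlNumber, crl), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCRL  PkixisssueReq, {0}");
        }
    }

    /** Publishes a CRL to LDAP with two builder-defined numeric attributes. */
    public LDAPResponse sendCRL(int first, int second, X509CRL crl) {
        try {
            return run(this.builder.build(first, second, crl), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCRL  PkixisssueReq, {0}");
        }
    }

    /** Publishes a batch of CRLs to LDAP in one request. */
    public LDAPResponse sendCRL(List<PkixIssueCRL> crls) {
        try {
            return run(this.builder.buildSendCrls(crls), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCRLList PkixisssueReq, {0}");
        }
    }

    /** Reports a certificate's revocation status to OCSP, using {@link #userCaCert} as issuer. */
    public LDAPResponse sendCertStatus(TBSIssueCRLReason crlReason, X509Certificate certificate) {
        try {
            return run(this.builder.build(crlReason, certificate, this.userCaCert), this.ocspUrl, true);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCertStatus PkixisssueReq, {0}");
        }
    }

    /** Reports a certificate's revocation status with an explicit date to OCSP. */
    public LDAPResponse sendCertStatus(TBSIssueCRLReason crlReason, X509Certificate certificate,
            Date revocationDate) {
        try {
            return run(this.builder.build(crlReason, certificate, revocationDate, this.userCaCert),
                    this.ocspUrl, true);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCertStatus PkixisssueReq, {0}");
        }
    }

    /** Reports a batch of certificate statuses to OCSP in one request. */
    public LDAPResponse sendCertStatus(List<PkixIssueCertStatus> statuses) {
        try {
            return run(this.builder.buildSendCertStatuses(statuses, this.userCaCert), this.ocspUrl, true);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCertStatusList PkixisssueReq, {0}");
        }
    }

    /** Publishes an already assembled cross-certificate pair to LDAP. */
    public LDAPResponse sendCrossCertificate(X509CertificatePair pair) {
        try {
            return run(this.builder.build(pair), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCrossCertificate PkixisssueReq, {0}");
        }
    }

    /**
     * Publishes the forward half of a cross-certificate pair (a certificate issued to
     * this CA) to LDAP. The pair is assembled first so that a {@link CertificateException}
     * from its constructor is reported as a pair-construction failure, not a build failure.
     */
    public LDAPResponse sendCrossCertificateIssueToThisCA(X509Certificate forward) {
        X509CertificatePair pair;
        try {
            pair = new X509CertificatePair(forward, (X509Certificate) null);
        } catch (CertificateException e) {
            return failure("不能使用该证书构造交叉证书对", e,
                    "can not use IssueToThisCA  build X509CertificatePair, {0}");
        }
        try {
            return run(this.builder.buildForward(pair), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCrossCertificateToCA PkixisssueReq, {0}");
        }
    }

    /**
     * Publishes the reverse half of a cross-certificate pair (a certificate issued by
     * this CA) together with {@code issuerCert} to LDAP.
     */
    public LDAPResponse sendCrossCertificateIssueByThisCA(X509Certificate reverse, X509Certificate issuerCert) {
        X509CertificatePair pair;
        try {
            pair = new X509CertificatePair((X509Certificate) null, reverse);
        } catch (CertificateException e) {
            return failure("不能使用该证书构造交叉证书对", e,
                    "can not use IssueByThisCA  build X509CertificatePair, {0}");
        }
        try {
            return run(this.builder.buildReserve(pair, issuerCert), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCrossCertificateToCA PkixisssueReq, {0}");
        }
    }

    /** Publishes the reverse half of a cross-certificate pair (issued by this CA) to LDAP. */
    public LDAPResponse sendCrossCertificateIssueByThisCA(X509Certificate reverse) {
        X509CertificatePair pair;
        try {
            pair = new X509CertificatePair((X509Certificate) null, reverse);
        } catch (CertificateException e) {
            return failure("不能使用该证书构造交叉证书对", e,
                    "can not use IssueByThisCA  build X509CertificatePair, {0}");
        }
        try {
            return run(this.builder.build(pair), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCrossCertificateByCA PkixisssueReq, {0}");
        }
    }

    /** Publishes a full cross-certificate pair built from {@code forward} and {@code reverse}. */
    public LDAPResponse sendCrossCertificate(X509Certificate forward, X509Certificate reverse) {
        X509CertificatePair pair;
        try {
            pair = new X509CertificatePair(forward, reverse);
        } catch (CertificateException e) {
            return failure("不能使用这两个证书构造交叉证书对", e,
                    "can not use these two certs build X509CertificatePair, {0}");
        }
        try {
            return run(this.builder.build(pair), this.ldapUrl, false);
        } catch (Exception e) {
            return buildFailed(e, "can not build sendCrossCertificate PkixisssueReq, {0}");
        }
    }

    /**
     * Posts an encoded request and verifies the response end to end.
     *
     * <p>Order of checks: URL scheme, trust-store construction (HTTPS only), request
     * encoding, HTTP status (4xx/5xx rejected; 1xx/2xx/3xx all fall through — a redirect
     * is not followed, its body is parsed as a response), response parsing, status type,
     * type/number/nonce match against the request, freshness, signature.
     *
     * @param request the signed request to send
     * @param url     target endpoint
     * @param isOcsp  {@code true} for the OCSP endpoint; forwarded to
     *                {@link PkixIssueResp#verifySign}, presumably to select
     *                {@link #ocspSignCerts} over {@link #ldapSignCerts}
     * @return success only when every check above passed
     */
    private LDAPResponse run(PkixIssueReq request, String url, boolean isOcsp) {
        GMSSLHttpClient client;
        try {
            client = newHttpClient(url);
        } catch (Exception e) {
            return failure("构造 trust keystore 异常", e, "generate trust keystore is failure, {0}");
        }
        if (client == null) {
            this.logger.error("传入的url格式异常" + url);
            return failure(MessageFormat.format("url type is error url = {0}", url));
        }

        GMSSLHttpRequest httpRequest = newHttpRequest(url);
        try {
            httpRequest.setBody(request.getEncoded());
        } catch (IOException e) {
            return failure("PkixIsuse转换二进制失败", e, "pkixIssueReq getEncode is failure, {0}");
        }

        GMSSLHttpResponse response;
        try {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("start send post request, url = {}", url);
            }
            long started = System.currentTimeMillis();
            response = client.post(httpRequest);
            // Timing is diagnostic only; it used to be logged at ERROR level.
            this.logger.debug("post request period = {} ms", System.currentTimeMillis() - started);
            LDAPResponse rejected = rejectErrorStatus(response);
            if (rejected != null) {
                return rejected;
            }
        } catch (Exception e) {
            // Kept for compatibility: any transport failure is reported as "Connection refused".
            return failure("连接服务器失败, ", e, "Connection refused, {0}");
        }
        return verifyResponse(request, response, isOcsp);
    }

    /**
     * Posts a pre-computed signature together with a key string derived from the first
     * CA certificate as form parameters.
     *
     * <p>WARNING: unlike the {@link PkixIssueReq} path this method does not parse or
     * signature-check the response; it returns success for every HTTP status outside
     * 400..599. Callers must not infer from a success result that the server accepted
     * or validated the signature.
     *
     * @param sign the value sent as the {@code sign} parameter
     * @param url  target endpoint ({@code http://} or {@code https://})
     */
    public LDAPResponse run(String sign, String url) {
        if (this.caCerts == null || this.caCerts.isEmpty()) {
            this.logger.error("CA证书列表为空");
            return failure("ca certs is empty");
        }
        // Raw map kept on purpose: GMSSLHttpRequest.setParams' parameter type is not visible here.
        HashMap params = new HashMap();
        try {
            params.put("keyStr", X509Utils.getKeyFromCertificate(this.caCerts.get(0)));
            params.put("sign", sign);
        } catch (Exception e) {
            return failure("无法从CA证书获取 keyStr", e, "can not get keyStr from ca certificate, {0}");
        }

        GMSSLHttpClient client;
        try {
            client = newHttpClient(url);
        } catch (Exception e) {
            return failure("构造 trust keystore 异常", e, "generate trust keystore is failure, {0}");
        }
        if (client == null) {
            this.logger.error("传入的url格式异常" + url);
            return failure(MessageFormat.format("url type is error url = {0}", url));
        }

        GMSSLHttpRequest httpRequest = newHttpRequest(url);
        try {
            httpRequest.setParams(params);
            GMSSLHttpResponse response = client.post(httpRequest);
            LDAPResponse rejected = rejectErrorStatus(response);
            if (rejected != null) {
                return rejected;
            }
            // No body verification here (see the method Javadoc).
            return new LDAPResponse(true, "success");
        } catch (Exception e) {
            return failure("连接服务器失败, ", e, "Connection refused, {0}");
        }
    }

    /** Creates a request for {@code url} carrying the configured default headers. */
    private GMSSLHttpRequest newHttpRequest(String url) {
        GMSSLHttpRequest httpRequest = new GMSSLHttpRequest();
        httpRequest.setUrl(url);
        httpRequest.setHeaders(HttpRequestHeaderConfig.getHeaders());
        return httpRequest;
    }

    /**
     * Creates the transport for {@code url}: a trust-store backed HTTPS client for
     * {@code https://}, a plain client for {@code http://}, {@code null} for anything else
     * (including {@code null}). The scheme comparison is case-insensitive and requires
     * the {@code ://} separator, so a bare prefix such as {@code httpsfoo} is rejected.
     *
     * @throws GMSSLHttpException    if the HTTPS client cannot be constructed
     * @throws IllegalStateException if HTTPS is requested but {@link #caCerts} is empty
     */
    private GMSSLHttpClient newHttpClient(String url) throws GMSSLHttpException {
        if (hasScheme(url, HTTPS_SCHEME)) {
            return newHttpsClient();
        }
        if (hasScheme(url, HTTP_SCHEME)) {
            return new GMSSLHttpClient();
        }
        return null;
    }

    /** Case-insensitive prefix test; {@code null} never matches. */
    private static boolean hasScheme(String url, String scheme) {
        return url != null && url.regionMatches(true, 0, scheme, 0, scheme.length());
    }

    /**
     * Builds the HTTPS client with {@link #caCerts} as its trust material. The HSM-backed
     * variant is only selected for SM2 chains when signing is not done by BC and the
     * process-wide crypto provider is the XDJA HSM.
     */
    private GMSSLHttpClient newHttpsClient() throws GMSSLHttpException {
        if (this.caCerts == null || this.caCerts.isEmpty()) {
            throw new IllegalStateException("ca certs is empty");
        }
        X509Certificate[] trustCerts = this.caCerts.toArray(new X509Certificate[0]);
        boolean hsmSm2 = !this.isSignByBC
                && this.caCerts.get(0).getSigAlgName().contains("SM2")
                && GMSSLCryptoType.XDJA_HSM == GMSSLPkiCryptoInit.getCryptoType();
        if (!hsmSm2) {
            return new GMSSLHttpsClient(trustCerts);
        }
        long started = System.currentTimeMillis();
        GMSSLHttpsClient client = new GMSSLHttpsClient(trustCerts, this.sdfCryptoType == SdfCryptoType.YUNHSM);
        this.logger.debug("https client init period = {} ms", System.currentTimeMillis() - started);
        return client;
    }

    /**
     * Maps 4xx to "bad request" and 5xx to "Internal Server Error"; every other status
     * returns {@code null} and is treated as deliverable by the callers.
     */
    private LDAPResponse rejectErrorStatus(GMSSLHttpResponse response) {
        int status = response.getStatusCode();
        if (status >= 400 && status < 500) {
            this.logger.error("请求参数有误");
            return failure("bad request");
        }
        if (status >= 500 && status < 600) {
            this.logger.error("服务器初始化错误");
            return failure("Internal Server Error");
        }
        return null;
    }

    /**
     * Parses the response body and checks it against the request: status type, type,
     * number, transaction nonce (replay protection), freshness, then the signature.
     * The catch nesting mirrors the original error mapping: parse errors, a
     * {@link ParseException} from the time check and signature errors each get their
     * own reason text; anything else becomes "unknown response status code type".
     */
    private LDAPResponse verifyResponse(PkixIssueReq request, GMSSLHttpResponse response, boolean isOcsp) {
        PkixIssueResp issueResp;
        TBSIssueResponse tbsResponse;
        TBSIssueRequest tbsRequest;
        try {
            issueResp = new PkixIssueResp(response.getBody());
            tbsResponse = issueResp.getPkixIssue().getTBSIssue();
            tbsRequest = request.getPkixIssue().getTBSIssue();
        } catch (Exception e) {
            return failure("不能解析PkixIssueRessp结构体 ", e, "can not resolve this response struct, {0}");
        }
        try {
            if (issueResp.getStatus().getType() == 1) {
                this.logger.error("返回状态码有误，请重新发送数据 ");
                return failure("response status code is error, please resend");
            }
            if (!PkixIssueResp.verifyType(tbsRequest, tbsResponse)) {
                this.logger.error("请求结构体和响应结构体的type不相同");
                return failure("request struct's type is not equals response struct's type");
            }
            if (!PkixIssueResp.verifyNumber(tbsRequest, tbsResponse)) {
                this.logger.error("请求结构体和响应结构体的number不相同");
                return failure("request struct's number is not equals response struct's number");
            }
            if (!PkixIssueResp.verifyTranNonce(tbsRequest, tbsResponse)) {
                this.logger.error("请求结构体和相应结构体的随机数不相同");
                return failure("request struct's transNonce is not equals response struct's tranNonce");
            }
            try {
                if (!PkixIssueResp.verifyTime(tbsResponse, this.time)) {
                    this.logger.error("收到相应的时间超过了设定时间");
                    return failure("timeout");
                }
            } catch (ParseException e) {
                return failure("无法从响应结构体得到相应时间", e, "can not get response body time, {0}");
            }
            return verifySignature(issueResp, isOcsp);
        } catch (Exception e) {
            return failure("未知的返回状态", e, "unknown response status code type , {0}");
        }
    }

    /** Verifies the response signature; an invalid or unverifiable signature is a failure. */
    private LDAPResponse verifySignature(PkixIssueResp issueResp, boolean isOcsp) {
        try {
            long started = System.currentTimeMillis();
            boolean valid = PkixIssueResp.verifySign(issueResp, this.caCerts, isOcsp,
                    this.ocspSignCerts, this.ldapSignCerts, this.isSignByBC, this.sdfCryptoType);
            this.logger.debug("verifySign period = {} ms", System.currentTimeMillis() - started);
            if (valid) {
                this.logger.info("----------操作成功-----------");
                return new LDAPResponse(true, "success");
            }
            this.logger.error("响应结构体签名无效");
            return failure("signature is not valid");
        } catch (Exception e) {
            return failure("无法进行验签", e, "can not verify signature, {0}");
        }
    }

    /** Failure for a request that could not be built; {@code reasonPattern} receives the cause message. */
    private LDAPResponse buildFailed(Exception cause, String reasonPattern) {
        return failure(BUILD_FAILED_LOG, cause, reasonPattern);
    }

    /** Logs {@code logMessage} with the cause and returns a failure whose reason is the formatted pattern. */
    private LDAPResponse failure(String logMessage, Exception cause, String reasonPattern) {
        this.logger.error(logMessage, cause);
        return failure(MessageFormat.format(reasonPattern, cause.getMessage()));
    }

    /** Records {@code reason} and wraps it in an unsuccessful response. */
    private LDAPResponse failure(String reason) {
        this.reason = reason;
        return new LDAPResponse(false, reason);
    }
}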
