package com.xdja.pki.ldap.controller;

import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import com.xdja.pki.gmssl.core.utils.GMSSLBCSignUtils;
import com.xdja.pki.gmssl.core.utils.GMSSLByteArrayUtils;
import com.xdja.pki.gmssl.crypto.sdf.SdfCryptoType;
import com.xdja.pki.gmssl.crypto.utils.GMSSLECSignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLRSASignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2SignUtils;
import com.xdja.pki.gmssl.x509.utils.bean.GMSSLSignatureAlgorithm;
import com.xdja.pki.issue.PkixIssueReq;
import com.xdja.pki.issue.PkixIssueRespBuilder;
import com.xdja.pki.issue.TBSIssueResponseStatus;
import com.xdja.pki.ldap.CryptoTypeStr;
import com.xdja.pki.ldap.X509Utils;
import com.xdja.pki.ldap.config.ErrorEnum;
import com.xdja.pki.ldap.config.LDAPConfiguration;
import com.xdja.pki.ldap.service.OpenLDAPService;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/**
 * REST endpoints for the LDAP-server side of the PKIX issue flow: a signed
 * issue request is parsed, its signature is checked against configured CA
 * certificates (through BC, a YUNHSM device or a PCIE card, depending on the
 * configured crypto type) and the request is then handed to
 * {@link OpenLDAPService#pkixIssue}.
 *
 * <p>Failures are reported by setting an HTTP status on the response and
 * returning an empty body; {@link #caConnectLDAPTest} instead returns whatever
 * {@link ErrorEnum#resp} produces. A request whose signature does not verify is
 * answered with an Error-status PKIX response and no explicit HTTP status.
 *
 * <p>Decompiled source: parameter and local names such as {@code str},
 * {@code list2} and {@code obj} are not the original ones; log messages are
 * runtime strings and are left as-is.
 */
@RequestMapping({"/api/v1/ldapserver"})
@RestController
/* loaded from: input_file:WEB-INF/classes/com/xdja/pki/ldap/controller/LDAPController.class */
public class LDAPController {

    /** Certificate, key-material and crypto-type configuration read by every handler. */
    @Autowired
    private LDAPConfiguration ldapConfiguration;

    /** Performs the LDAP write once a request has been verified (see pkixIssue calls). */
    @Autowired
    private OpenLDAPService openLDAPService;
    // Per-instance logger keyed on the runtime class.
    private Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Legacy issue handler that verifies against the single CA set returned by
     * {@code ldapConfiguration.getCaCerts()} and signs with the globally
     * configured key. It carries no request-mapping annotation, so as written
     * it is not exposed as a route.
     *
     * @param bArr                raw request body, parsed by {@link PkixIssueReq}
     * @param httpServletResponse used only to set an HTTP status on failure
     * @return the encoded issue response, or an empty array when a status was
     *         set (400 for an unparsable request; 500 for an unknown crypto
     *         type, a failure reading configured certificates, or an LDAP
     *         storage error)
     * @deprecated apparently superseded by {@link #pkixIssue}, which selects
     *             the CA set from the certificate carried in the request
     */
    @Deprecated
    public byte[] pkixissue(@RequestBody byte[] bArr, HttpServletResponse httpServletResponse) {
        PkixIssueRespBuilder pkixIssueRespBuilder;
        this.logger.info("------------访问服务器成功------------");
        try {
            List<X509Certificate> caCerts = this.ldapConfiguration.getCaCerts();
            // Pick the response builder (i.e. how the response gets signed) from the
            // configured crypto type.
            if (CryptoTypeStr.YUNHSM.equalsIgnoreCase(this.ldapConfiguration.getCryptoType())) {
                // A null private-key password selects the constructor that also takes the
                // configured sign key; with a password the HSM index/password pair is used.
                // Both branches log the same debug message.
                if (this.ldapConfiguration.getPrivateKeyPassword() == null) {
                    pkixIssueRespBuilder = new PkixIssueRespBuilder(this.ldapConfiguration.getPrivateKeyIndex(), this.ldapConfiguration.getPrivateKeyPassword(), caCerts, SdfCryptoType.YUNHSM, this.ldapConfiguration.getSignKey());
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("使用加密机验签");
                    }
                } else {
                    pkixIssueRespBuilder = new PkixIssueRespBuilder(this.ldapConfiguration.getPrivateKeyIndex(), this.ldapConfiguration.getPrivateKeyPassword(), caCerts, SdfCryptoType.YUNHSM);
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("使用加密机验签");
                    }
                }
            } else if (CryptoTypeStr.PCIE.equalsIgnoreCase(this.ldapConfiguration.getCryptoType())) {
                pkixIssueRespBuilder = new PkixIssueRespBuilder(this.ldapConfiguration.getPrivateKeyIndex(), this.ldapConfiguration.getPrivateKeyPassword(), caCerts, SdfCryptoType.PCIE);
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("使用PCIE卡验签");
                }
            } else {
                // Anything other than YUNHSM / PCIE / BC is a configuration error: 500, empty body.
                if (!CryptoTypeStr.BC.equalsIgnoreCase(this.ldapConfiguration.getCryptoType())) {
                    this.logger.error("配置文件验签方式配置有误");
                    httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
                    return new byte[0];
                }
                pkixIssueRespBuilder = new PkixIssueRespBuilder(this.ldapConfiguration.getSignKey(), caCerts);
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("使用BC模式验签");
                }
            }
            // Parse and verify the request; any exception from this block maps to 400.
            try {
                PkixIssueReq pkixIssueReq = new PkixIssueReq(bArr);
                this.logger.info("请求结构体类型为 {}", pkixIssueReq.getTBSIssueType());
                // Verification route mirrors the builder choice: PCIE -> SDF on the card;
                // YUNHSM -> SDF only when a private-key password is configured, else BC;
                // everything else -> BC. A bad signature is answered with an Error-status
                // PKIX response (no HTTP error status is set).
                if (CryptoTypeStr.PCIE.equalsIgnoreCase(this.ldapConfiguration.getCryptoType())) {
                    if (!pkixIssueReq.verifySignatureBySdf(caCerts, SdfCryptoType.PCIE)) {
                        this.logger.error("请求结构体签名无效");
                        return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, this.ldapConfiguration.getSignCert().getSigAlgName()).getEncoded();
                    }
                } else if (CryptoTypeStr.YUNHSM.equalsIgnoreCase(this.ldapConfiguration.getCryptoType())) {
                    if (this.ldapConfiguration.getPrivateKeyPassword() != null) {
                        if (!pkixIssueReq.verifySignatureBySdf(caCerts, SdfCryptoType.YUNHSM)) {
                            this.logger.error("请求结构体签名无效");
                            return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, this.ldapConfiguration.getSignCert().getSigAlgName()).getEncoded();
                        }
                    } else if (!pkixIssueReq.verifySignatureByBC(caCerts)) {
                        this.logger.error("请求结构体签名无效");
                        return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, this.ldapConfiguration.getSignCert().getSigAlgName()).getEncoded();
                    }
                } else if (!pkixIssueReq.verifySignatureByBC(caCerts)) {
                    this.logger.error("请求结构体签名无效");
                    return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, this.ldapConfiguration.getSignCert().getSigAlgName()).getEncoded();
                }
                // Storage failure is reported as 500 with an empty body.
                try {
                    return this.openLDAPService.pkixIssue(pkixIssueReq, pkixIssueRespBuilder);
                } catch (Exception e) {
                    this.logger.error("向LDAP存储失败 ", (Throwable) e);
                    httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
                    return new byte[0];
                }
            } catch (Exception e2) {
                this.logger.error("无法解析请求结构体 ", (Throwable) e2);
                httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
                return new byte[0];
            }
        } catch (Exception e3) {
            this.logger.error("读取配置证书失败", (Throwable) e3);
            httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
            return new byte[0];
        }
    }

    /**
     * Issue handler for {@code POST /api/v1/ldapserver/pkixissue}.
     *
     * <p>Flow: parse the request; derive a lookup key from the certificate
     * carried in the request signature; resolve that key in the CA-to-LDAP map
     * (falling back to {@link X509Utils#getListFromCAToOCSPMap}); from the
     * resolved entry take the CA certificate list (index 0), the signing
     * certificate (index 1) and the signing key material (index 2, cast to a
     * {@link KeyPair} on the BC / password-less YUNHSM paths and to a
     * {@code String[]} — presumably {index, password} by analogy with the legacy
     * handler — on the PCIE / YUNHSM-with-password paths); build the response
     * builder, verify the request signature, then delegate to
     * {@code openLDAPService.pkixIssue}.
     *
     * <p>Status codes: 400 for an unparsable request or an exception during the
     * CA lookup; 500 when no CA entry is found, for an unknown crypto type, for a
     * failure while building the response builder, or for an LDAP storage error.
     * In all of these cases the body is empty. A signature that does not verify
     * is answered with an Error-status PKIX response and no explicit status.
     *
     * @param bArr                raw request body, parsed by {@link PkixIssueReq}
     * @param httpServletRequest  not used by this method
     * @param httpServletResponse used to set the HTTP status on failure
     * @return the encoded response, or an empty array when a status was set
     */
    @PostMapping({"/pkixissue"})
    public byte[] pkixIssue(@RequestBody byte[] bArr, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        PkixIssueRespBuilder pkixIssueRespBuilder;
        try {
            PkixIssueReq pkixIssueReq = new PkixIssueReq(bArr);
            try {
                // The CA entry is chosen by a key derived from the certificate embedded in
                // the request's own signature. NOTE(review): the trust decision therefore
                // rests on the verifySignatureBy* calls below checking that certificate
                // against list2 (the configured CA list) — confirm PkixIssueReq does so.
                String keyFromCertificate = X509Utils.getKeyFromCertificate(X509Utils.getCertFromSignature(pkixIssueReq.issue.getSignature()));
                List<List<X509Certificate>> allCAListFromPath = this.ldapConfiguration.getAllCAListFromPath(this.ldapConfiguration.getCaCert());
                Map<String, Object> cAToLDAPMap = this.ldapConfiguration.getCAToLDAPMap(allCAListFromPath);
                // Unchecked cast: map values are expected to be raw lists laid out as
                // [List<X509Certificate>, X509Certificate, KeyPair | String[]].
                List<Object> list = (List) cAToLDAPMap.get(keyFromCertificate);
                if (list == null || list.isEmpty()) {
                    list = X509Utils.getListFromCAToOCSPMap(cAToLDAPMap, allCAListFromPath, keyFromCertificate);
                }
                if (list == null || list.isEmpty()) {
                    this.logger.error("签名CA证书未配置");
                    httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
                    return new byte[0];
                }
                List<X509Certificate> list2 = (List) list.get(0);
                this.logger.info("------------访问服务器成功------------");
                String cryptoType = this.ldapConfiguration.getCryptoType();
                X509Certificate x509Certificate = (X509Certificate) list.get(1);
                // YUNHSM is only kept when the signing certificate's algorithm name contains
                // "SM2"; otherwise the effective type is forced to BC.
                String str = (!CryptoTypeStr.YUNHSM.equalsIgnoreCase(cryptoType) || x509Certificate.getSigAlgName().contains("SM2")) ? cryptoType : CryptoTypeStr.BC;
                // NOTE(review): initInstance is invoked on the shared configuration bean for
                // every request — confirm it is safe to call concurrently / repeatedly.
                this.ldapConfiguration.initInstance(str);
                Object obj = list.get(2);
                try {
                    if (CryptoTypeStr.YUNHSM.equalsIgnoreCase(str)) {
                        // Without a configured password the entry's KeyPair is used; with one,
                        // the index/password come from the entry rather than from ldapConfiguration.
                        if (this.ldapConfiguration.getPrivateKeyPassword() == null) {
                            pkixIssueRespBuilder = new PkixIssueRespBuilder(this.ldapConfiguration.getPrivateKeyIndex(), this.ldapConfiguration.getPrivateKeyPassword(), list2, SdfCryptoType.YUNHSM, (KeyPair) obj);
                            if (this.logger.isDebugEnabled()) {
                                this.logger.debug("使用加密机验签");
                            }
                        } else {
                            String[] strArr = (String[]) obj;
                            pkixIssueRespBuilder = new PkixIssueRespBuilder(Integer.parseInt(strArr[0]), strArr[1], list2, SdfCryptoType.YUNHSM);
                            if (this.logger.isDebugEnabled()) {
                                this.logger.debug("使用加密机验签");
                            }
                        }
                    } else if (CryptoTypeStr.PCIE.equalsIgnoreCase(str)) {
                        String[] strArr2 = (String[]) obj;
                        pkixIssueRespBuilder = new PkixIssueRespBuilder(Integer.parseInt(strArr2[0]), strArr2[1], list2, SdfCryptoType.PCIE);
                        if (this.logger.isDebugEnabled()) {
                            this.logger.debug("使用PCIE卡验签");
                        }
                    } else {
                        // Unknown effective crypto type: 500, empty body.
                        if (!CryptoTypeStr.BC.equalsIgnoreCase(str)) {
                            this.logger.error("配置文件验签方式配置有误");
                            httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
                            return new byte[0];
                        }
                        pkixIssueRespBuilder = new PkixIssueRespBuilder((KeyPair) obj, list2);
                        if (this.logger.isDebugEnabled()) {
                            this.logger.debug("使用BC模式验签");
                        }
                    }
                    // Verification route, same shape as the legacy handler. Note the YUNHSM
                    // password check here reads ldapConfiguration, while the builder above
                    // took the index/password from the map entry.
                    try {
                        this.logger.info("请求结构体类型为 {}", pkixIssueReq.getTBSIssueType());
                        if (CryptoTypeStr.PCIE.equalsIgnoreCase(str)) {
                            if (!pkixIssueReq.verifySignatureBySdf(list2, SdfCryptoType.PCIE)) {
                                this.logger.error("请求结构体签名无效");
                                return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, x509Certificate).getEncoded();
                            }
                        } else if (CryptoTypeStr.YUNHSM.equalsIgnoreCase(str)) {
                            if (this.ldapConfiguration.getPrivateKeyPassword() != null) {
                                if (!pkixIssueReq.verifySignatureBySdf(list2, SdfCryptoType.YUNHSM)) {
                                    this.logger.error("请求结构体签名无效");
                                    return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, x509Certificate).getEncoded();
                                }
                            } else if (!pkixIssueReq.verifySignatureByBC(list2)) {
                                this.logger.error("请求结构体签名无效");
                                return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, x509Certificate).getEncoded();
                            }
                        } else if (!pkixIssueReq.verifySignatureByBC(list2)) {
                            this.logger.error("请求结构体签名无效");
                            return pkixIssueRespBuilder.build(pkixIssueReq, TBSIssueResponseStatus.Error, x509Certificate).getEncoded();
                        }
                        // Storage failure → 500, empty body.
                        try {
                            return this.openLDAPService.pkixIssue(pkixIssueReq, pkixIssueRespBuilder, x509Certificate);
                        } catch (Exception e) {
                            this.logger.error("向LDAP存储失败 ", (Throwable) e);
                            httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
                            return new byte[0];
                        }
                    } catch (Exception e2) {
                        // Covers getTBSIssueType() and the verifySignature* calls.
                        this.logger.error("无法解析请求结构体 ", (Throwable) e2);
                        httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
                        return new byte[0];
                    }
                } catch (Exception e3) {
                    // Covers builder construction (including the casts and parseInt on obj).
                    this.logger.error("读取配置证书失败", (Throwable) e3);
                    httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
                    return new byte[0];
                }
            } catch (Exception e4) {
                // Covers certificate extraction from the signature and the CA map lookup.
                this.logger.error("获取签名CA证书异常", (Throwable) e4);
                httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
                return new byte[0];
            }
        } catch (Exception e5) {
            this.logger.error("无法解析请求结构体 ", (Throwable) e5);
            httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
            return new byte[0];
        }
    }

    /**
     * Connectivity self-test for {@code POST /api/v1/ldapserver/pkixissue/test}:
     * checks that the signature {@code str} over the fixed text {@code "LDAP"}
     * verifies under one of the CA certificates resolved for {@code str2}.
     *
     * @param str                 Base64 signature (required request parameter);
     *                            spaces are turned back into {@code '+'} before use
     * @param str2                lookup key into the CA-to-LDAP map; it has no
     *                            binding annotation, so it is resolved by Spring's
     *                            default rules — presumably an optional request
     *                            parameter of the same name, to be confirmed
     * @param httpServletResponse handed to {@link ErrorEnum#resp} on failure
     * @return {@code null} on success, otherwise the {@link ErrorEnum} response
     */
    @RequestMapping(value = {"/pkixissue/test"}, method = {RequestMethod.POST})
    public Object caConnectLDAPTest(@RequestParam String str, String str2, HttpServletResponse httpServletResponse) {
        try {
            List<List<X509Certificate>> allCAListFromPath = this.ldapConfiguration.getAllCAListFromPath(this.ldapConfiguration.getCaCert());
            Map<String, Object> cAToLDAPMap = this.ldapConfiguration.getCAToLDAPMap(allCAListFromPath);
            List<Object> list = (List) cAToLDAPMap.get(str2);
            if (list == null || list.isEmpty()) {
                list = X509Utils.getListFromCAToOCSPMap(cAToLDAPMap, allCAListFromPath, str2);
            }
            String cryptoType = this.ldapConfiguration.getCryptoType();
            // No null check after the fallback: a still-missing entry makes list.get(0)
            // throw, and the catch below answers with LDAP_INTERNAL_EXCEPTION.
            List<X509Certificate> list2 = (List) list.get(0);
            if (list2 == null || list2.isEmpty()) {
                this.logger.error("签名CA证书未配置");
                return ErrorEnum.LDAP_INTERNAL_EXCEPTION.resp(httpServletResponse);
            }
            // DEFAULT_ROOT_VALUE_SEPARATOR is a single space; mapping it back to '+'
            // presumably undoes form decoding of a Base64 value. The YUNHSM/BC decision
            // here inspects list2.get(0), whereas verifyTestSign takes the algorithm
            // name from the last certificate in the list.
            if (!verifyTestSign(str.replace(MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR, "+"), (!CryptoTypeStr.YUNHSM.equalsIgnoreCase(cryptoType) || list2.get(0).getSigAlgName().contains("SM2")) ? cryptoType : CryptoTypeStr.BC, list2)) {
                this.logger.error("测试LDAP连通验签失败");
                return ErrorEnum.SIGN_VERIFY_FAIL.resp(httpServletResponse);
            }
            this.logger.info("测试LDAP连通验签通过");
            this.logger.info("测试LDAP连通性通过");
            // Success is signalled by a null body.
            return null;
        } catch (Exception e) {
            this.logger.error("测试LDAP连通出现异常", (Throwable) e);
            return ErrorEnum.LDAP_INTERNAL_EXCEPTION.resp(httpServletResponse);
        }
    }

    /**
     * Routes the self-test verification: BC when {@code str2} is BC, otherwise
     * the YUNHSM SDF path — a PCIE crypto type also lands on YUNHSM here. The
     * algorithm name is taken from the last certificate in {@code list} and,
     * on the BC path, applied to every key that is tried.
     *
     * @param str  Base64 signature
     * @param str2 effective crypto type chosen by the caller
     * @param list CA certificates whose keys are tried in turn
     * @return whether any certificate's key verifies the signature over "LDAP"
     * @throws Exception on an unsupported algorithm name or a provider failure
     */
    private boolean verifyTestSign(String str, String str2, List<X509Certificate> list) throws Exception {
        String sigAlgName = list.get(list.size() - 1).getSigAlgName();
        if (CryptoTypeStr.BC.equalsIgnoreCase(str2)) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("使用BC进行验签");
            }
            return verifySignatureByBC(list, sigAlgName, "LDAP", str);
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("使用HSM进行验签");
        }
        return verifySignatureBySdf(list, SdfCryptoType.YUNHSM, "LDAP", str);
    }

    /**
     * Tries each certificate's public key with BC and accepts on the first
     * success; the single algorithm name {@code str} is used for every key.
     *
     * @param list candidate certificates
     * @param str  signature algorithm name
     * @param str2 plaintext that was signed
     * @param str3 Base64 signature
     * @return true if any key verifies, false if none does
     * @throws Exception propagated from the single-key variant
     */
    public boolean verifySignatureByBC(List<X509Certificate> list, String str, String str2, String str3) throws Exception {
        for (int i = 0; i < list.size(); i++) {
            if (verifySignatureByBC(list.get(i).getPublicKey(), str, str2, str3)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tries each certificate's public key through the SDF provider and accepts
     * on the first success. Unlike the BC variant, the algorithm name is taken
     * from each certificate's own {@code getSigAlgName()}.
     *
     * @param list          candidate certificates
     * @param sdfCryptoType SDF device to use (only honoured for SM2, see below)
     * @param str           plaintext that was signed
     * @param str2          Base64 signature
     * @return true if any key verifies, false if none does
     * @throws Exception propagated from the single-key variant
     */
    public boolean verifySignatureBySdf(List<X509Certificate> list, SdfCryptoType sdfCryptoType, String str, String str2) throws Exception {
        for (int i = 0; i < list.size(); i++) {
            if (verifySignatureBySdf(list.get(i).getPublicKey(), list.get(i).getSigAlgName(), sdfCryptoType, str, str2)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Single-key verification through the SDF provider, dispatched on the
     * algorithm name: {@code SM3_WITH_SM2} uses {@code sdfCryptoType};
     * {@code SHA1_WITH_RSA}/{@code SHA256_WITH_RSA} and {@code SHA256_WITH_ECDSA}
     * always go to the YunHsm helpers regardless of {@code sdfCryptoType}. Any
     * other name is logged and rejected with an exception.
     *
     * <p>The plaintext is converted with the platform default charset before
     * Base64 encoding; the callers in this file pass ASCII ({@code "LDAP"}).
     * NOTE(review): SHA1withRSA signatures are accepted on this path.
     *
     * @param publicKey     key to verify with
     * @param str           signature algorithm name
     * @param sdfCryptoType SDF device, used only for the SM2 branch
     * @param str2          plaintext that was signed
     * @param str3          Base64 signature
     * @return the provider's verification result
     * @throws Exception for an unsupported algorithm name or a provider failure
     */
    private boolean verifySignatureBySdf(PublicKey publicKey, String str, SdfCryptoType sdfCryptoType, String str2, String str3) throws Exception {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("通过 {} 进行验签", sdfCryptoType.name());
        }
        String base64String = Base64.toBase64String(str2.getBytes());
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SM3_WITH_SM2.getSigAlgName())) {
            return GMSSLSM2SignUtils.verifyBySdf(sdfCryptoType, publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA1_WITH_RSA.getSigAlgName()) || str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_RSA.getSigAlgName())) {
            return GMSSLRSASignUtils.verifyByYunHsm(str, publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_ECDSA.getSigAlgName())) {
            return GMSSLECSignUtils.verifyByYunHsm(publicKey, base64String, str3, str);
        }
        this.logger.error("暂未未找到 {} 类型验签方式", str);
        throw new Exception(String.format("can't get verify sign with %s type", str));
    }

    /**
     * Single-key verification with BC, dispatched on the algorithm name in the
     * same way as {@link #verifySignatureBySdf(PublicKey, String, SdfCryptoType, String, String)}.
     * The ECDSA branch decodes both Base64 values to raw bytes for
     * {@code GMSSLBCSignUtils.verifySignature}; the SM2 and RSA branches pass
     * the Base64 strings through. Any other name is logged and rejected.
     *
     * <p>The plaintext is converted with the platform default charset before
     * Base64 encoding. NOTE(review): SHA1withRSA signatures are accepted here.
     *
     * @param publicKey key to verify with
     * @param str       signature algorithm name
     * @param str2      plaintext that was signed
     * @param str3      Base64 signature
     * @return the provider's verification result
     * @throws Exception for an unsupported algorithm name or a provider failure
     */
    private boolean verifySignatureByBC(PublicKey publicKey, String str, String str2, String str3) throws Exception {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("通过BC进行验签");
        }
        String base64String = Base64.toBase64String(str2.getBytes());
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SM3_WITH_SM2.getSigAlgName())) {
            return GMSSLSM2SignUtils.verifyByBC(publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA1_WITH_RSA.getSigAlgName()) || str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_RSA.getSigAlgName())) {
            return GMSSLRSASignUtils.verifyByBC(str, publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_ECDSA.getSigAlgName())) {
            return GMSSLBCSignUtils.verifySignature(str, publicKey, GMSSLByteArrayUtils.base64Decode(base64String), GMSSLByteArrayUtils.base64Decode(str3));
        }
        this.logger.error("暂未未找到 {} 类型验签方式", str);
        throw new Exception(String.format("can't get verify sign with %s type", str));
    }
}
