package com.xdja.pki.ocsp.certmanager.web.api;

import com.xdja.pki.asn1.issue.CertStatus;
import com.xdja.pki.gmssl.core.utils.GMSSLBCSignUtils;
import com.xdja.pki.gmssl.core.utils.GMSSLByteArrayUtils;
import com.xdja.pki.gmssl.crypto.sdf.SdfCryptoType;
import com.xdja.pki.gmssl.crypto.utils.GMSSLECSignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLRSASignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2SignUtils;
import com.xdja.pki.gmssl.x509.utils.bean.GMSSLSignatureAlgorithm;
import com.xdja.pki.issue.PkixIssueReq;
import com.xdja.pki.issue.PkixIssueResp;
import com.xdja.pki.issue.PkixIssueRespBuilder;
import com.xdja.pki.issue.TBSIssueResponseStatus;
import com.xdja.pki.issue.TBSIssueType;
import com.xdja.pki.ocsp.certmanager.service.certstatus.UpdateCertStatusService;
import com.xdja.pki.ocsp.certmanager.service.model.BaseIssueModel;
import com.xdja.pki.ocsp.certmanager.service.model.CertId;
import com.xdja.pki.ocsp.certmanager.service.model.CertModel;
import com.xdja.pki.ocsp.certmanager.service.model.CertStatusModel;
import com.xdja.pki.ocsp.core.Constants;
import com.xdja.pki.ocsp.core.common.ErrorEnum;
import com.xdja.pki.ocsp.core.ocsp.util.CalcIssuerIdHashUtil;
import com.xdja.pki.ocsp.hsm.crypt.manager.PkixIssueRespBuilderManager;
import com.xdja.pki.ocsp.hsm.crypt.manager.SignAndVerifyManager;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.bouncycastle.asn1.ocsp.CertID;
import org.bouncycastle.util.Strings;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

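@RestController
/* loaded from: input_file:WEB-INF/classes/com/xdja/pki/ocsp/certmanager/web/api/CertStatusSyncController.class */
/**
 * HTTP endpoint that accepts signed PKIX-issue messages carrying certificate status
 * updates (or a new root certificate) and stores them through
 * {@link UpdateCertStatusService}; it also exposes a small signature-based
 * connectivity test.
 *
 * <p>Thread-safety: this controller is a Spring singleton, yet both request handlers
 * write per-request values into static fields of {@link Constants}
 * ({@code CRYPT_DEVICE_TYPE}, {@code ISSUERCERT}, {@code OCSP_SIGN_CERT},
 * {@code PRIVATE_KEY_INDEX}, {@code PRIVATE_KEY_PASSWORD}, {@code SIGN_CERT_KEYPAIR}).
 * Concurrent requests for different {@code keyStr} values can therefore overwrite each
 * other's signer configuration. NOTE(review): removing that global state requires the
 * manager classes to take the context as a parameter; it is documented here, not fixed.
 */
public class CertStatusSyncController {
    /** Provider name used when the caller asks for the cloud HSM (YUNHSM) device. */
    private static final String PROVIDER_YUNHSM = "YUNHSM";
    /** Slot of the issuer-certificate list inside a {@code Constants.CA_TO_OCSP_MAP} entry. */
    private static final int CTX_ISSUER_CERTS = 0;
    /** Slot of the OCSP signing certificate inside a {@code Constants.CA_TO_OCSP_MAP} entry. */
    private static final int CTX_OCSP_SIGN_CERT = 1;
    /** Slot of the signing key: a {@code String[]{index, password}} for YUNHSM, a {@link KeyPair} otherwise. */
    private static final int CTX_SIGN_KEY = 2;

    private final Logger logger = LoggerFactory.getLogger(CertStatusSyncController.class);

    @Autowired
    private SignAndVerifyManager signAndVerifyManager;

    @Autowired
    private PkixIssueRespBuilderManager pkixIssueRespBuilderManager;

    @Autowired
    private UpdateCertStatusService updateCertStatusService;

    /**
     * Processes one certificate-status synchronisation message.
     *
     * <p>Flow: decode the request, resolve the CA context by the {@code keyStr} query
     * parameter, publish that context into {@link Constants}, verify the request
     * signature against the issuer certificates, then apply either the certificate
     * status list or the root-certificate list through the service and answer with a
     * signed response whose status is {@code Normal} when the service returned 0.
     *
     * @param bArr               DER-encoded {@link PkixIssueReq}
     * @param httpServletRequest carries the {@code signAlgName}, {@code sdfCryptoType}
     *                           and {@code keyStr} query parameters
     * @return the encoded {@link PkixIssueResp}, or {@code null} when the request cannot
     *         be decoded, the {@code keyStr} is unknown, or an unexpected error occurs
     *         (all of which are logged). A failed signature check, an unsupported issue
     *         type or an unparsable body yield an {@code Error} response instead.
     */
    @RequestMapping(value = {"/certStatusSync"}, method = {RequestMethod.POST}, produces = {"application/pkixissue"}, consumes = {"application/pkixissue"})
    public byte[] certStatusSync(@RequestBody byte[] bArr, HttpServletRequest httpServletRequest) {
        String providerName = selectProvider(httpServletRequest);
        String caKey = httpServletRequest.getParameter("keyStr");
        this.logger.debug("收到证书状态同步请求[{}]", Base64.toBase64String(bArr));

        PkixIssueReq pkixIssueReq;
        try {
            pkixIssueReq = new PkixIssueReq(bArr);
        } catch (IOException e) {
            this.logger.error("pkixIssueReq转换错误，", e);
            return null;
        }

        try {
            List<Object> caContext = lookupCaContext(caKey);
            if (caContext == null) {
                // Previously an NPE escaped here; reject explicitly without echoing the key.
                this.logger.error("certStatusSync: no CA context registered for the supplied keyStr, request rejected");
                return null;
            }
            List<X509Certificate> issuerCerts = publishCaContext(caContext, providerName);
            // Created before the signature check so that the Error response sent on a bad
            // signature can actually be built (a null builder cannot produce one).
            PkixIssueRespBuilder respBuilder =
                    this.pkixIssueRespBuilderManager.builderPkixIssueRespBuilder(caContext, providerName);

            if (!this.signAndVerifyManager.verifyPkixIssueSign(issuerCerts, pkixIssueReq, providerName)) {
                this.logger.error("pkixIssueReq 验签失败");
                return encode(pkixIssueRespBuild(pkixIssueReq, TBSIssueResponseStatus.Error, respBuilder, caContext));
            }

            TBSIssueType issueType;
            List<?> payload;
            try {
                issueType = pkixIssueReq.getTBSIssueType();
                if (TBSIssueType.SEND_CERTIFICATE_STATUS.equals(issueType)) {
                    payload = pkixIssueReq.getCertStatusList();
                } else if (TBSIssueType.UPDATE_ROOT_CERTIFICATE.equals(issueType)) {
                    payload = pkixIssueReq.getCertificateList();
                } else {
                    // Also covers a null issue type, which used to NPE further down.
                    this.logger.error("IssueType 类型不匹配[{}]", issueType);
                    return encode(pkixIssueRespBuild(pkixIssueReq, TBSIssueResponseStatus.Error, respBuilder, caContext));
                }
            } catch (Exception e) {
                this.logger.error("PkixIssueReq 解析错误", e);
                return encode(pkixIssueRespBuild(pkixIssueReq, TBSIssueResponseStatus.Error, respBuilder, caContext));
            }

            boolean updated = this.updateCertStatusService.updateCertStatus(
                    issueType.getType(), buildBaseIssueModel(issueType, payload)) == 0;
            TBSIssueResponseStatus status = updated ? TBSIssueResponseStatus.Normal : TBSIssueResponseStatus.Error;
            return encode(pkixIssueRespBuild(pkixIssueReq, status, respBuilder, caContext));
        } catch (Exception e) {
            this.logger.error("pkixIssueReq 验签异常，", e);
            return null;
        }
    }

    /**
     * Chooses the crypto provider for this request and records it in
     * {@code Constants.CRYPT_DEVICE_TYPE} (1 = YUNHSM, 2 = software provider).
     *
     * <p>YUNHSM is selected only when {@code signAlgName} mentions SM2 and
     * {@code sdfCryptoType} equals {@code YUNHSM} (case-insensitive); a missing
     * {@code signAlgName} now falls back to the software provider instead of throwing.
     *
     * @return {@code "YUNHSM"} or {@link Constants#PROVIDER}
     */
    private static String selectProvider(HttpServletRequest request) {
        String signAlgName = request.getParameter("signAlgName");
        String sdfCryptoType = request.getParameter("sdfCryptoType");
        boolean useYunHsm = signAlgName != null
                && signAlgName.contains("SM2")
                && PROVIDER_YUNHSM.equalsIgnoreCase(sdfCryptoType);
        if (useYunHsm) {
            Constants.CRYPT_DEVICE_TYPE = 1;
            return PROVIDER_YUNHSM;
        }
        Constants.CRYPT_DEVICE_TYPE = 2;
        return Constants.PROVIDER;
    }

    /**
     * Looks up the per-CA context registered under {@code caKey}.
     *
     * @return the context list, or {@code null} when the key is absent or {@code null}
     */
    @SuppressWarnings("unchecked") // the map stores untyped lists; callers read fixed slots
    private static List<Object> lookupCaContext(String caKey) {
        if (caKey == null) {
            return null;
        }
        return (List<Object>) Constants.CA_TO_OCSP_MAP.get(caKey);
    }

    /**
     * Copies the CA context into the static {@link Constants} fields read by the HSM
     * and signing managers, and returns the issuer certificates used for verification.
     *
     * @throws NumberFormatException if the YUNHSM key index is not an integer
     */
    @SuppressWarnings("unchecked") // slot 0 is the issuer certificate list
    private static List<X509Certificate> publishCaContext(List<Object> caContext, String providerName) {
        List<X509Certificate> issuerCerts = (List<X509Certificate>) caContext.get(CTX_ISSUER_CERTS);
        Constants.ISSUERCERT = issuerCerts;
        Constants.OCSP_SIGN_CERT = (X509Certificate) caContext.get(CTX_OCSP_SIGN_CERT);
        if (PROVIDER_YUNHSM.equalsIgnoreCase(providerName)) {
            String[] keyRef = (String[]) caContext.get(CTX_SIGN_KEY);
            Constants.PRIVATE_KEY_INDEX = Integer.parseInt(keyRef[0]);
            Constants.PRIVATE_KEY_PASSWORD = keyRef[1];
        } else {
            Constants.SIGN_CERT_KEYPAIR = (KeyPair) caContext.get(CTX_SIGN_KEY);
        }
        return issuerCerts;
    }

    /**
     * DER-encodes a response, mapping a {@code null} response (build failure, already
     * logged by {@link #pkixIssueRespBuild}) and an encoding failure to {@code null}.
     */
    private byte[] encode(PkixIssueResp resp) {
        if (resp == null) {
            return null;
        }
        try {
            return resp.getEncoded();
        } catch (IOException e) {
            this.logger.error("PkixIssueResp 解码错误", e);
            return null;
        }
    }

    /**
     * Converts the request payload into service models.
     *
     * @param tBSIssueType decides whether {@code list} holds {@link CertStatus} or
     *                     {@link X509Certificate} entries
     * @param list         raw payload from the request
     * @return the models, an empty list for an unrecognised issue type, or
     *         {@code null} when {@code list} is {@code null} or empty (kept as-is
     *         because the service's handling of {@code null} is not visible here)
     */
    private List<BaseIssueModel> buildBaseIssueModel(TBSIssueType tBSIssueType, List<?> list) {
        if (list == null || list.isEmpty()) {
            return null;
        }
        List<BaseIssueModel> models = new ArrayList<BaseIssueModel>(list.size());
        if (TBSIssueType.SEND_CERTIFICATE_STATUS.equals(tBSIssueType)) {
            for (Object item : list) {
                models.add(toCertStatusModel((CertStatus) item));
            }
        } else if (TBSIssueType.UPDATE_ROOT_CERTIFICATE.equals(tBSIssueType)) {
            for (Object item : list) {
                CertModel certModel = new CertModel();
                certModel.setCertificate((X509Certificate) item);
                models.add(certModel);
            }
        }
        return models;
    }

    /**
     * Maps one ASN.1 {@link CertStatus} to a {@link CertStatusModel}. Date fields that
     * fail to parse are logged and left unset; the status codes are still copied.
     */
    private CertStatusModel toCertStatusModel(CertStatus certStatus) {
        CertStatusModel model = new CertStatusModel();
        model.setCertId(getCertId(certStatus.getCertId()));
        try {
            model.setBeforTime(certStatus.getBeforeTime().getDate());
            model.setEndTime(certStatus.getEndTime().getDate());
            model.setStatusTime(certStatus.getStatusTime().getDate());
        } catch (ParseException e) {
            this.logger.error("时间格式转换错误，", e);
        }
        model.setCertStatus(certStatus.getStatus().getValue().intValue());
        model.setStatusReasonCode(certStatus.getStatusReasonRode().getValue().intValue());
        return model;
    }

    /**
     * Builds the service-side {@link CertId} from an OCSP {@link CertID}: hash algorithm
     * OID, lower-case hex issuer name/key hashes, the derived issuer id hash and the
     * serial number in hex.
     *
     * @return {@code null} when {@code certID} is {@code null}
     */
    private CertId getCertId(CertID certID) {
        if (certID == null) {
            return null;
        }
        CertId certId = new CertId();
        certId.setHashAlogorithm(certID.getHashAlgorithm().getAlgorithm().getId());
        String issuerNameHash = Hex.toHexString(certID.getIssuerNameHash().getOctets());
        String issuerKeyHash = Hex.toHexString(certID.getIssuerKeyHash().getOctets());
        certId.setIssuerNameHash(issuerNameHash);
        certId.setIssuerPubkeyHash(issuerKeyHash);
        certId.setIssuerIdHash(CalcIssuerIdHashUtil.calcIssuerIdHash(
                certID.getHashAlgorithm().getAlgorithm(), issuerNameHash, issuerKeyHash));
        certId.setCertSn(certID.getSerialNumber().getValue().toString(16));
        return certId;
    }

    /**
     * Builds a response signed with the globally published {@code Constants.OCSP_SIGN_CERT}.
     * Not called from this class; retained for callers elsewhere.
     *
     * @return the response, or {@code null} if the builder throws (logged)
     */
    private PkixIssueResp pkixIssueRespBuild(PkixIssueReq pkixIssueReq, TBSIssueResponseStatus tBSIssueResponseStatus, PkixIssueRespBuilder pkixIssueRespBuilder) {
        try {
            return pkixIssueRespBuilder.build(pkixIssueReq, tBSIssueResponseStatus, Constants.OCSP_SIGN_CERT.getSigAlgName());
        } catch (Exception e) {
            this.logger.error("pkixissueResp 构造错误，", e);
            return null;
        }
    }

    /**
     * Builds a response signed with the OCSP signing certificate from the given CA context.
     *
     * @return the response, or {@code null} if the builder throws (logged)
     */
    private PkixIssueResp pkixIssueRespBuild(PkixIssueReq pkixIssueReq, TBSIssueResponseStatus tBSIssueResponseStatus, PkixIssueRespBuilder pkixIssueRespBuilder, List<Object> list) {
        try {
            return pkixIssueRespBuilder.build(pkixIssueReq, tBSIssueResponseStatus, (X509Certificate) list.get(CTX_OCSP_SIGN_CERT));
        } catch (Exception e) {
            this.logger.error("pkixissueResp 构造错误，", e);
            return null;
        }
    }

    /**
     * Connectivity test: verifies that {@code str} is a valid signature over the
     * literal text {@code "OCSP"} made by one of the issuer certificates registered
     * under {@code str3}.
     *
     * @param str  base64 signature; '+' characters turned into spaces by form decoding
     *             are restored before verification
     * @param str2 provider name; {@link Constants#PROVIDER} selects BC, anything else the HSM
     * @param str3 {@code keyStr} of the CA context
     * @return {@code null} on success, otherwise an {@link ErrorEnum} response
     */
    @RequestMapping(value = {"/test"}, method = {RequestMethod.GET})
    public Object caConnectLDAPTest(@RequestParam String str, String str2, String str3, HttpServletResponse httpServletResponse) {
        try {
            List<Object> caContext = lookupCaContext(str3);
            if (caContext == null) {
                // Same outcome as before (internal error), but logged explicitly instead of via NPE.
                this.logger.error("caConnectLDAPTest: no CA context registered for the supplied keyStr");
                return ErrorEnum.OCSP_INTERNAL_EXCEPTION.resp(httpServletResponse);
            }
            @SuppressWarnings("unchecked")
            List<X509Certificate> issuerCerts = (List<X509Certificate>) caContext.get(CTX_ISSUER_CERTS);
            if (!verifyTestSign(str.replace(" ", "+"), str2, issuerCerts)) {
                this.logger.error("测试OCSP连通验签失败");
                return ErrorEnum.SIGN_VERIFY_FAIL.resp(httpServletResponse);
            }
            this.logger.info("测试OCSP连通验签通过");
            this.logger.info("测试OCSP连通性通过");
            return null;
        } catch (Exception e) {
            this.logger.error("测试OCSP连通出现异常", e);
            return ErrorEnum.OCSP_INTERNAL_EXCEPTION.resp(httpServletResponse);
        }
    }

    /**
     * Dispatches the test-signature check to BC or the HSM depending on {@code str2}.
     * The signature algorithm for BC is taken from the first issuer certificate.
     */
    private boolean verifyTestSign(String str, String str2, List<X509Certificate> list) throws Exception {
        String sigAlgName = list.get(0).getSigAlgName();
        if (Constants.PROVIDER.equalsIgnoreCase(str2)) {
            this.logger.debug("使用BC进行验签");
            return verifySignatureByBC(list, sigAlgName, "OCSP", str);
        }
        this.logger.debug("使用HSM进行验签");
        return verifySignatureBySdf(list, SdfCryptoType.YUNHSM, "OCSP", str);
    }

    /**
     * Returns {@code true} if any certificate's public key verifies {@code str3} over
     * {@code str2} with algorithm {@code str} using BouncyCastle.
     *
     * @throws Exception if {@code str} is not a supported algorithm or verification fails internally
     */
    public boolean verifySignatureByBC(List<X509Certificate> list, String str, String str2, String str3) throws Exception {
        for (X509Certificate cert : list) {
            if (verifySignatureByBC(cert.getPublicKey(), str, str2, str3)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} if any certificate's public key verifies {@code str2} over
     * {@code str} through the SDF device, using each certificate's own signature algorithm.
     *
     * @throws Exception if a certificate's algorithm is unsupported or verification fails internally
     */
    public boolean verifySignatureBySdf(List<X509Certificate> list, SdfCryptoType sdfCryptoType, String str, String str2) throws Exception {
        for (X509Certificate cert : list) {
            if (verifySignatureBySdf(cert.getPublicKey(), cert.getSigAlgName(), sdfCryptoType, str, str2)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies {@code str3} (signature) over {@code str2} (plaintext, passed to the
     * utilities base64-encoded) with the SDF device.
     *
     * @param str signature algorithm name; SM3withSM2, SHA1/SHA256withRSA and SHA256withECDSA are supported
     * @throws IllegalArgumentException for any other algorithm name
     */
    private boolean verifySignatureBySdf(PublicKey publicKey, String str, SdfCryptoType sdfCryptoType, String str2, String str3) throws Exception {
        this.logger.debug("通过" + sdfCryptoType.name() + "进行验签");
        // Explicit charset: the plaintext bytes must not depend on the platform default.
        String base64String = Base64.toBase64String(str2.getBytes(StandardCharsets.UTF_8));
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SM3_WITH_SM2.getSigAlgName())) {
            return GMSSLSM2SignUtils.verifyBySdf(sdfCryptoType, publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA1_WITH_RSA.getSigAlgName())
                || str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_RSA.getSigAlgName())) {
            return GMSSLRSASignUtils.verifyByYunHsm(str, publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_ECDSA.getSigAlgName())) {
            return GMSSLECSignUtils.verifyByYunHsm(publicKey, base64String, str3, str);
        }
        this.logger.error("暂未未找到" + str + "类型验签方式");
        throw new IllegalArgumentException("can't get verify sign with " + str + " type");
    }

    /**
     * Verifies {@code str3} (signature) over {@code str2} (plaintext) with BouncyCastle.
     *
     * @param str signature algorithm name; SM3withSM2, SHA1/SHA256withRSA and SHA256withECDSA are supported
     * @throws IllegalArgumentException for any other algorithm name
     */
    private boolean verifySignatureByBC(PublicKey publicKey, String str, String str2, String str3) throws Exception {
        this.logger.debug("通过BC进行验签");
        // Explicit charset: the plaintext bytes must not depend on the platform default.
        String base64String = Base64.toBase64String(str2.getBytes(StandardCharsets.UTF_8));
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SM3_WITH_SM2.getSigAlgName())) {
            return GMSSLSM2SignUtils.verifyByBC(publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA1_WITH_RSA.getSigAlgName())
                || str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_RSA.getSigAlgName())) {
            return GMSSLRSASignUtils.verifyByBC(str, publicKey, base64String, str3);
        }
        if (str.equalsIgnoreCase(GMSSLSignatureAlgorithm.SHA256_WITH_ECDSA.getSigAlgName())) {
            return GMSSLBCSignUtils.verifySignature(str, publicKey,
                    GMSSLByteArrayUtils.base64Decode(base64String), GMSSLByteArrayUtils.base64Decode(str3));
        }
        this.logger.error("暂未未找到" + str + "类型验签方式");
        throw new IllegalArgumentException("can't get verify sign with " + str + " type");
    }
}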
