package com.xdja.pki.ra.openapi.tbox.cmp.handler;

import com.xdja.ca.cache.RedisClient;
import com.xdja.ca.service.CaSdkRedisCacheManagerService;
import com.xdja.ca.service.impl.CaSdkRedisCacheManagerServiceImpl;
import com.xdja.ca.utils.DnUtil;
import com.xdja.ca.vo.UserCertInfo;
import com.xdja.pki.ra.core.common.Result;
import com.xdja.pki.ra.core.commonenum.ErrorEnum;
import com.xdja.pki.ra.core.constant.Constants;
import com.xdja.pki.ra.core.util.cert.PKICertHelper;
import com.xdja.pki.ra.core.util.json.JsonUtils;
import com.xdja.pki.ra.manager.dao.DeviceKeyDao;
import com.xdja.pki.ra.manager.dao.model.DeviceKeyDO;
import com.xdja.pki.ra.manager.dto.IssueApplyDTO;
import com.xdja.pki.ra.openapi.core.BaseCMPInfo;
import com.xdja.pki.ra.openapi.core.common.CmpRespCertType;
import com.xdja.pki.ra.openapi.core.common.PKIMessageException;
import com.xdja.pki.ra.openapi.core.handler.ICmpMessageHandler;
import com.xdja.pki.ra.openapi.core.helper.PKIMessageHelper;
import com.xdja.pki.ra.service.manager.cache.RedisCacheManagerService;
import com.xdja.pki.ra.service.manager.certapply.CertApplyService;
import com.xdja.pki.ra.service.manager.tbox.TboxDeviceService;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Locale;
import javax.naming.NamingException;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.crmf.CertReqMessages;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;
import redis.clients.jedis.Jedis;
import redis.clients.util.Pool;

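/**
 * CMP handler for T-Box device certificate issuance requests.
 *
 * <p>Accepts a protected {@link PKIMessage} whose body is an {@code ir} (tag 0) or {@code cr} (tag 2)
 * carrying at least one {@link CertReqMsg}. The request is authenticated against the pre-shared key
 * registered for the {@code senderKID} device, and the sender name must equal that device's number.
 * Authentication (header + protection check) now happens before any transaction-cache lookup or body
 * interpretation, so an unauthenticated peer only ever learns "shared key unknown", "device mismatch" or
 * "protection invalid". Business failures are answered with a CMP error response through
 * {@link Result#setInfo}; only a structurally unusable message surfaces as {@link PKIMessageException}.
 *
 * <p>NOTE(review): {@code handleMessage} is {@code @Transactional}, but every business failure returns
 * normally, so writes made before a later failure (the apply record created before the CA call) are
 * presumably committed — confirm that this is the intended behaviour.
 */
@Component("cmpIssuerCertReqHandler")
/* loaded from: input_file:WEB-INF/lib/ra-openapi-tbox-2.0.0-SNAPSHOT.jar:com/xdja/pki/ra/openapi/tbox/cmp/handler/CmpIssuerCertReqHandler.class */
public class CmpIssuerCertReqHandler implements ICmpMessageHandler {
    private final Logger logger = LoggerFactory.getLogger(getClass());

    // Issues the certificate via the CA and resolves the RA base DN.
    @Autowired
    CertApplyService certApplyService;

    // Records the issuance apply for the T-Box device.
    @Autowired
    TboxDeviceService tboxDeviceService;

    // Looks up the device's pre-shared key by senderKID.
    @Autowired
    DeviceKeyDao deviceKeyDao;

    // Caches transactionID -> applyNo for the T-Box flow.
    @Autowired
    RedisCacheManagerService redisCacheManagerService;

    @Autowired
    private Pool<Jedis> jedisPool;
    // Built in init(); holds the CA-SDK side CMP info keyed by transactionID.
    private CaSdkRedisCacheManagerService caSdkRedisCacheManagerService;

    /**
     * Method-injection point for the transaction-id cache expiry; Spring calls it once with the value of
     * {@code transId.cache.expireTime}. Relies on {@link #jedisPool} having been field-injected first.
     *
     * @param i cache expiry passed through to the CA-SDK redis cache manager (unit not visible here)
     */
    @Value("${transId.cache.expireTime}")
    private void init(int i) {
        this.caSdkRedisCacheManagerService = new CaSdkRedisCacheManagerServiceImpl(new RedisClient(this.jedisPool), i);
    }

    /**
     * Handles one issuance request message and produces the CMP response.
     *
     * <p>Steps (numbered like the log lines): parse message and header; require recipNonce, senderNonce,
     * protectionAlg, protection, transactionID and senderKID; resolve the device shared key and check the
     * sender name against it; verify header and protection with that key; validate the body and read the
     * first CertReqId; resolve the cached transaction; build the subject DN under the RA base DN; extract
     * the public key and check proof-of-possession; record the apply, call the CA and wrap the returned
     * certificate(s) into a {@code cp} (tag 3) response echoing the request's nonces and transaction id.
     *
     * @param pKIMessage the incoming CMP request
     * @param z          not used by this handler (kept for the {@link ICmpMessageHandler} contract)
     * @return a {@link Result} whose info is the response {@link PKIMessage}; on a DN error the result
     *         carries {@link ErrorEnum#CERT_APPLY_DN_IS_ERROR} instead
     * @throws PKIMessageException if the message, header, mandatory header fields or certificate request
     *                             are missing, or an unexpected exception escapes processing
     */
    @Override
    @Transactional
    public Result handleMessage(PKIMessage pKIMessage, boolean z) throws PKIMessageException {
        this.logger.info("RA签发申请处理 ========== 【开始】");
        Result result = new Result();
        this.logger.info("RA签发申请处理 ========== 1. 获取PkiMessage消息结构");
        PKIMessage message = PKIMessage.getInstance(pKIMessage);
        if (message == null) {
            this.logger.info("RA签发申请处理 ========== No pkiMessage response message.");
            throw new PKIMessageException("RA签发申请处理 ========== No pkiMessage response message.");
        }
        this.logger.info("RA签发申请处理 ========== 2. 获取PkiMessage消息头PKIHeader");
        PKIHeader header = message.getHeader();
        if (header == null) {
            this.logger.info("RA签发申请处理 ========== No header in response message.");
            throw new PKIMessageException("RA签发申请处理 ========== No header in response message.");
        }
        GeneralName sender = GeneralName.getInstance(header.getSender());
        GeneralName recipient = header.getRecipient();
        try {
            // Header fields echoed back in every response; all of them are mandatory for this flow.
            byte[] recipNonce = header.getRecipNonce() == null ? null : header.getRecipNonce().getOctets();
            byte[] senderNonce = header.getSenderNonce() == null ? null : header.getSenderNonce().getOctets();
            // Explicit charset: these strings are DB / cache lookup keys, and the platform default varies
            // between deployments.
            String transId = header.getTransactionID() == null
                    ? null : new String(header.getTransactionID().getOctets(), StandardCharsets.UTF_8);
            String senderKid = header.getSenderKID() == null
                    ? null : new String(header.getSenderKID().getOctets(), StandardCharsets.UTF_8);
            AlgorithmIdentifier protectionAlg = header.getProtectionAlg();
            DERBitString protection = message.getProtection();
            if (recipNonce == null || senderNonce == null || protectionAlg == null || protection == null
                    || StringUtils.isAnyBlank(transId, senderKid)) {
                this.logger.info("RA签发申请处理 ========== 签发接口中必填项有空值");
                throw new PKIMessageException("RA签发申请处理 ========== 签发接口中必填项有空值");
            }
            byte[] protectedBytes = PKIMessageHelper.getProtectedBytes(pKIMessage);

            // senderKID names the device's pre-shared key; the sender name must be that very device.
            DeviceKeyDO deviceSharedKey = this.deviceKeyDao.getDeviceSharedKey(senderKid);
            if (deviceSharedKey == null) {
                this.logger.info("RA签发申请处理 ========== 未获取到相应的共享密钥id内容：{}", senderKid);
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(-1L, ErrorEnum.CANNOT_GET_SHARED_KEY_INFO.code, ErrorEnum.CANNOT_GET_SHARED_KEY_INFO.desc)));
                return result;
            }
            String deviceNo = sender.getName().toString();
            if (!deviceNo.equals(deviceSharedKey.getDeviceNo())) {
                this.logger.info("RA签发申请处理 ==========共享秘钥对应的设备编号为：[{}] sender中的deviceNo为：[{}]", deviceSharedKey.getDeviceNo(), deviceNo);
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(-1L, ErrorEnum.TBOX_DEVICE_NO_IS_NOT_MATCH.code, ErrorEnum.TBOX_DEVICE_NO_IS_NOT_MATCH.desc)));
                return result;
            }
            // NOTE(review): assumes the stored shared key is ASCII/UTF-8 text — confirm this matches the
            // device-side key material before relying on it.
            byte[] sharedKey = deviceSharedKey.getSharedKey().getBytes(StandardCharsets.UTF_8);

            // Authenticate the message before consulting any transaction state or interpreting the body.
            this.logger.info("RA签发申请处理 ========== 3. 验证cmp消息的header和签名的正确性");
            Result checkCmpHeaderAndSign = PKIMessageHelper.checkCmpHeaderAndSign(null, header, protection.getBytes(), protectedBytes, protectionAlg, sharedKey);
            if (!checkCmpHeaderAndSign.isSuccess()) {
                this.logger.info("RA签发申请处理 ========== 验证cmp消息的header和签名错误 原因：{}", JsonUtils.object2Json(checkCmpHeaderAndSign));
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(-1L, checkCmpHeaderAndSign.getError().code, checkCmpHeaderAndSign.getError().desc)));
                return result;
            }

            // Body validation precedes reading the CertReqId. Previously the body was dereferenced first,
            // so a missing body became a generic exception and this error path was unreachable; the
            // request id is not known yet here, hence -1.
            PKIBody body = message.getBody();
            if (body == null) {
                this.logger.info("RA签发申请处理 ========== 没有对应的PKI消息体");
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(-1L, ErrorEnum.NO_PKI_BODY_FOR_RECEIVED.code, ErrorEnum.NO_PKI_BODY_FOR_RECEIVED.desc)));
                return result;
            }
            if (body.getType() != PKIBody.TYPE_INIT_REQ && body.getType() != PKIBody.TYPE_CERT_REQ) {
                this.logger.info("RA签发申请处理 ========== PKI消息体的类型不是0或2");
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(-1L, ErrorEnum.ISSUE_CERT_PKI_BODY_TAG_NOT_0_OR_2.code, ErrorEnum.ISSUE_CERT_PKI_BODY_TAG_NOT_0_OR_2.desc)));
                return result;
            }
            CertReqMsg[] certReqMsgs = CertReqMessages.getInstance(body.getContent()).toCertReqMsgArray();
            if (certReqMsgs == null || certReqMsgs.length == 0) {
                this.logger.info("RA签发申请处理 ========== PKI消息体中没有证书请求");
                throw new PKIMessageException("RA签发申请处理 ========== PKI消息体中没有证书请求");
            }
            // Only the first request is serviced; further CertReqMsg entries are ignored.
            CertReqMsg certReqMsg = certReqMsgs[0];
            long certReqId = certReqMsg.getCertReq().getCertReqId().getValue().longValue();

            String caSdkCmpInfo = this.caSdkRedisCacheManagerService.getCaSdkCmpInfo(transId);
            if (this.logger.isDebugEnabled()) {
                // NOTE(review): dumps the cached CMP info verbatim; check it holds no key material.
                this.logger.debug("CASDK get transId:[{}] baseCMPInfo:[{}]", transId, caSdkCmpInfo);
            }
            BaseCMPInfo baseCMPInfo = (BaseCMPInfo) JsonUtils.json2Object(caSdkCmpInfo, BaseCMPInfo.class);
            if (baseCMPInfo == null) {
                this.logger.info("RA签发申请处理 ========== 不存在对应的事务ID tranId:{}", transId);
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.CMP_TRAN_ID_IS_NOT_EXIST.code, ErrorEnum.CMP_TRAN_ID_IS_NOT_EXIST.desc)));
                return result;
            }
            // Populated for parity with the original flow; nothing below reads baseCMPInfo again.
            baseCMPInfo.setRequestId(certReqId);
            baseCMPInfo.setSharedKey(sharedKey);

            CertTemplate certTemplate = certReqMsg.getCertReq().getCertTemplate();
            Result raBaseDn = this.certApplyService.getRaBaseDn();
            if (!raBaseDn.isSuccess()) {
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(certReqId, raBaseDn.getErrorBean().getErrCode(), raBaseDn.getErrorBean().getErrMsg())));
                return result;
            }
            String baseDn = (String) raBaseDn.getInfo();
            this.logger.info("RA签发申请处理 ========== 在线获取RA的BaseDN为：{}", baseDn);
            X500Name userCertDn;
            try {
                userCertDn = resolveSubjectDn(deviceNo, baseDn, certTemplate);
            } catch (NamingException e) {
                this.logger.error("证书申请的DN错误", e);
                result.setError(ErrorEnum.CERT_APPLY_DN_IS_ERROR);
                return result;
            }
            this.logger.info("自定义拼装在线申请的设备用户DN ===== userCertDn:{}", userCertDn.toString());
            try {
                SubjectPublicKeyInfo publicKey = certTemplate.getPublicKey();
                if (publicKey == null) {
                    this.logger.info("RA签发申请处理 ========== PKI消息体中公钥信息为空");
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.GET_PKI_MESSAGE_PUBLIC_KEY_EMPTY.code, ErrorEnum.GET_PKI_MESSAGE_PUBLIC_KEY_EMPTY.desc)));
                    return result;
                }
                PublicKey requestedKey = PKICertHelper.getPublicKeyFromSubjectPublicKey(publicKey, "BC");
                // Proof-of-possession: the requester must demonstrate control of the private key.
                if (!PKIMessageHelper.checkReqPop(certReqMsg, requestedKey)) {
                    this.logger.info("RA签发申请处理 ========== 验证请求证书的私钥拥有证明未通过");
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.REQ_CERT_MESSAGE_POP_CHECK_FAIL.code, ErrorEnum.REQ_CERT_MESSAGE_POP_CHECK_FAIL.desc)));
                    return result;
                }
                Result insertIssueCertApply = this.tboxDeviceService.insertIssueCertApply(deviceNo, userCertDn.toString());
                if (!insertIssueCertApply.isSuccess()) {
                    this.logger.info("RA签发申请处理 ========== 发起签发申请失败:{}", JsonUtils.object2Json(insertIssueCertApply));
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, insertIssueCertApply.getError().code, insertIssueCertApply.getError().desc)));
                    return result;
                }
                IssueApplyDTO issueApplyDTO = (IssueApplyDTO) insertIssueCertApply.getInfo();
                String applyNo = issueApplyDTO.getApplyNo();
                this.logger.info("RA签发申请处理 ========== 申请编号为：{}", applyNo);
                this.redisCacheManagerService.cacheTboxTransId(transId, applyNo);
                this.logger.info("RA签发申请处理 ========== 4. 发起签发用户双证书请求");
                Result issueCert = this.certApplyService.issueCert(Constants.SYSTEM_FLAG_V2X, issueApplyDTO, requestedKey.getEncoded(), null);
                if (!issueCert.isSuccess()) {
                    this.logger.info("RA签发申请处理 ========== 4.1. 签发用户双证书请求错误:{}", JsonUtils.object2Json(issueCert));
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, issueCert.getErrorBean().errCode, issueCert.getErrorBean().getErrMsg())));
                    return result;
                }
                // NOTE(review): logs the entire CA response; for dual-cert patterns UserCertInfo presumably
                // carries the encrypted private key blob as well — consider logging identifiers only.
                this.logger.info("RA签发申请处理 ========== CA返回的证书签发请求的响应结果 >>>>>>> :{}", JsonUtils.object2Json(issueCert));
                if (issueCert.getInfo() == null) {
                    this.logger.info("RA签发申请处理 ========== 4.2. 签发用户证书暂无返回证书信息");
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.ISSUE_USER_CERT_NO_CERT_INFO.code, ErrorEnum.ISSUE_USER_CERT_NO_CERT_INFO.desc)));
                    return result;
                }
                UserCertInfo userCertInfo = (UserCertInfo) issueCert.getInfo();
                if (null == userCertInfo.getSignCert()) {
                    this.logger.info("RA签发申请处理 ========== 4.3. 用户证书或加密证书为空");
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.SIGN_CERT_OR_ENC_CERT_IS_EMPTY.code, ErrorEnum.SIGN_CERT_OR_ENC_CERT_IS_EMPTY.desc)));
                    return result;
                }
                // Pattern 1 = signing certificate only; anything else also needs the encryption certificate.
                // A null pattern is a data error and ends in the catch below, as before.
                Integer certPatterm = issueApplyDTO.getCertPatterm();
                boolean singleCert = 1 == certPatterm.intValue();
                if (!singleCert && null == userCertInfo.getEncCert()) {
                    this.logger.info("RA签发申请处理 ========== 4.3. 用户证书或加密证书为空");
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.SIGN_CERT_OR_ENC_CERT_IS_EMPTY.code, ErrorEnum.SIGN_CERT_OR_ENC_CERT_IS_EMPTY.desc)));
                    return result;
                }
                try {
                    CertResponse[] certResponses = buildCertResponses(certReqId, userCertInfo, singleCert);
                    if (certResponses == null) {
                        this.logger.info("RA签发申请处理 ========== 6.1. 封装CertResponse失败");
                        result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                                PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.MAKE_CERT_RESPONSE_ERROR.code, ErrorEnum.MAKE_CERT_RESPONSE_ERROR.desc)));
                        return result;
                    }
                    this.logger.info("RA签发申请处理 ========== 7. 封装CertRepMessage结构体");
                    CertRepMessage certRepMessage = new CertRepMessage((CMPCertificate[]) null, certResponses);
                    this.logger.info("RA签发申请处理 ========== 8. 封装PKIMessage结构体");
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            certRepMessage, null, userCertInfo.getExtraCertsP7b()));
                    this.logger.info("RA签发申请处理 ========== 【结束】");
                    return result;
                } catch (Exception e) {
                    this.logger.error("RA签发申请处理 ========== 封装CertResponse结构体异常", e);
                    result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                            PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.MAKE_CERT_RESPONSE_ERROR.code, ErrorEnum.MAKE_CERT_RESPONSE_ERROR.desc)));
                    return result;
                }
            } catch (Exception e2) {
                // Kept as in the original flow: any failure from key extraction through the CA call is
                // reported under the public-key error code.
                this.logger.error("RA签发申请处理 ========== PKI消息体中公钥信息获取异常", e2);
                result.setInfo(PKIMessageHelper.generatePKIMessage(sender, recipient, PKIBody.TYPE_CERT_REP, recipNonce, senderNonce, transId,
                        PKIMessageHelper.genFailCertResponse(certReqId, ErrorEnum.GET_PKI_MESSAGE_PUBLIC_KEY_EXCEPTION.code, ErrorEnum.GET_PKI_MESSAGE_PUBLIC_KEY_EXCEPTION.desc)));
                return result;
            }
        } catch (PKIMessageException e) {
            // Structural errors raised above keep their own message instead of being re-wrapped.
            throw e;
        } catch (Exception e4) {
            // Previously logged as "No header in response message." without the stack trace, which hid
            // the real cause.
            this.logger.error("RA签发申请处理 ========== 处理异常", e4);
            throw new PKIMessageException("RA签发申请处理 ========== 处理异常", e4);
        }
    }

    /**
     * Resolves the subject DN for the device certificate.
     *
     * <p>Default is {@code CN=<deviceNo>,<baseDn>}. When the template carries a subject it is used
     * verbatim if it already ends with the RA base DN (case-insensitive), otherwise the base DN is appended.
     *
     * <p>NOTE(review): a template-supplied subject is only constrained to sit under the RA base DN; it is
     * not checked against the authenticated {@code deviceNo}, so the CN is requester-controlled unless
     * {@code insertIssueCertApply} enforces it — confirm.
     *
     * @param deviceNo     authenticated device number (the CMP sender name)
     * @param baseDn       RA base DN obtained from {@code certApplyService}
     * @param certTemplate request template whose subject, if present, is honoured
     * @return the RFC 4519 normalised subject DN
     * @throws NamingException if a DN string cannot be parsed
     */
    private static X500Name resolveSubjectDn(String deviceNo, String baseDn, CertTemplate certTemplate) throws NamingException {
        // Parsed first, as the original flow did, so a bad base DN is always reported.
        X500Name userCertDn = DnUtil.getRFC4519X500Name("CN=" + deviceNo + "," + baseDn);
        X500Name requested = certTemplate.getSubject();
        if (requested == null) {
            return userCertDn;
        }
        String requestedDn = requested.toString();
        if (requestedDn.toUpperCase(Locale.ROOT).endsWith(baseDn.toUpperCase(Locale.ROOT))) {
            return requested;
        }
        return DnUtil.getRFC4519X500Name(requestedDn + "," + baseDn);
    }

    /**
     * Wraps the issued certificate(s) into CertResponse structures.
     *
     * <p>Unlike the original flow, a dual-cert pattern whose encryption response cannot be built is an
     * error rather than silently answered with the signing certificate alone.
     *
     * @param certReqId    request id echoed in each response
     * @param userCertInfo certificates returned by the CA
     * @param singleCert   true when only the signing certificate is to be returned
     * @return one response (signing) or two (signing, encryption); {@code null} if either could not be built
     */
    private CertResponse[] buildCertResponses(long certReqId, UserCertInfo userCertInfo, boolean singleCert) {
        this.logger.info("RA签发申请处理 ========== 5. 将证书封装签名CertResponse结构体");
        CertResponse signResponse = PKIMessageHelper.genCertResponse(certReqId, userCertInfo,
                CmpRespCertType.GEN_CERT_RESPONSE_SIGN_CERT_1.value, Constants.KEY_FORMAT_0010_1);
        if (signResponse == null) {
            return null;
        }
        if (singleCert) {
            return new CertResponse[]{signResponse};
        }
        this.logger.info("RA签发申请处理 ========== 6. 将证书封装加密CertResponse结构体");
        CertResponse encResponse = PKIMessageHelper.genCertResponse(certReqId, userCertInfo,
                CmpRespCertType.GEN_CERT_RESPONSE_ENC_CERT_AND_ENC_PRI_KEY_2.value, Constants.KEY_FORMAT_0010_1);
        if (encResponse == null) {
            return null;
        }
        return new CertResponse[]{signResponse, encResponse};
    }
}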
