package com.xdja.pki.ra.openapi.core.scep;

import com.xdja.ca.asn1.DigestObjectIdentifiers;
import com.xdja.pki.core.exception.UtilException;
import com.xdja.pki.gmssl.core.utils.GMSSLBCCipherUtils;
import com.xdja.pki.gmssl.core.utils.GMSSLByteArrayUtils;
import com.xdja.pki.gmssl.crypto.sdf.SdfSymmetricKeyParameters;
import com.xdja.pki.gmssl.crypto.utils.GMSSLAES128ECBEncryptUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLRSAEncryptUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2EncryptUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2SignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM4ECBEncryptUtils;
import com.xdja.pki.ra.core.asn1.NISTObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.RsaObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.SM2ObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.SymmetryObjectIdentifiers;
import com.xdja.pki.ra.core.common.CommonVariable;
import com.xdja.pki.ra.core.constant.Constants;
import com.xdja.pki.ra.core.pkcs7.SignedAndEnvelopedData;
import com.xdja.pki.ra.core.util.cert.CertUtils;
import com.xdja.pki.ra.core.util.cert.DnUtil;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.EncryptedContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.KeyTransRecipientInfo;
import org.bouncycastle.asn1.cms.RecipientIdentifier;
import org.bouncycastle.asn1.cms.RecipientInfo;
import org.bouncycastle.asn1.pkcs.ContentInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.SignedData;
import org.bouncycastle.asn1.pkcs.SignerInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.x509.X509CRLImpl;

/* loaded from: input_file:WEB-INF/lib/ra-openapi-core-2.0.0-SNAPSHOT.jar:com/xdja/pki/ra/openapi/core/scep/CertRepUtils.class */
public class CertRepUtils {
    private static Logger logger = LoggerFactory.getLogger((Class<?>) CertRepUtils.class);

    public static EnvelopedData createEnvelopedData(byte[] bArr, X509Certificate x509Certificate) throws Exception {
        SecretKey generateKey;
        AlgorithmIdentifier algorithmIdentifier;
        DEROctetString dEROctetString;
        PublicKey publicKey = x509Certificate.getPublicKey();
        logger.info("客户端公钥加密对称密钥====:{}", publicKey);
        if ("SM3withSm2".equalsIgnoreCase(x509Certificate.getSigAlgName())) {
            SecureRandom secureRandom = new SecureRandom();
            KeyGenerator keyGenerator = KeyGenerator.getInstance("SM4", (Provider) new BouncyCastleProvider());
            keyGenerator.init(secureRandom);
            generateKey = keyGenerator.generateKey();
            logger.info("服务端对称密钥明文:{}", Base64.toBase64String(generateKey.getEncoded()));
            algorithmIdentifier = new AlgorithmIdentifier(SM2ObjectIdentifiers.sm2256_encrypt);
            try {
                String encryptASN1ByBC = GMSSLSM2EncryptUtils.encryptASN1ByBC(publicKey, Base64.toBase64String(generateKey.getEncoded()));
                logger.info("SM2 服务端对称密钥加密之后的密文数据:{}", encryptASN1ByBC);
                dEROctetString = new DEROctetString(GMSSLByteArrayUtils.base64Decode(encryptASN1ByBC));
            } catch (CryptoException e) {
                throw new UtilException("SM2 使用公钥加密会话密钥异常", e);
            }
        } else if ("SHA256WITHECDSA".equalsIgnoreCase(x509Certificate.getSigAlgName())) {
            SecureRandom secureRandom2 = new SecureRandom();
            KeyGenerator keyGenerator2 = KeyGenerator.getInstance("AES", (Provider) new BouncyCastleProvider());
            keyGenerator2.init(128, secureRandom2);
            generateKey = keyGenerator2.generateKey();
            logger.info("服务端对称密钥明文:{}", Base64.toBase64String(generateKey.getEncoded()));
            algorithmIdentifier = new AlgorithmIdentifier(NISTObjectIdentifiers.ecies);
            try {
                byte[] encryptData = GMSSLBCCipherUtils.encryptData("ECIES", publicKey, generateKey.getEncoded());
                logger.info("ECIES 服务端对称密钥加密之后的密文数据:{}", Base64.toBase64String(encryptData));
                dEROctetString = new DEROctetString(encryptData);
            } catch (Exception e2) {
                throw new UtilException("NIST 使用公钥加密会话密钥异常", e2);
            }
        } else {
            if (!"SHA256WITHRSA".equalsIgnoreCase(x509Certificate.getSigAlgName()) && !"SHA1WITHRSA".equalsIgnoreCase(x509Certificate.getSigAlgName()) && !"SHA-1WITHRSA".equalsIgnoreCase(x509Certificate.getSigAlgName())) {
                throw new UtilException("不支持的公钥加密会话密钥");
            }
            SecureRandom secureRandom3 = new SecureRandom();
            KeyGenerator keyGenerator3 = KeyGenerator.getInstance("AES");
            keyGenerator3.init(128, secureRandom3);
            generateKey = keyGenerator3.generateKey();
            logger.info("服务端对称密钥明文：{}", Base64.toBase64String(generateKey.getEncoded()));
            algorithmIdentifier = new AlgorithmIdentifier(RsaObjectIdentifiers.rsaEncryption);
            try {
                String encryptDataByBC = GMSSLRSAEncryptUtils.encryptDataByBC(publicKey, Base64.toBase64String(generateKey.getEncoded()));
                logger.info("RSA 服务端对称密钥加密之后的密文数据：{}", encryptDataByBC);
                dEROctetString = new DEROctetString(GMSSLByteArrayUtils.base64Decode(encryptDataByBC));
            } catch (Exception e3) {
                throw new UtilException("RSA 使用公钥加密会话密钥异常", e3);
            }
        }
        return new EnvelopedData(new DERSet(new RecipientInfo(new KeyTransRecipientInfo(new RecipientIdentifier(IssuerAndSerialNumber.getInstance(new org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber(new X500Name(x509Certificate.getIssuerDN().getName()), x509Certificate.getSerialNumber()))), algorithmIdentifier, dEROctetString))), createEncryptedContentInfo(x509Certificate.getSigAlgName(), generateKey, bArr));
    }

    public static EncryptedContentInfo createEncryptedContentInfo(String str, SecretKey secretKey, byte[] bArr) throws Exception {
        AlgorithmIdentifier algorithmIdentifier;
        DEROctetString dEROctetString;
        logger.info("待加密的数据明文====：{}", Base64.toBase64String(bArr));
        logger.info("服务端对称密钥=====：{}", Base64.toBase64String(secretKey.getEncoded()));
        if (Constants.SIGN_ALG_NAME_SM3_WHIT_SM2.equalsIgnoreCase(str)) {
            algorithmIdentifier = new AlgorithmIdentifier(SymmetryObjectIdentifiers.sm4);
            dEROctetString = new DEROctetString(GMSSLSM4ECBEncryptUtils.encryptByBCWithPKCS5Padding(secretKey.getEncoded(), bArr));
        } else {
            algorithmIdentifier = new AlgorithmIdentifier(SymmetryObjectIdentifiers.aes128ECB);
            dEROctetString = new DEROctetString(GMSSLAES128ECBEncryptUtils.encrypt(secretKey.getEncoded(), bArr, SdfSymmetricKeyParameters.PaddingType.PKCS5Padding));
        }
        logger.info("服务端使用对称密钥解密明文数据===：{}", Base64.toBase64String(dEROctetString.getOctets()));
        return new EncryptedContentInfo(PKCSObjectIdentifiers.data, algorithmIdentifier, dEROctetString);
    }

    public static SignedData createSourceRepSignedData(X509Certificate x509Certificate, X509Certificate x509Certificate2, SignedAndEnvelopedData signedAndEnvelopedData, X509CRLImpl x509CRLImpl, X509CRL x509crl) throws Exception {
        return createSourceRepSignedData(x509Certificate, x509Certificate2, signedAndEnvelopedData, x509CRLImpl, x509crl, null);
    }

    public static SignedData createSourceRepSignedData(X509Certificate x509Certificate, X509Certificate x509Certificate2, SignedAndEnvelopedData signedAndEnvelopedData, X509CRLImpl x509CRLImpl, X509CRL x509crl, List<X509Certificate> list) throws Exception {
        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
        if (null != x509Certificate) {
            aSN1EncodableVector.add(new ASN1InputStream(x509Certificate.getEncoded()).readObject());
        }
        if (null != x509Certificate2) {
            aSN1EncodableVector.add(new ASN1InputStream(x509Certificate2.getEncoded()).readObject());
        }
        if (null == list || list.size() <= 0) {
            throw new UtilException("获取CA证书链异常");
        }
        Iterator<X509Certificate> it = list.iterator();
        while (it.hasNext()) {
            aSN1EncodableVector.add(new ASN1InputStream(it.next().getEncoded()).readObject());
        }
        DERSet dERSet = new DERSet(aSN1EncodableVector);
        ASN1EncodableVector aSN1EncodableVector2 = new ASN1EncodableVector();
        if (null != x509CRLImpl) {
            aSN1EncodableVector2.add(new ASN1InputStream(x509CRLImpl.getEncoded()).readObject());
        }
        if (null != x509crl) {
            aSN1EncodableVector2.add(new ASN1InputStream(x509crl.getEncoded()).readObject());
        }
        DERSet dERSet2 = new DERSet(aSN1EncodableVector2);
        ContentInfo contentInfo = new ContentInfo(PKCSObjectIdentifiers.data, (ASN1Encodable) null);
        if (null != signedAndEnvelopedData) {
            contentInfo = new ContentInfo(PKCSObjectIdentifiers.signedAndEnvelopedData, signedAndEnvelopedData);
        }
        return new SignedData(new ASN1Integer(0L), new DERSet(new AlgorithmIdentifier(PKCSObjectIdentifiers.md5)), contentInfo, dERSet, dERSet2, new DERSet());
    }

    public static SignerInfo createSignerInfosByHsm(String str, BigInteger bigInteger, String str2, int i, String str3, ASN1Set aSN1Set) throws Exception {
        org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber issuerAndSerialNumber = new org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber(DnUtil.getRFC4519X500Name(str), bigInteger);
        AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(DigestObjectIdentifiers.sm3);
        AlgorithmIdentifier algorithmIdentifier2 = new AlgorithmIdentifier(SM2ObjectIdentifiers.sm2256_sign);
        DEROctetString dEROctetString = null;
        if (aSN1Set != null) {
            dEROctetString = new DEROctetString(GMSSLSM2SignUtils.signByYunhsm(i, str3, Base64.toBase64String(aSN1Set.getEncoded())).getBytes());
        }
        return new SignerInfo(new ASN1Integer(1L), new org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber(X509Name.getInstance(issuerAndSerialNumber.getName()), issuerAndSerialNumber.getCertificateSerialNumber()), algorithmIdentifier, aSN1Set, algorithmIdentifier2, ASN1OctetString.getInstance(dEROctetString), (ASN1Set) null);
    }

    public static SignerInfo createSignerInfos(String str, BigInteger bigInteger, String str2, PrivateKey privateKey, ASN1Set aSN1Set) throws Exception {
        org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber issuerAndSerialNumber = new org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber(DnUtil.getRFC4519X500Name(str), bigInteger);
        AlgorithmIdentifier algorithmIdentifier = null;
        AlgorithmIdentifier algorithmIdentifier2 = null;
        DEROctetString dEROctetString = null;
        if (aSN1Set != null) {
            if (Constants.SIGN_ALG_NAME_SHA1_WHIT_RSA.equalsIgnoreCase(str2) || Constants.SIGN_ALG_NAME_SHA1_WHIT_RSA_2.equalsIgnoreCase(str2)) {
                algorithmIdentifier = new AlgorithmIdentifier(DigestObjectIdentifiers.sha1);
                algorithmIdentifier2 = new AlgorithmIdentifier(RsaObjectIdentifiers.rsaEncryption);
            } else if (Constants.SIGN_ALG_NAME_SHA256_WHIT_RSA.equalsIgnoreCase(str2)) {
                algorithmIdentifier = new AlgorithmIdentifier(DigestObjectIdentifiers.sha256);
                algorithmIdentifier2 = new AlgorithmIdentifier(RsaObjectIdentifiers.rsaEncryption);
            } else if (Constants.SIGN_ALG_NAME_SM3_WHIT_SM2.equalsIgnoreCase(str2)) {
                algorithmIdentifier = new AlgorithmIdentifier(DigestObjectIdentifiers.sm3);
                algorithmIdentifier2 = new AlgorithmIdentifier(SM2ObjectIdentifiers.sm2256_sign);
            } else {
                if (!Constants.SIGN_ALG_NAME_SHA256_WHIT_ECDSA.equalsIgnoreCase(str2)) {
                    logger.info("不支持的签名算法");
                    throw new Exception("不支持的签名算法");
                }
                algorithmIdentifier = new AlgorithmIdentifier(DigestObjectIdentifiers.sha256);
                algorithmIdentifier2 = new AlgorithmIdentifier(NISTObjectIdentifiers.nist256);
            }
            Signature signature = Signature.getInstance(str2, "BC");
            signature.initSign(privateKey);
            signature.update(aSN1Set.getEncoded());
            dEROctetString = new DEROctetString(signature.sign());
        }
        return new SignerInfo(new ASN1Integer(1L), new org.bouncycastle.asn1.pkcs.IssuerAndSerialNumber(X509Name.getInstance(issuerAndSerialNumber.getName()), issuerAndSerialNumber.getCertificateSerialNumber()), algorithmIdentifier, aSN1Set, algorithmIdentifier2, ASN1OctetString.getInstance(dEROctetString), (ASN1Set) null);
    }

    public static SignedData createRepSignedData(byte[] bArr, X509Certificate x509Certificate, byte[] bArr2, String str, String str2, byte[] bArr3, X509Certificate x509Certificate2, Integer num) throws Exception {
        SignerInfo createSignerInfos;
        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
        aSN1EncodableVector.add(new ASN1InputStream(x509Certificate.getEncoded()).readObject());
        DERSet dERSet = new DERSet(aSN1EncodableVector);
        X500Name rFC4519X500Name = DnUtil.getRFC4519X500Name(x509Certificate.getIssuerDN().getName());
        ASN1EncodableVector aSN1EncodableVector2 = new ASN1EncodableVector();
        ContentInfo contentInfo = null;
        if (bArr != null && "0".equalsIgnoreCase(str2)) {
            contentInfo = createContentInfo(PKCSObjectIdentifiers.envelopedData, createEnvelopedData(bArr, x509Certificate2));
        } else if ("2".equalsIgnoreCase(str2)) {
            contentInfo = createContentInfo(PKCSObjectIdentifiers.data, null);
            aSN1EncodableVector2.add(new Attribute(SCEPObjectIdentifiers.id_failInfo, new DERSet(new DERPrintableString(String.valueOf(num)))));
        } else if ("3".equalsIgnoreCase(str2)) {
            contentInfo = createContentInfo(PKCSObjectIdentifiers.data, null);
        }
        if (null != bArr2) {
            aSN1EncodableVector2.add(new Attribute(SCEPObjectIdentifiers.id_transId, new DERSet(new DEROctetString(bArr2))));
        }
        if (null != str) {
            aSN1EncodableVector2.add(new Attribute(SCEPObjectIdentifiers.id_messageType, new DERSet(new DERPrintableString(str))));
        }
        if (null != str2) {
            aSN1EncodableVector2.add(new Attribute(SCEPObjectIdentifiers.id_pkiStatus, new DERSet(new DERPrintableString(str2))));
        }
        byte[] bArr4 = new byte[16];
        try {
            new SecureRandom().nextBytes(bArr4);
        } catch (Exception e) {
            logger.error(" ============== 获取随机数异常", (Throwable) e);
        }
        aSN1EncodableVector2.add(new Attribute(SCEPObjectIdentifiers.id_senderNonce, new DERSet(new DEROctetString(bArr4))));
        if (null != bArr3) {
            aSN1EncodableVector2.add(new Attribute(SCEPObjectIdentifiers.id_recipientNonce, new DERSet(new DEROctetString(bArr3))));
        }
        if (1 == CommonVariable.getIsHsm().intValue() && "SM2".equalsIgnoreCase(CommonVariable.getKeyAlgName())) {
            createSignerInfos = createSignerInfosByHsm(rFC4519X500Name.toString(), x509Certificate.getSerialNumber(), x509Certificate.getSigAlgName(), CommonVariable.getKeyIndex(), CommonVariable.getKeyPwd(), new DERSet(aSN1EncodableVector2));
            logger.info("signerInfo>>>>2222>>>>>:{}", Base64.toBase64String(createSignerInfos.getEncoded()));
        } else {
            createSignerInfos = createSignerInfos(rFC4519X500Name.toString(), x509Certificate.getSerialNumber(), x509Certificate.getSigAlgName(), CertUtils.getPrivateBybytes(x509Certificate.getSigAlgName(), CommonVariable.getRaSignPriKey()), new DERSet(aSN1EncodableVector2));
        }
        logger.info("signerInfo>>>>>>>>>:{}", Base64.toBase64String(createSignerInfos.getEncoded()));
        return new SignedData(new ASN1Integer(0L), new DERSet(new AlgorithmIdentifier(PKCSObjectIdentifiers.md5)), contentInfo, dERSet, (ASN1Set) null, new DERSet(createSignerInfos));
    }

    public static ContentInfo createContentInfo(ASN1ObjectIdentifier aSN1ObjectIdentifier, ASN1Encodable aSN1Encodable) {
        return new ContentInfo(aSN1ObjectIdentifier, aSN1Encodable);
    }

    public static int getFailInfoByErrorCode(int i) {
        switch (i) {
            case 21303:
            case 31001:
                return 2;
            case 21304:
                return 4;
            case 31002:
            case 31012:
            case 31013:
            case 31014:
            case 31015:
            case 31016:
            case 31017:
            case 31018:
                return 1;
            case 31004:
                return 0;
            default:
                return 5;
        }
    }
}
