package com.xdja.pki.ra.openapi.scep.proxy;

import com.xdja.ca.asn1.DigestObjectIdentifiers;
import com.xdja.pki.core.json.JsonUtils;
import com.xdja.pki.gmssl.core.utils.GMSSLBCCipherUtils;
import com.xdja.pki.gmssl.core.utils.GMSSLSignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLECSignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLRSASignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2EncryptUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM4ECBEncryptUtils;
import com.xdja.pki.ra.core.asn1.NISTObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.RsaObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.SM2ObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.SymmetryObjectIdentifiers;
import com.xdja.pki.ra.core.common.CommonVariable;
import com.xdja.pki.ra.core.common.Result;
import com.xdja.pki.ra.core.commonenum.ErrorEnum;
import com.xdja.pki.ra.core.util.cert.CertUtils;
import com.xdja.pki.ra.core.util.cert.DnUtil;
import com.xdja.pki.ra.core.util.cert.HsmUtils;
import com.xdja.pki.ra.core.util.spring.SpringUtils;
import com.xdja.pki.ra.openapi.core.RaProxyBeanApi;
import com.xdja.pki.ra.openapi.core.common.ScepConstant;
import com.xdja.pki.ra.openapi.core.handler.IScepMessageHandler;
import com.xdja.pki.ra.openapi.core.scep.CertRepUtils;
import com.xdja.pki.ra.openapi.core.scep.SCEPObjectIdentifiers;
import java.security.cert.X509Certificate;
import javax.naming.NamingException;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.EncryptedContentInfo;
import org.bouncycastle.asn1.cms.EnvelopedData;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.KeyTransRecipientInfo;
import org.bouncycastle.asn1.pkcs.ContentInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.SignedData;
import org.bouncycastle.asn1.pkcs.SignerInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

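/**
 * SCEP request dispatcher of the RA open API.
 *
 * <p>{@link #dispatch(byte[], Integer)} parses the request as a PKCS#7 {@code ContentInfo} wrapping
 * {@code SignedData}, verifies the signature with the first certificate carried in the request,
 * reads the SCEP messageType / transactionID / senderNonce attributes, decrypts the enveloped
 * payload with the RA service key and passes the result to the handler bean chosen by messageType.
 *
 * <p>Security-relevant logging policy in this class: request bytes and ciphertext are logged at
 * DEBUG only, and the unwrapped content-encryption key and the decrypted request body are never
 * logged. They are secrets of the enrolling client and log files are usually readable by more
 * people and systems than the RA private key is.
 */
@Component("scepProxyBeanImpl")
/* loaded from: input_file:WEB-INF/lib/ra-openapi-scep-2.0.0-SNAPSHOT.jar:com/xdja/pki/ra/openapi/scep/proxy/SecpProxyBeanImpl.class */
public class SecpProxyBeanImpl implements RaProxyBeanApi {
    private final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Validates one SCEP request and forwards its decrypted payload to the matching handler.
     *
     * @param bArr encoded PKCS#7 request as received from the client (untrusted input)
     * @param num not read by this method
     * @return the handler's result on success, otherwise a {@link Result} carrying the
     *     {@link ErrorEnum} of the first check that failed
     * @throws Exception declared by {@link RaProxyBeanApi}; failures raised inside this method are
     *     caught and reported through the returned {@link Result}
     */
    @Override // com.xdja.pki.ra.openapi.core.RaProxyBeanApi
    public Result dispatch(byte[] bArr, Integer num) throws Exception {
        boolean verifyByBC;
        Result result = new Result();
        // A null body is rejected with the same error code a malformed structure gets, instead of
        // failing while it is encoded for the log line below.
        if (bArr == null) {
            this.logger.error("接收到的消息无法转换为ContentInfo");
            result.setError(ErrorEnum.SCEP_PKCS7_STRUCTURE_CONVERT_FAILURE);
            return result;
        }
        // The raw request is attacker-controlled and not yet validated: keep it out of INFO logs.
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("接收到SCEP接口请求的数据原文 经Base64编码 ====:{}", Base64.toBase64String(bArr));
        }
        try {
            try {
                SignedData signedData = SignedData.getInstance(ContentInfo.getInstance(bArr).getContent());
                ASN1Set certificates = signedData.getCertificates();
                if (certificates == null || certificates.size() == 0) {
                    this.logger.error("客户端未包含自签名证书");
                    result.setError(ErrorEnum.REQ_DATA_NOT_CONTAIN_SELF_CERT);
                    return result;
                }
                // The first certificate in the request is used as the signer certificate. It is
                // supplied by the client, so a valid signature below proves possession of that
                // key, not an identity vouched for by anyone.
                // NOTE(review): it is not matched against the SignerInfo's issuer/serial here.
                X509Certificate certFromStr = CertUtils.getCertFromStr(Base64.toBase64String(certificates.getObjectAt(0).getEncoded()));
                ASN1Set signerInfos = signedData.getSignerInfos();
                if (signerInfos == null || signerInfos.size() == 0) {
                    this.logger.error("客户端未包含签名者信息");
                    result.setError(ErrorEnum.REQ_DATA_NOT_CONTAIN_SIGNER_INFO);
                    return result;
                }
                ContentInfo contentInfo = signedData.getContentInfo();
                // Only the first SignerInfo is evaluated; additional signers are ignored.
                SignerInfo signerInfo = SignerInfo.getInstance(signerInfos.getObjectAt(0));
                ASN1OctetString encryptedDigest = signerInfo.getEncryptedDigest();
                ASN1Set authenticatedAttributes = signerInfo.getAuthenticatedAttributes();
                if (authenticatedAttributes == null || authenticatedAttributes.size() == 0) {
                    this.logger.error("客户端未包含待签名扩展属性信息");
                    result.setError(ErrorEnum.REQ_DATA_NOT_CONTAIN_ATTR_BY_SIGN);
                    return result;
                }
                AlgorithmIdentifier digestAlgorithm = signerInfo.getDigestAlgorithm();
                if (digestAlgorithm == null) {
                    this.logger.error("客户端未包含摘要算法信息");
                    result.setError(ErrorEnum.REQ_DATA_NOT_CONTAIN_DIGEST_ALG);
                    return result;
                }
                AlgorithmIdentifier digestEncryptionAlgorithm = signerInfo.getDigestEncryptionAlgorithm();
                if (digestEncryptionAlgorithm == null) {
                    this.logger.error("客户端未包含加密算法性信息");
                    result.setError(ErrorEnum.REQ_DATA_NOT_CONTAIN_ENC_ALG);
                    return result;
                }
                // The verification branch is chosen from the algorithm the client certificate was
                // signed with, then cross-checked against the OIDs in the SignerInfo.
                String sigAlgName = certFromStr.getSigAlgName();
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("验签公钥:{}", certFromStr.getPublicKey());
                    this.logger.debug("待验证签名原文:{}", Base64.toBase64String(contentInfo.getEncoded()));
                    this.logger.debug("待验证签名原文:{}", Base64.toBase64String(contentInfo.getEncoded("DER")));
                    this.logger.debug("请求中的签名后的数据:{}", Base64.toBase64String(encryptedDigest.getOctets()));
                }
                // NOTE(review): every branch below verifies the signature over the DER encoding of
                // the inner ContentInfo. The messageType, transactionID and senderNonce used
                // further down are taken from authenticatedAttributes, which are not part of the
                // bytes verified here, and no message-digest attribute is compared. PKCS#7/CMS
                // (RFC 5652 section 5.4) computes the signature over the DER-encoded attributes
                // when they are present. Confirm against the client implementation whether this
                // is a deliberate profile; as written the attributes are not integrity-protected
                // by this check.
                if ("sha1withrsa".equalsIgnoreCase(sigAlgName) || "sha256withrsa".equalsIgnoreCase(sigAlgName) || "sha-1withrsa".equalsIgnoreCase(sigAlgName)) {
                    // NOTE(review): SHA-1 is still accepted for request signatures here.
                    if (digestAlgorithm.getAlgorithm().getId().equalsIgnoreCase(DigestObjectIdentifiers.sha1.getId()) && digestEncryptionAlgorithm.getAlgorithm().getId().equalsIgnoreCase(RsaObjectIdentifiers.rsaEncryption.getId())) {
                        try {
                            verifyByBC = GMSSLRSASignUtils.verifyByBC("sha1withrsa", certFromStr.getPublicKey(), contentInfo.getEncoded("DER"), encryptedDigest.getOctets());
                        } catch (Exception e) {
                            this.logger.error("RSA算法验签异常", (Throwable) e);
                            result.setError(ErrorEnum.VERIFY_SIGN_DATA_FAILURE);
                            return result;
                        }
                    } else {
                        if (!digestAlgorithm.getAlgorithm().getId().equalsIgnoreCase(DigestObjectIdentifiers.sha256.getId()) || !digestEncryptionAlgorithm.getAlgorithm().getId().equalsIgnoreCase(RsaObjectIdentifiers.rsaEncryption.getId())) {
                            this.logger.info("SHA256WITHERSA或SHA1WITHRSA中的摘要算法或加密算法不支持");
                            result.setError(ErrorEnum.CURRENT_ALG_NOT_SUPPORT);
                            return result;
                        }
                        try {
                            verifyByBC = GMSSLRSASignUtils.verifyByBC("sha256withrsa", certFromStr.getPublicKey(), contentInfo.getEncoded("DER"), encryptedDigest.getOctets());
                        } catch (Exception e2) {
                            this.logger.error("RSA算法验签异常", (Throwable) e2);
                            result.setError(ErrorEnum.VERIFY_SIGN_DATA_FAILURE);
                            return result;
                        }
                    }
                } else if ("sm3withsm2".equalsIgnoreCase(sigAlgName)) {
                    if (!digestAlgorithm.getAlgorithm().getId().equalsIgnoreCase(DigestObjectIdentifiers.sm3.getId()) || !digestEncryptionAlgorithm.getAlgorithm().getId().equalsIgnoreCase(SM2ObjectIdentifiers.sm2256_sign.getId())) {
                        this.logger.info("SM3WITHSM2中的摘要算法或加密算法不支持");
                        result.setError(ErrorEnum.CURRENT_ALG_NOT_SUPPORT);
                        return result;
                    }
                    try {
                        verifyByBC = GMSSLECSignUtils.verifyByBC(certFromStr.getPublicKey(), contentInfo.getEncoded("DER"), encryptedDigest.getOctets(), "SM3WITHSM2");
                    } catch (Exception e3) {
                        this.logger.error("国密算法验签异常", (Throwable) e3);
                        result.setError(ErrorEnum.VERIFY_SIGN_DATA_FAILURE);
                        return result;
                    }
                } else {
                    if (!"SHA256WITHECDSA".equalsIgnoreCase(sigAlgName)) {
                        this.logger.info("不支持的签名算法");
                        result.setError(ErrorEnum.CURRENT_ALG_NOT_SUPPORT);
                        return result;
                    }
                    if (!digestAlgorithm.getAlgorithm().getId().equalsIgnoreCase(DigestObjectIdentifiers.sha256.getId()) || !digestEncryptionAlgorithm.getAlgorithm().getId().equalsIgnoreCase(NISTObjectIdentifiers.ecies.getId())) {
                        this.logger.info("SHA256WITHECDSA中的摘要算法或加密算法不支持");
                        result.setError(ErrorEnum.CURRENT_ALG_NOT_SUPPORT);
                        return result;
                    }
                    try {
                        verifyByBC = GMSSLSignUtils.verifySignature("SHA256WITHECDSA", certFromStr.getPublicKey(), contentInfo.getEncoded("DER"), encryptedDigest.getOctets());
                    } catch (Exception e4) {
                        this.logger.error("NIST算法验签异常", (Throwable) e4);
                        result.setError(ErrorEnum.VERIFY_SIGN_DATA_FAILURE);
                        return result;
                    }
                }
                if (!verifyByBC) {
                    this.logger.info("对客户端请求结构体验签失败");
                    result.setError(ErrorEnum.VERIFY_SIGN_DATA_FAILURE);
                    return result;
                }
                byte[] bArr2 = null; // encoded transactionID attribute value
                byte[] bArr3 = null; // encoded senderNonce attribute value
                IScepMessageHandler iScepMessageHandler = null;
                for (int i = 0; i < authenticatedAttributes.size(); i++) {
                    Attribute attribute = Attribute.getInstance(authenticatedAttributes.getObjectAt(i));
                    ASN1ObjectIdentifier attrType = attribute.getAttrType();
                    if (attrType.getId().equals(SCEPObjectIdentifiers.id_messageType.getId())) {
                        // A value of another ASN.1 type ends up in the catch at the bottom of
                        // this method.
                        DERPrintableString objectAt = attribute.getAttrValues().getObjectAt(0);
                        if (objectAt.getString().equals(ScepConstant.MESSAGE_TYPE_PKCS_REQ_19)) {
                            iScepMessageHandler = (IScepMessageHandler) SpringUtils.getBean("certReqScepMessageHandler");
                        } else if (objectAt.getString().equals(ScepConstant.MESSAGE_TYPE_GET_CERT_INIT_20)) {
                            iScepMessageHandler = (IScepMessageHandler) SpringUtils.getBean("getCertInitScepMessageHandler");
                        } else if (objectAt.getString().equals(ScepConstant.MESSAGE_TYPE_GET_CERT_21)) {
                            iScepMessageHandler = (IScepMessageHandler) SpringUtils.getBean("getCertScepMessageHandler");
                        } else {
                            if (!objectAt.getString().equals(ScepConstant.MESSAGE_TYPE_GET_CRL_22)) {
                                this.logger.info("SCEP消息类型不支持");
                                result.setError(ErrorEnum.SCEP_MESSAGE_TYPE_NOT_SUPPORT);
                                return result;
                            }
                            iScepMessageHandler = (IScepMessageHandler) SpringUtils.getBean("getCrlScepMessageHandler");
                        }
                    } else if (attrType.getId().equals(SCEPObjectIdentifiers.id_transId.getId())) {
                        bArr2 = attribute.getAttrValues().getObjectAt(0).getEncoded();
                    } else if (attrType.getId().equals(SCEPObjectIdentifiers.id_senderNonce.getId())) {
                        bArr3 = attribute.getAttrValues().getObjectAt(0).getEncoded();
                    }
                }
                Result reqSourceData = getReqSourceData(contentInfo);
                if (!reqSourceData.isSuccess()) {
                    return reqSourceData;
                }
                if (iScepMessageHandler == null || bArr2 == null || bArr3 == null) {
                    this.logger.info("缺少必要请求参数");
                    result.setError(ErrorEnum.MISSING_REQUIRED_PARAMETERS);
                    return result;
                }
                if (null != reqSourceData.getInfo()) {
                    return iScepMessageHandler.handleMessage((byte[]) reqSourceData.getInfo(), bArr2, bArr3, certFromStr);
                }
                this.logger.info("缺少必要请求参数");
                result.setError(ErrorEnum.MISSING_REQUIRED_PARAMETERS);
                return result;
            } catch (Exception e5) {
                // Catches every exception from the block above, including ones thrown by the
                // handler, and reports them all as a structure conversion failure.
                this.logger.error("接收到的消息无法转换为SignedData", (Throwable) e5);
                result.setError(ErrorEnum.SCEP_PKCS7_STRUCTURE_CONVERT_FAILURE);
                return result;
            }
        } catch (Exception e6) {
            // Only reachable if the inner catch block itself throws.
            this.logger.error("接收到的消息无法转换为ContentInfo", (Throwable) e6);
            result.setError(ErrorEnum.SCEP_PKCS7_STRUCTURE_CONVERT_FAILURE);
            return result;
        }
    }

    /**
     * Opens the PKCS#7 envelopedData inside a SCEP request and returns the decrypted payload.
     *
     * <p>Steps: check the content type, take the first recipient, require that its issuer and
     * serial number name the RA service certificate, unwrap the content-encryption key with the RA
     * key (HSM for SM2 when enabled, software otherwise), then decrypt the content with AES or SM4.
     *
     * @param contentInfo inner ContentInfo of the request's SignedData
     * @return a {@link Result} whose info is the decrypted {@code byte[]} on success, or which
     *     carries the {@link ErrorEnum} of the step that failed
     */
    private Result getReqSourceData(ContentInfo contentInfo) {
        byte[] decryptByBCWithPKCS5Padding;
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("contentInfo:[{}]", JsonUtils.object2Json(contentInfo));
        }
        Result result = new Result();
        try {
            if (!PKCSObjectIdentifiers.envelopedData.getId().equalsIgnoreCase(contentInfo.getContentType().getId())) {
                this.logger.error("PKCS7的消息类型不是envelopedData");
                result.setError(ErrorEnum.PKCS7_CONTAIN_TYPE_NOT_ENVELOPED_DATA);
                return result;
            }
            EnvelopedData envelopedData = EnvelopedData.getInstance(contentInfo.getContent());
            ASN1Set recipientInfos = envelopedData.getRecipientInfos();
            if (recipientInfos == null || recipientInfos.size() == 0) {
                this.logger.error("请求数据中未包含接收者信息");
                result.setError(ErrorEnum.REQ_DATA_NOT_CONTAIN_RECIPIENT_INFO);
                return result;
            }
            // Only the first recipient is considered.
            KeyTransRecipientInfo keyTransRecipientInfo = KeyTransRecipientInfo.getInstance(recipientInfos.getObjectAt(0));
            AlgorithmIdentifier keyEncryptionAlgorithm = keyTransRecipientInfo.getKeyEncryptionAlgorithm();
            ASN1OctetString encryptedKey = keyTransRecipientInfo.getEncryptedKey();
            IssuerAndSerialNumber id = keyTransRecipientInfo.getRecipientIdentifier().getId();
            X509Certificate raServiceCert = CommonVariable.getRaServiceCert();
            ASN1Integer serialNumber = id.getSerialNumber();
            X500Name name = id.getName();
            try {
                X500Name rFC4519X500Name = DnUtil.getRFC4519X500Name(raServiceCert.getSubjectDN().getName());
                String bigInteger = serialNumber.getValue().toString(16);
                String bigInteger2 = raServiceCert.getSerialNumber().toString(16);
                // The recipient named in the request must be this RA: same serial number and the
                // same DN string (case-insensitive) as the RA service certificate's subject.
                if (!bigInteger.equalsIgnoreCase(bigInteger2) || !rFC4519X500Name.toString().equalsIgnoreCase(name.toString())) {
                    // Both pairs are logged as DN then serial so the two sides can be compared.
                    this.logger.error("当前请求的签发者不是当前系统===期望的服务端：[{}] [{}] == 当前的服务端：[{}] [{}] ", name.toString(), bigInteger, rFC4519X500Name.toString(), bigInteger2);
                    result.setError(ErrorEnum.REQ_ISSUER_AND_SN_IS_NOT_CURRENT);
                    return result;
                }
                try {
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("服务端待解密的对称密钥密文:{}", Base64.toBase64String(encryptedKey.getOctets()));
                    }
                    // NOTE(review): key-unwrap failures and content-decryption failures map to
                    // different error codes; confirm the response sent to the requester does not
                    // let a remote client tell the two apart.
                    byte[] decode = Base64.decode(
                            (1 == CommonVariable.getIsHsm().intValue() && "SM2".equalsIgnoreCase(CommonVariable.getKeyAlgName()))
                                    ? GMSSLSM2EncryptUtils.decryptASN1ByYunhsm(CommonVariable.getKeyIndex(), CommonVariable.getKeyPwd(), Base64.toBase64String(encryptedKey.getOctets()))
                                    : HsmUtils.decrypteByBC(keyEncryptionAlgorithm.getAlgorithm().toString(), CommonVariable.getRaSignPriKey(), Base64.toBase64String(encryptedKey.getOctets())));
                    try {
                        // The unwrapped content-encryption key is deliberately not logged: with it
                        // and the ciphertext anyone reading the log could recover the request.
                        EncryptedContentInfo encryptedContentInfo = envelopedData.getEncryptedContentInfo();
                        if (this.logger.isDebugEnabled()) {
                            this.logger.debug("服务端待解密的密文数据======:{}", Base64.toBase64String(encryptedContentInfo.getEncryptedContent().getEncoded()));
                        }
                        AlgorithmIdentifier contentEncryptionAlgorithm = encryptedContentInfo.getContentEncryptionAlgorithm();
                        // NOTE(review): the AES branch decrypts in ECB mode and the SM4 helper is
                        // named for ECB as well. ECB gives no integrity protection and reveals
                        // repeated plaintext blocks; the algorithm is dictated by the request, so
                        // changing it needs a coordinated client-side change.
                        if (contentEncryptionAlgorithm.getAlgorithm().getId().equals(SymmetryObjectIdentifiers.aes128ECB.getId())) {
                            decryptByBCWithPKCS5Padding = GMSSLBCCipherUtils.symmetricECBDecrypt("AES/ECB/PKCS5Padding", decode, encryptedContentInfo.getEncryptedContent().getOctets());
                        } else {
                            if (!contentEncryptionAlgorithm.getAlgorithm().getId().equals(SymmetryObjectIdentifiers.sm4.getId())) {
                                // The rejected algorithm is the symmetric content cipher.
                                this.logger.info("不支持该对称加密算法:{}", contentEncryptionAlgorithm.getAlgorithm().toString());
                                result.setError(ErrorEnum.CURRENT_ALG_NOT_SUPPORT);
                                return result;
                            }
                            decryptByBCWithPKCS5Padding = GMSSLSM4ECBEncryptUtils.decryptByBCWithPKCS5Padding(decode, encryptedContentInfo.getEncryptedContent().getOctets());
                        }
                        // The decrypted request body is not logged either; it is client data that
                        // was encrypted precisely so that only the RA can read it.
                        result.setInfo(decryptByBCWithPKCS5Padding);
                        return result;
                    } catch (Exception e) {
                        this.logger.error("使用对称密钥解密获取客户端请求数据异常", (Throwable) e);
                        result.setError(ErrorEnum.DECRYPT_GET_SOURCE_DATA_EXCEPTION);
                        return result;
                    }
                } catch (Exception e2) {
                    this.logger.error("使用RA服务器签名证书对应的私钥解密获取被加密的对称密钥异常", (Throwable) e2);
                    result.setError(ErrorEnum.DECRYPT_GET_SESSION_KEY_EXCEPTION);
                    return result;
                }
            } catch (NamingException e3) {
                this.logger.error("获取证书DN异常", e3);
                result.setError(ErrorEnum.GET_CERT_DN_EXCEPTION);
                return result;
            }
        } catch (Exception e4) {
            this.logger.error("获取请求的加密结构体异常", (Throwable) e4);
            result.setError(ErrorEnum.SCEP_PKCS7_STRUCTURE_CONVERT_FAILURE);
            return result;
        }
    }

    /**
     * Builds a signedData ContentInfo for a response by delegating to {@link CertRepUtils}.
     *
     * <p>Not called from within this class.
     *
     * @param i numeric code forwarded to {@code createRepSignedData}; values 0 to 4 are passed on
     *     boxed, any other value is passed as {@code null}
     * @return the ContentInfo produced by {@code CertRepUtils.createContentInfo}
     * @throws Exception whatever the {@link CertRepUtils} calls throw
     */
    private ContentInfo createRespContentInfo(X509Certificate x509Certificate, byte[] bArr, String str, byte[] bArr2, X509Certificate x509Certificate2, int i) throws Exception {
        Integer num = (i >= 0 && i <= 4) ? Integer.valueOf(i) : null;
        // NOTE(review): the meaning of the leading null and of the literal "2" is defined by
        // CertRepUtils.createRepSignedData, which is not visible here.
        return CertRepUtils.createContentInfo(PKCSObjectIdentifiers.signedData, CertRepUtils.createRepSignedData(null, x509Certificate, bArr, str, "2", bArr2, x509Certificate2, num));
    }
}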
