package com.xdja.pki.auth.util;

import com.fasterxml.jackson.core.type.TypeReference;
import com.xdja.pki.auth.service.AuditLogService;
import com.xdja.pki.auth.service.AuditSignService;
import com.xdja.pki.auth.service.bean.AuditSignBean;
import com.xdja.pki.auth.service.bean.CertInfoDTO;
import com.xdja.pki.auth.service.bean.CertStatusEnum;
import com.xdja.pki.auth.service.bean.DigestAlgEnum;
import com.xdja.pki.auth.service.bean.KeyAlgEnum;
import com.xdja.pki.core.bean.CoreResult;
import com.xdja.pki.core.exception.JSONException;
import com.xdja.pki.core.utils.JsonMapper;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.TreeMap;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.ContentInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.SignedData;
import org.bouncycastle.asn1.pkcs.SignerInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.util.ContentCachingRequestWrapper;

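// loaded from: input_file:WEB-INF/lib/pki-auth-2.0.0-SNAPSHOT.jar:com/xdja/pki/auth/util/AuditSignAspect.class
/**
 * Around-advice that authenticates "audit-signed" administrative requests before the advised
 * controller method is allowed to run.
 *
 * <p>A request to a method annotated with {@code @AuditSign} or {@code @AuditLogSign} must carry
 * three headers: {@code sn} (certificate serial number), {@code timestamp} (epoch milliseconds
 * as decimal text) and {@code sign} (a Base64-encoded PKCS#7 {@code SignedData}). The advice
 * <ol>
 *   <li>rejects blank or non-numeric headers and timestamps outside the configured window,</li>
 *   <li>canonicalises the request (URI, sorted parameter values, timestamp; URL-encoded) into the
 *       bytes the client is expected to have signed,</li>
 *   <li>checks that the digest of the PKCS#7 content equals the digest of that canonical form,
 *       that the signature/digest algorithm OIDs match the pair pinned by the system key
 *       algorithm, that the certificate for {@code sn} exists and is in NORMAL status, and then
 *       verifies the signature over the canonical form,</li>
 *   <li>injects the resulting {@link AuditSignBean} into the first {@code AuditSignBean}
 *       argument of the advised method.</li>
 * </ol>
 * Any unexpected exception is logged and mapped to the service's "server internal error" response.
 *
 * <p>The canonical form produced by {@link #constructBusinessData} is a wire contract with the
 * signing clients: it must not change byte-for-byte without a coordinated client change.
 */
@Aspect
@Component
public class AuditSignAspect {
    private static final Logger logger = LoggerFactory.getLogger(AuditSignAspect.class);

    /** Request header carrying the certificate serial number of the signer. */
    private static final String HEADER_SN = "sn";
    /** Request header carrying the client timestamp (epoch milliseconds, decimal). */
    private static final String HEADER_TIMESTAMP = "timestamp";
    /** Request header carrying the Base64 PKCS#7 SignedData. */
    private static final String HEADER_SIGN = "sign";
    /**
     * Query-string key excluded from the canonical form when it carries a value (presumably a
     * client-side cache-busting parameter; a bare {@code _} with no value is still included).
     */
    private static final String EXCLUDED_QUERY_PARAM = "_";

    @Resource
    private AuditSignService auditSignService;

    @Resource
    private AuditLogService auditLogService;

    /**
     * Outcome of the pre-checks shared by both advices: exactly one of {@link #errorResponse}
     * or {@link #bean} is non-null.
     */
    private static final class AuthOutcome {
        /** Error response to return to the caller when verification failed; {@code null} on success. */
        final Object errorResponse;
        /** Verified signature details; {@code null} on failure. */
        final AuditSignBean bean;

        private AuthOutcome(Object errorResponse, AuditSignBean bean) {
            this.errorResponse = errorResponse;
            this.bean = bean;
        }

        static AuthOutcome failure(Object errorResponse) {
            return new AuthOutcome(errorResponse, null);
        }

        static AuthOutcome success(AuditSignBean bean) {
            return new AuthOutcome(null, bean);
        }

        boolean isSuccess() {
            return bean != null;
        }
    }

    @Pointcut("@annotation(com.xdja.pki.auth.annotation.AuditSign)")
    public void annotationPointcut() {
    }

    @Pointcut("@annotation(com.xdja.pki.auth.annotation.AuditLogSign)")
    public void auditLogPointcut() {
    }

    /**
     * Verifies the audit signature and, on success, runs the advised method with the verified
     * {@link AuditSignBean} injected into its arguments.
     *
     * @param proceedingJoinPoint the advised invocation
     * @return the advised method's result, or the service's error response when verification
     *         fails or an unexpected error occurs
     */
    @Around("annotationPointcut()")
    public Object authAdmin(ProceedingJoinPoint proceedingJoinPoint) {
        try {
            ServletRequestAttributes attrs = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
            HttpServletResponse response = attrs.getResponse();
            ContentCachingRequestWrapper request = unwrapCachingRequest((HttpServletRequestWrapper) attrs.getRequest());
            AuthOutcome outcome = authenticate(request, response);
            if (!outcome.isSuccess()) {
                return outcome.errorResponse;
            }
            return proceedingJoinPoint.proceed(injectAuditSignBean(proceedingJoinPoint.getArgs(), outcome.bean));
        } catch (Throwable th) {
            logger.error("通用审计验签失败", th);
            // No response object is available here if the failure happened before it was resolved.
            return this.auditSignService.getServerInternalError(null);
        }
    }

    /**
     * Same as {@link #authAdmin} but, when the advised method returns a {@link CoreResult},
     * additionally persists an audit-log entry keyed by the request signature and unwraps the
     * result for the caller.
     *
     * @param proceedingJoinPoint the advised invocation
     * @return the advised method's result (its {@code info} on success, the service response on
     *         failure), or the service's error response when verification fails or an unexpected
     *         error occurs
     */
    @Around("auditLogPointcut()")
    public Object authAdminWithAuditLogSaved(ProceedingJoinPoint proceedingJoinPoint) {
        try {
            ServletRequestAttributes attrs = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
            HttpServletResponse response = attrs.getResponse();
            ContentCachingRequestWrapper request = unwrapCachingRequest((HttpServletRequestWrapper) attrs.getRequest());
            AuthOutcome outcome = authenticate(request, response);
            if (!outcome.isSuccess()) {
                return outcome.errorResponse;
            }
            Object proceed = proceedingJoinPoint.proceed(injectAuditSignBean(proceedingJoinPoint.getArgs(), outcome.bean));
            if (!(proceed instanceof CoreResult)) {
                return proceed;
            }
            logger.debug(" 通用审计 保存审计日志 开始 ");
            CoreResult coreResult = (CoreResult) proceed;
            CoreResult.AuditLogDetail auditLogDetail = coreResult.getAuditLogDetail();
            // NOTE(review): the advised operation has already run at this point. If the result
            // carries no AuditLogDetail, the NPE below is reported to the client as a server
            // internal error even though the operation completed; confirm that every
            // @AuditLogSign method populates the detail.
            this.auditLogService.save(auditLogDetail.getOperatorType(), auditLogDetail.getOperatorContext(),
                    auditLogDetail.getOperatorResult(), outcome.bean.getSign());
            logger.debug(" 通用审计 保存审计日志 结束 ");
            return coreResult.isSuccess() ? coreResult.getInfo() : coreResult.resp(response, coreResult);
        } catch (Throwable th) {
            logger.error("通用审计验签失败", th);
            return this.auditSignService.getServerInternalError(null);
        }
    }

    /**
     * Returns the {@link ContentCachingRequestWrapper} for the current request, unwinding one
     * level of wrapping if needed. The aspect depends on a caching wrapper having been installed
     * upstream so that the body can be read here without consuming it for the controller; any
     * other shape fails the cast and is handled by the advice's catch-all.
     */
    private static ContentCachingRequestWrapper unwrapCachingRequest(HttpServletRequestWrapper request) {
        if (request instanceof ContentCachingRequestWrapper) {
            return (ContentCachingRequestWrapper) request;
        }
        return (ContentCachingRequestWrapper) request.getRequest();
    }

    /**
     * Runs the header, freshness and signature checks shared by both advices.
     *
     * @param request  the caching request wrapper (body must be readable)
     * @param response the current response, passed through to the service's error builders
     * @return a failure carrying the error response to return, or a success carrying the
     *         populated {@link AuditSignBean}
     * @throws Exception on malformed signature structures or JSON bodies (mapped by the caller)
     */
    private AuthOutcome authenticate(ContentCachingRequestWrapper request, HttpServletResponse response) throws Exception {
        String sn = request.getHeader(HEADER_SN);
        String timestampHeader = request.getHeader(HEADER_TIMESTAMP);
        String sign = request.getHeader(HEADER_SIGN);
        if (StringUtils.isBlank(sn) || StringUtils.isBlank(timestampHeader) || StringUtils.isBlank(sign)) {
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：请求参数非法 [sn={},timestamp={},sign={}]", sn, timestampHeader, sign);
            }
            return AuthOutcome.failure(this.auditSignService.getIllegalParamError(response));
        }
        long timestamp;
        try {
            timestamp = Long.parseLong(timestampHeader);
        } catch (NumberFormatException e) {
            // A non-numeric timestamp is a malformed request, not a server fault.
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：请求参数非法 [sn={},timestamp={},sign={}]", sn, timestampHeader, sign);
            }
            return AuthOutcome.failure(this.auditSignService.getIllegalParamError(response));
        }
        // getOffsetTime() is in minutes; widen before multiplying so the window cannot overflow.
        long windowMillis = this.auditSignService.getOffsetTime() * 60L * 1000L;
        // Two-sided freshness window. Only stale timestamps used to be rejected, which left a
        // request stamped ahead of server time acceptable until the server clock caught up.
        if (Math.abs(System.currentTimeMillis() - timestamp) > windowMillis) {
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：客户端时间与服务器时间不一致");
            }
            return AuthOutcome.failure(this.auditSignService.getVerifyTimeError(response));
        }
        byte[] businessData = constructBusinessData(request, timestampHeader);
        CoreResult verify = verifySign(sn, sign, businessData, response);
        if (!verify.isSuccess()) {
            return AuthOutcome.failure(verify.getInfo());
        }
        AuditSignBean bean = new AuditSignBean();
        bean.setSn(sn);
        // On success verifySign carries the system key algorithm as an Integer.
        bean.setKeyAlg(((Integer) verify.getInfo()).intValue());
        bean.setTimestamp(timestampHeader);
        bean.setSign(sign);
        bean.setIp(request.getRemoteAddr());
        // businessData is URL-encoded ASCII, so the charset only matters for odd platform defaults.
        bean.setContent(new String(businessData, StandardCharsets.UTF_8));
        return AuthOutcome.success(bean);
    }

    /**
     * Replaces the first argument whose runtime class is exactly {@link AuditSignBean}
     * (subclasses are not matched) with {@code bean}. Mutates and returns {@code args}.
     */
    private static Object[] injectAuditSignBean(Object[] args, AuditSignBean bean) {
        for (int i = 0; i < args.length; i++) {
            if (args[i] != null && args[i].getClass() == AuditSignBean.class) {
                args[i] = bean;
                break;
            }
        }
        return args;
    }

    /**
     * Verifies a PKCS#7 signature over the canonical request bytes.
     *
     * @param sn           certificate serial number from the {@code sn} header
     * @param signBase64   Base64 PKCS#7 SignedData from the {@code sign} header
     * @param businessData canonical request bytes produced by {@link #constructBusinessData}
     * @param response     current response, passed through to the service's error builders
     * @return {@code CoreResult.success(systemKeyAlg)} when the signature verifies, otherwise a
     *         failure whose info is the error response to return to the client
     * @throws Exception on malformed Base64/ASN.1 input (e.g. a SignedData with no SignerInfo);
     *         the advice's catch-all maps these to a server internal error
     */
    private CoreResult verifySign(String sn, String signBase64, byte[] businessData, HttpServletResponse response) throws Exception {
        SignedData signedData = SignedData.getInstance(ContentInfo.getInstance(Base64.decode(signBase64)).getContent().toASN1Primitive());
        byte[] signedContent = ASN1OctetString.getInstance(signedData.getContentInfo().getContent().toASN1Primitive()).getOctets();
        if (logger.isDebugEnabled()) {
            logger.debug("通用审计验签签名结构体原文：{}", new String(signedContent, StandardCharsets.UTF_8));
            logger.debug("通用审计验签PKCS#7签名结构体：{}", signBase64);
        }
        // Only the first SignerInfo is considered.
        SignerInfo signerInfo = SignerInfo.getInstance(signedData.getSignerInfos().getObjectAt(0));
        byte[] signature = signerInfo.getEncryptedDigest().getOctets();
        // The content embedded in the PKCS#7 structure must be the same request this server sees;
        // otherwise a valid signature over some other content would pass.
        if (!Arrays.equals(this.auditSignService.getDigest(signedContent), this.auditSignService.getDigest(businessData))) {
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：请求内容与签名内容不一致");
            }
            return CoreResult.failure(this.auditSignService.getContentDisaccordError(response));
        }
        String signAlgOid = signerInfo.getDigestEncryptionAlgorithm().getAlgorithm().getId();
        String digestAlgOid = signerInfo.getDigestAlgorithm().getAlgorithm().getId();
        int systemKeyAlg = this.auditSignService.getSystemKeyAlg();
        // The accepted (signature, digest) OID pair is pinned by the system key algorithm; the
        // algorithm named in the client's SignerInfo is only ever compared, never trusted.
        // NOTE(review): the NIST branch expects the curve OID prime256v1 in
        // digestEncryptionAlgorithm, which is apparently what the clients emit.
        String expectedSignOid;
        String expectedDigestOid;
        int digestAlg;
        if (systemKeyAlg == KeyAlgEnum.SM2.value) {
            expectedSignOid = GMObjectIdentifiers.sm2sign.getId();
            expectedDigestOid = GMObjectIdentifiers.sm3.getId();
            digestAlg = DigestAlgEnum.SM3.value;
        } else if (systemKeyAlg == KeyAlgEnum.RSA.value) {
            expectedSignOid = PKCSObjectIdentifiers.rsaEncryption.getId();
            expectedDigestOid = NISTObjectIdentifiers.id_sha256.getId();
            digestAlg = DigestAlgEnum.SHA256.value;
        } else if (systemKeyAlg == KeyAlgEnum.NIST.value) {
            expectedSignOid = X9ObjectIdentifiers.prime256v1.getId();
            expectedDigestOid = NISTObjectIdentifiers.id_sha256.getId();
            digestAlg = DigestAlgEnum.SHA256.value;
        } else {
            expectedSignOid = null;
            expectedDigestOid = null;
            digestAlg = -1;
        }
        if (expectedSignOid == null || !signAlgOid.equals(expectedSignOid)) {
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：不支持的签名算法，[signAlg={},digestAlg={},systemKeyAlg={}]", signAlgOid, digestAlgOid, KeyAlgEnum.convert(systemKeyAlg).desc);
            }
            return CoreResult.failure(this.auditSignService.getIllegalSignAlgError(response));
        }
        if (!digestAlgOid.equals(expectedDigestOid)) {
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：不支持的签名算法，[signAlg={},digestAlg={}]", signAlgOid, digestAlgOid);
            }
            return CoreResult.failure(this.auditSignService.getIllegalSignAlgError(response));
        }
        CertInfoDTO cert = this.auditSignService.getCertBySn(sn, systemKeyAlg);
        if (null == cert) {
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：证书不存在");
            }
            return CoreResult.failure(this.auditSignService.getCertNotExistError(response));
        }
        if (cert.getStatus() != CertStatusEnum.NORMAL.value) {
            if (logger.isDebugEnabled()) {
                logger.debug("通用审计验签失败，原因：证书状态异常");
            }
            return CoreResult.failure(this.auditSignService.getCertStatusError(cert.getStatus(), response));
        }
        // The signature is verified over the server-side canonical bytes, not the embedded content.
        if (this.auditSignService.verifySign(systemKeyAlg, digestAlg, cert.getPublicKey(), businessData, signature)) {
            return CoreResult.success(Integer.valueOf(systemKeyAlg));
        }
        if (logger.isDebugEnabled()) {
            logger.debug("通用审计验签失败，原因：验证管理员操作签名失败");
        }
        return CoreResult.failure(this.auditSignService.getVerifySignFailError(response));
    }

    /**
     * Builds the canonical request bytes the client is expected to have signed:
     * {@code URI + query values (sorted by key) + body values (sorted by key) + timestamp},
     * with spaces, CR/LF (literal and escaped) removed, escaped quotes unescaped, and the whole
     * string URL-encoded as UTF-8.
     *
     * <p>This is a wire contract with the signing clients; do not change its output.
     *
     * @param request   the caching request wrapper
     * @param timestamp the raw {@code timestamp} header value
     * @return the URL-encoded canonical form as bytes
     * @throws JSONException                if a JSON body cannot be parsed or re-serialised
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always supported)
     */
    private byte[] constructBusinessData(ContentCachingRequestWrapper request, String timestamp) throws JSONException, UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        sb.append(request.getRequestURI());
        appendQueryParams(request, sb);
        if (isMultipart(request)) {
            appendFormParams(request, sb);
        } else {
            appendJsonBody(request, sb);
        }
        sb.append(timestamp);
        String canonical = sb.toString()
                .replace(" ", "")
                .replace("\r", "")
                .replace("\\r", "")
                .replace("\n", "")
                .replace("\\n", "")
                .replace("\\\"", "\"");
        String encoded = URLEncoder.encode(canonical, "UTF-8");
        if (logger.isDebugEnabled()) {
            logger.debug("通用审计验签原文：{}", encoded);
        }
        // URL-encoded output is pure ASCII; UTF-8 is used explicitly to avoid the platform default.
        return encoded.getBytes(StandardCharsets.UTF_8);
    }

    /** True when the request declares a {@code multipart/form-data} content type. */
    private static boolean isMultipart(ContentCachingRequestWrapper request) {
        String contentType = request.getContentType();
        return StringUtils.isNotBlank(contentType) && contentType.contains("multipart/form-data");
    }

    /**
     * Appends the URL-decoded values of the query string, in ascending key order. A key with no
     * value contributes an empty string; {@value #EXCLUDED_QUERY_PARAM} with a value is skipped.
     * Only the first {@code =} separated segment is taken as the value (as the original did).
     */
    private static void appendQueryParams(ContentCachingRequestWrapper request, StringBuilder sb) throws UnsupportedEncodingException {
        String queryString = request.getQueryString();
        if (!StringUtils.isNotBlank(queryString)) {
            return;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("通用审计请求QueryString参数：{}", queryString);
        }
        String[] pairs = StringUtils.split(queryString, "&");
        if (null == pairs || pairs.length == 0) {
            return;
        }
        // TreeMap gives the same ascending-key iteration the original got from sorting the key set.
        Map<String, String> params = new TreeMap<>();
        for (String pair : pairs) {
            if (!StringUtils.isNotBlank(pair)) {
                continue;
            }
            String[] kv = StringUtils.split(pair, "=");
            if (kv.length == 0) {
                // e.g. a bare "=" token; indexing kv[0] here used to throw and surface as a 500.
                continue;
            }
            if (kv.length < 2) {
                params.put(kv[0], "");
            } else if (!EXCLUDED_QUERY_PARAM.equals(kv[0])) {
                params.put(kv[0], URLDecoder.decode(kv[1], "UTF-8"));
            }
        }
        for (String value : params.values()) {
            sb.append(value);
        }
    }

    /**
     * Appends the JSON-serialised top-level values of a JSON object body, in ascending key
     * order. Null values, blank serialisations and {@code ""} are skipped; string values have
     * their surrounding quotes stripped.
     */
    private static void appendJsonBody(ContentCachingRequestWrapper request, StringBuilder sb) throws JSONException {
        byte[] body = request.getContentAsByteArray();
        if (body.length == 0) {
            return;
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> map = (Map<String, Object>) JsonMapper.alwaysMapper().fromJson(body, new TypeReference<Map<String, Object>>() {
        });
        if (logger.isDebugEnabled()) {
            logger.debug("通用审计请求参数：{}", new String(body, StandardCharsets.UTF_8));
        }
        if (map == null) {
            // A body that parses to JSON null has no values to contribute.
            return;
        }
        for (Object value : new TreeMap<>(map).values()) {
            if (null == value) {
                continue;
            }
            String json = JsonMapper.alwaysMapper().toJson(value);
            if (StringUtils.isBlank(json) || "\"\"".equals(json)) {
                continue;
            }
            if (json.startsWith("\"")) {
                json = json.substring(1, json.length() - 1);
            }
            sb.append(json);
        }
    }

    /**
     * Appends the values of a multipart form, in ascending parameter-name order, skipping blank
     * values and the literal text {@code null} (any case).
     */
    private static void appendFormParams(ContentCachingRequestWrapper request, StringBuilder sb) {
        Map<String, String> form = new TreeMap<>();
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String value = request.getParameter(name);
            if (StringUtils.isNotBlank(value) && !"null".equalsIgnoreCase(value)) {
                form.put(name, value);
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("通用审计请求form表单参数：{}", form);
        }
        for (String value : form.values()) {
            sb.append(value);
        }
    }
}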
