package com.xdja.pki.ra.service.manager.certapply;

import com.xdja.ca.vo.UserCertInfo;
import com.xdja.pki.core.exception.ServiceException;
import com.xdja.pki.ra.cache.CertTempCache;
import com.xdja.pki.ra.core.asn1.NISTObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.SM2ObjectIdentifiers;
import com.xdja.pki.ra.core.common.CommonVariable;
import com.xdja.pki.ra.core.common.Result;
import com.xdja.pki.ra.core.commonenum.DoubleCodeUseEnum;
import com.xdja.pki.ra.core.commonenum.ErrorEnum;
import com.xdja.pki.ra.core.constant.Constants;
import com.xdja.pki.ra.core.util.cert.CertUtils;
import com.xdja.pki.ra.core.util.json.JsonUtils;
import com.xdja.pki.ra.manager.dao.BaseUserDao;
import com.xdja.pki.ra.manager.dao.CaCertDao;
import com.xdja.pki.ra.manager.dao.CertApplyDao;
import com.xdja.pki.ra.manager.dao.DoubleCodeDao;
import com.xdja.pki.ra.manager.dao.IssueApplyDao;
import com.xdja.pki.ra.manager.dao.UpdateApplyDao;
import com.xdja.pki.ra.manager.dao.UserCertDao;
import com.xdja.pki.ra.manager.dao.model.BaseUserDO;
import com.xdja.pki.ra.manager.dao.model.CaCertDO;
import com.xdja.pki.ra.manager.dao.model.CertApplyDO;
import com.xdja.pki.ra.manager.dao.model.CertTempDO;
import com.xdja.pki.ra.manager.dao.model.DoubleCodeDO;
import com.xdja.pki.ra.manager.dao.model.IssueApplyDO;
import com.xdja.pki.ra.manager.dao.model.UpdateApplyDO;
import com.xdja.pki.ra.manager.dao.model.UserCertDO;
import com.xdja.pki.ra.manager.sdk.cmp.CertLifeCycleManager;
import com.xdja.pki.ra.service.manager.cache.RedisCacheManagerService;
import com.xdja.pki.ra.service.manager.certapply.bean.DoubleCode;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.sql.Timestamp;
import java.util.Date;
import java.util.Locale;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

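/**
 * Carries out an approved certificate application: issues a new user certificate (apply type 1)
 * or updates an existing one (apply type 2) through the CA, then stores the returned
 * certificate(s) in the user-certificate table.
 *
 * <p>Trust boundary: the {@code DoubleCode} and the P10/SubjectPublicKeyInfo bytes handed to
 * {@link #certApplyCarry} originate from the requesting user and are validated here before any
 * CA call; rows read through the DAOs are treated as trusted application state. The class is
 * {@code @Transactional}; under Spring's default rollback rule only a thrown
 * {@code RuntimeException} rolls the transaction back, so a returned failure {@link Result}
 * leaves earlier writes in place (hence the manual compensation in {@link #insertUserCertInfo}).
 */
@Transactional
@Service
/* loaded from: input_file:WEB-INF/lib/ra-service-manager-impl-2.0.1-SNAPSHOT.jar:com/xdja/pki/ra/service/manager/certapply/CertApplyServiceIssueImpl.class */
public class CertApplyServiceIssueImpl implements CertApplyServiceIssue {
    private static final Logger logger = LoggerFactory.getLogger(CertApplyServiceIssueImpl.class);

    /** applyType of a first-issuance application. */
    private static final int APPLY_TYPE_ISSUE = 1;
    /** applyType of a certificate-update application. */
    private static final int APPLY_TYPE_UPDATE = 2;
    /** The only applyStatus from which {@link #certApplyCarry} starts issuance. */
    private static final int APPLY_STATUS_ISSUABLE = 3;
    /** applyStatus written onto the application when the CA rejects the issue/update call. */
    private static final int APPLY_STATUS_ISSUE_FAILED = 4;
    /** certType of a signing certificate that has no encryption partner. */
    private static final int CERT_TYPE_SIGN_SINGLE = 1;
    /** certType of the signing half of a sign/enc certificate pair. */
    private static final int CERT_TYPE_SIGN_OF_PAIR = 2;
    /** certType of the encryption half of a sign/enc certificate pair. */
    private static final int CERT_TYPE_ENC_OF_PAIR = 3;
    /** certStatus assigned to every row inserted by this class. */
    private static final int INITIAL_CERT_STATUS = 0;
    /** Algorithm name the template uses for SM2 keys (templates store a name, not an OID). */
    private static final String KEY_ALG_NAME_SM2 = "SM2";
    /** Both accepted named curves (sm2p256v1 and NIST P-256) are 256-bit curves. */
    private static final int EC_KEY_BITS = 256;
    private static final long MILLIS_PER_DAY = 86400000L;

    /**
     * Admin attribution written onto an application whose CA call failed. These are fixed
     * placeholder values in the shipped code, not the identity of the operator who triggered the
     * call, so adminId/adminCertDn on failed applications do not identify a real administrator.
     * TODO(review): replace with the authenticated operator's id and certificate DN.
     */
    private static final long PLACEHOLDER_ADMIN_ID = 666L;
    private static final String PLACEHOLDER_ADMIN_CERT_DN = "CN=当前登录的管理员，O=**省公安厅，C=CN";

    @Autowired
    private BaseUserDao baseUserDao;

    @Autowired
    private CertApplyDao certApplyDao;

    @Autowired
    private DoubleCodeDao doubleCodeDao;

    @Autowired
    private IssueApplyDao issueApplyDao;

    @Autowired
    private UpdateApplyDao updateApplyDao;

    @Autowired
    private CaCertDao caCertDao;

    @Autowired
    private UserCertDao userCertDao;

    @Autowired
    private CertLifeCycleManager certLifeCycleManager;

    @Autowired
    private CertApplyService certApplyService;

    @Autowired
    private RedisCacheManagerService redisCacheManagerService;

    // Package-private in the original; kept so same-package code that reaches it keeps compiling.
    @Autowired
    CertTempCache certTempCache;

    /**
     * Issues (apply type 1) or updates (apply type 2) the certificate of an approved application.
     *
     * <p>Checks, in order: RA/CA DNs are available; the requested key format is valid for the
     * configured algorithm; the user referenced by {@code doubleCode.refCode} exists and belongs
     * to {@code str}; the application exists with the given type and is in the issuable status;
     * the stored double code is unused and references the same user. Only then is a CMP
     * transaction id allocated and the CA called. On success the double code is marked used.
     *
     * @param i          apply type; must equal the stored application's applyType
     * @param str        system flag of the caller; must equal the referenced user's systemFlag
     * @param str2       application number (applyNo)
     * @param doubleCode caller-supplied double code; refCode is the user id as a decimal string,
     *                   authCode is consumed when issuance succeeds
     * @param bArr       DER SubjectPublicKeyInfo/P10 bytes from the user; may be null for an
     *                   update that keeps the existing key
     * @param num        requested private-key format (see {@link Constants#KEY_FORMAT_0016_2})
     * @return the CA result (info is a {@link UserCertInfo}) on success, otherwise a failure
     *         naming the first check that did not pass
     */
    @Override // com.xdja.pki.ra.service.manager.certapply.CertApplyServiceIssue
    public Result certApplyCarry(int i, String str, String str2, DoubleCode doubleCode, byte[] bArr, Integer num) {
        if (logger.isDebugEnabled()) {
            logger.debug("certApplyCarry applyType:[{}] applyNo:[{}]", Integer.valueOf(i), str2);
        }
        String raDn = getRAServiceDnName();
        if (StringUtils.isBlank(raDn)) {
            logger.error("获取RA服务器证书DN名字错误");
            return Result.failure(ErrorEnum.GET_RA_SERVICE_DN_NAME_ERROR);
        }
        String caDn = getCAServiceDnName();
        if (StringUtils.isBlank(caDn)) {
            logger.error("获取CA服务器证书DN名字错误");
            return Result.failure(ErrorEnum.GET_CA_SERVICE_DN_NAME_ERROR);
        }
        if (Constants.KEY_ALG_NAME_RSA.equalsIgnoreCase(CommonVariable.getKeyAlgName()) && Constants.KEY_FORMAT_0016_2.equals(num)) {
            logger.error("RSA算法不提供0016的私钥格式 keyAlgName:{}", CommonVariable.getKeyAlgName());
            return Result.failure(ErrorEnum.RSA_ALG_CANNOT_BUILD_0016_KEY_FORMAT);
        }
        // refCode is user-supplied: a non-numeric value must be a failure result, not an
        // uncaught NumberFormatException. The refCode is not a secret and may be logged; the
        // authCode is and is never logged.
        if (doubleCode == null) {
            logger.error("此用户不存在");
            return Result.failure(ErrorEnum.THE_USER_IS_NOT_EXIT);
        }
        int userId;
        try {
            userId = Integer.parseInt(doubleCode.getRefCode());
        } catch (NumberFormatException e) {
            logger.error("此用户不存在 refCode:{}", doubleCode.getRefCode());
            return Result.failure(ErrorEnum.THE_USER_IS_NOT_EXIT);
        }
        BaseUserDO baseUserInfo = this.baseUserDao.getBaseUserInfo(userId);
        // A null system flag never matches (the original threw NPE here).
        if (baseUserInfo == null || str == null || !str.equals(baseUserInfo.getSystemFlag())) {
            logger.error("此用户不存在");
            return Result.failure(ErrorEnum.THE_USER_IS_NOT_EXIT);
        }
        CertApplyDO certApplyInfo = this.certApplyDao.getCertApplyInfo(str2);
        if (certApplyInfo == null || i != certApplyInfo.getApplyType().intValue()) {
            logger.error("不存在当前申请编号对应的申请记录 applyNo:{}", str2);
            return Result.failure(ErrorEnum.CANNOT_FIND_APPLY_BY_NO);
        }
        if (APPLY_STATUS_ISSUABLE != certApplyInfo.getApplyStatus().intValue()) {
            logger.error("当前申请状态不可发起签发 applyStatus:{}", certApplyInfo.getApplyStatus());
            return Result.failure(ErrorEnum.APPLY_STATUS_NOT_SUPPORT_ISSUE_CERT);
        }
        DoubleCodeDO storedDoubleCode = this.doubleCodeDao.getDoubleCode(str2);
        // NOTE(review): only the used flag and refCode are compared with the stored double code;
        // authCode is not verified in this method — confirm it is checked before this service
        // is reached, otherwise the second factor is never validated on this path.
        if (storedDoubleCode == null
                || DoubleCodeUseEnum.IS_USE.id == storedDoubleCode.getIsUse().intValue()
                || !String.valueOf(storedDoubleCode.getRefCode()).equals(doubleCode.getRefCode())) {
            return Result.failure(ErrorEnum.DOUBLE_CODE_HAS_USED);
        }
        // The CMP transaction id is allocated and bound to the applyNo before the CA call so the
        // response can be matched back to this application.
        String cmpTransId = this.redisCacheManagerService.getIncCaCmpTransId();
        this.redisCacheManagerService.cacheCaTransId(str2, cmpTransId);
        Result result;
        if (APPLY_TYPE_ISSUE == i) {
            result = issueApplyHandler(str2, str, null, bArr, raDn, caDn, cmpTransId, true, num, certApplyInfo);
        } else if (APPLY_TYPE_UPDATE == i) {
            result = updateApplyHandler(str2, str, null, bArr, raDn, caDn, cmpTransId, true, num, certApplyInfo);
        } else {
            // The original fell through with a default Result here, which (see the success path
            // of insertUserCertInfo) counts as success and would consume the double code without
            // issuing anything; an unsupported type is reported as a failure instead.
            logger.error("不支持的申请类型 applyType:{}", Integer.valueOf(i));
            result = Result.failure(ErrorEnum.CANNOT_FIND_APPLY_BY_NO);
        }
        if (result.isSuccess()) {
            this.doubleCodeDao.updateStatus(doubleCode.getRefCode(), doubleCode.getAuthCode());
        } else {
            logger.error("签发证书申请处理失败");
        }
        return result;
    }

    /**
     * Handles a first-issuance application: validates the uploaded public key against the
     * template, asks the CA to issue, and either stores the certificate(s) or marks the
     * application as failed.
     *
     * @param applyNo     application number
     * @param systemFlag  caller's system flag, forwarded to the apply record on failure
     * @param cmpArg2     second argument of the CMP issue call; always null from certApplyCarry
     * @param p10Bytes    DER SubjectPublicKeyInfo/P10 bytes supplied by the user
     * @param raDn        RA service certificate DN
     * @param caDn        CA service certificate DN
     * @param cmpTransId  CMP transaction id allocated for this call
     * @param recordFlag  last argument of insertCertApplyRecord; meaning not visible in this file
     * @param keyFormat   requested private-key format
     * @param certApplyDO the application row (already verified by the caller)
     * @return the CA result on success, otherwise the failure of the first step that did not pass
     */
    private Result issueApplyHandler(String applyNo, String systemFlag, String cmpArg2, byte[] p10Bytes,
            String raDn, String caDn, String cmpTransId, boolean recordFlag, Integer keyFormat,
            CertApplyDO certApplyDO) {
        IssueApplyDO issueApply = this.issueApplyDao.getIssueApplyInfoByApplyId(certApplyDO.getId().longValue());
        CertTempDO certTemp = this.certTempCache.getCertTempInfoByTempId(certApplyDO.getTempId().longValue());
        if (issueApply == null || certTemp == null) {
            logger.error("获取签发证书申请基本信息为空");
            return Result.failure(ErrorEnum.GET_ISSUE_APPLY_INFO_IS_EMPTY);
        }
        Result keyCheck = checkP10AgainstTemplate(p10Bytes, certTemp);
        if (!keyCheck.isSuccess()) {
            return keyCheck;
        }
        int certValidity = issueApply.getCertValidity().intValue();
        String signAlg = issueApply.getSignAlg();
        String tempNo = certTemp.getTempNo();
        String tempParas = blankToNull(issueApply.getTempParas());
        Result issued = this.certLifeCycleManager.issueUserCert(applyNo, cmpArg2, p10Bytes, raDn, caDn, cmpTransId,
                tempNo, tempParas, signAlg, certValidity, certApplyDO.getCertDn(), keyFormat);
        if (issued.isSuccess()) {
            Result stored = insertUserCertInfo(certApplyDO.getUserId().longValue(), issueApply.getApplyId().longValue(),
                    certApplyDO.getTempId().longValue(), tempNo, signAlg, issueApply.getPrivateKeyLength().intValue(),
                    (UserCertInfo) issued.getInfo());
            if (!stored.isSuccess()) {
                logger.error("将用户证书插入数据库失败");
                return stored;
            }
            return issued;
        }
        if (!markApplyIssueFailed(certApplyDO)) {
            logger.error("更新申请基本信息失败");
            return Result.failure(ErrorEnum.UPDATE_CERT_APPLY_INFO_FAIL);
        }
        // The literal record/status codes (1, 5, 4, 7, false) are carried over unchanged; their
        // meaning is defined in CertApplyService, not here. getErrorBean() is assumed non-null
        // for a failed CA result — TODO confirm against Result.
        this.certApplyService.insertCertApplyRecord(1, 5, applyNo, systemFlag, 4, issued.getErrorBean().getErrMsg(), 7, false, recordFlag);
        logger.error("调用CA，签发证书失败");
        return issued;
    }

    /**
     * Handles a certificate-update application. When the application renews the key, the
     * uploaded public key is mandatory and is validated against the template; otherwise the
     * existing key (identified by the stored signing serial) is kept.
     *
     * <p>Parameters are as for {@link #issueApplyHandler}. Unlike the issue path, a failure to
     * persist the failed status throws {@link ServiceException} (rolling the transaction back)
     * rather than returning a failure; that difference is preserved from the original.
     *
     * @return the CA result on success, otherwise the failure of the first step that did not pass
     * @throws ServiceException if the application row cannot be marked failed after a CA rejection
     */
    private Result updateApplyHandler(String applyNo, String systemFlag, String cmpArg2, byte[] p10Bytes,
            String raDn, String caDn, String cmpTransId, boolean recordFlag, Integer keyFormat,
            CertApplyDO certApplyDO) {
        UpdateApplyDO updateApply = this.updateApplyDao.getUpdateApplyInfoByApplyId(certApplyDO.getId().longValue());
        CertTempDO certTemp = this.certTempCache.getCertTempInfoByTempId(certApplyDO.getTempId().longValue());
        if (updateApply == null || certTemp == null) {
            logger.error("获取签发证书申请基本信息为空");
            return Result.failure(ErrorEnum.GET_ISSUE_APPLY_INFO_IS_EMPTY);
        }
        int certValidity = updateApply.getCertValidity().intValue();
        String signAlg = updateApply.getSignAlg();
        String tempNo = certTemp.getTempNo();
        String tempParas = blankToNull(updateApply.getTempParas());
        boolean updateKey = updateApply.getIsUpdateKey().intValue() == 1;
        if (logger.isDebugEnabled()) {
            logger.debug("updateApplyDO.getIsUpdateKey() :[{}]", updateApply.getIsUpdateKey());
            logger.debug("updateKey :[{}]", Boolean.valueOf(updateKey));
        }
        if (updateKey) {
            if (null == p10Bytes) {
                logger.info("更新密钥时，必须上传p10文件");
                return Result.failure(ErrorEnum.UPDATE_KEY_NEED_P10_FILE);
            }
            Result keyCheck = checkP10AgainstTemplate(p10Bytes, certTemp);
            if (!keyCheck.isSuccess()) {
                return keyCheck;
            }
        }
        Result updated = this.certLifeCycleManager.updateUserCert(applyNo, cmpArg2, p10Bytes, raDn, caDn, cmpTransId,
                tempNo, tempParas, signAlg, certValidity, certApplyDO.getCertDn(), updateApply.getSignSn(), updateKey,
                keyFormat);
        if (updated.isSuccess()) {
            Result stored = insertUserCertInfo(certApplyDO.getUserId().longValue(), updateApply.getApplyId().longValue(),
                    certApplyDO.getTempId().longValue(), tempNo, signAlg, updateApply.getPrivateKeyLength().intValue(),
                    (UserCertInfo) updated.getInfo());
            if (!stored.isSuccess()) {
                logger.info("将用户证书插入数据库失败");
                return stored;
            }
            return updated;
        }
        if (!markApplyIssueFailed(certApplyDO)) {
            logger.info("更新申请记录失败:{}", JsonUtils.object2Json(certApplyDO));
            throw new ServiceException("更新申请记录失败");
        }
        // Literal record/status codes (2, 5, 4, 7, false) carried over unchanged from the original.
        this.certApplyService.insertCertApplyRecord(2, 5, applyNo, systemFlag, 4, updateApply.getApplyReason(), 7, false, recordFlag);
        logger.info("调用CA，更新证书失败");
        return updated;
    }

    /**
     * Marks the application as failed: placeholder admin attribution, applyStatus 4 and a fresh
     * update timestamp, then persists the row.
     *
     * @return true if the DAO reported at least one updated row
     */
    private boolean markApplyIssueFailed(CertApplyDO certApplyDO) {
        certApplyDO.setAdminId(PLACEHOLDER_ADMIN_ID);
        certApplyDO.setAdminCertDn(PLACEHOLDER_ADMIN_CERT_DN);
        certApplyDO.setApplyStatus(APPLY_STATUS_ISSUE_FAILED);
        certApplyDO.setGmtUpdate(new Timestamp(System.currentTimeMillis()));
        return this.certApplyDao.updateCertApply(certApplyDO) > 0;
    }

    /**
     * Decodes the user-supplied SubjectPublicKeyInfo bytes and checks the key against the
     * template; a missing or undecodable key is a failure result, never an exception.
     *
     * @param spkiBytes  DER SubjectPublicKeyInfo/P10 bytes from the user, may be null
     * @param certTempDO template the application was approved under
     */
    private Result checkP10AgainstTemplate(byte[] spkiBytes, CertTempDO certTempDO) {
        if (spkiBytes == null) {
            logger.info("申请中未包含公钥信息");
            return Result.failure(ErrorEnum.GET_PUBLIC_KEY_FROM_P10_EXCEPTION);
        }
        PublicKey publicKey = CertUtils.getPublicKeyBySubjectPublicInfo(Base64.toBase64String(spkiBytes));
        return checkApplyMsgEqualP10(publicKey, certTempDO);
    }

    /**
     * Verifies that the public key in the application matches the template's key algorithm and
     * key length. Supported keys: RSA (length = modulus bits), and EC on sm2p256v1 or NIST P-256
     * (template length must be 256).
     *
     * <p>All decoding happens inside the try block: the key comes from untrusted input, so
     * malformed algorithm parameters or an undecodable key yield
     * {@code GET_PUBLIC_KEY_FROM_P10_EXCEPTION} instead of an uncaught exception (the original
     * parsed the curve OID outside the try and could NPE on absent parameters). Re-decoding the
     * key through the BC KeyFactory is kept deliberately: it is what validates the encoded key.
     *
     * @param publicKey  decoded key, or null if decoding failed upstream
     * @param certTempDO template carrying publicKeyAlg and privateKeyLength
     * @return success, or the failure describing the mismatch
     */
    private Result checkApplyMsgEqualP10(PublicKey publicKey, CertTempDO certTempDO) {
        logger.info("开始校验申请中的公钥信息和模板要求是否一致");
        if (publicKey == null) {
            logger.info("无法从申请中解析公钥");
            return Result.failure(ErrorEnum.GET_PUBLIC_KEY_FROM_P10_EXCEPTION);
        }
        String templateKeyAlg = certTempDO.getPublicKeyAlg();
        Integer templateKeyLength = certTempDO.getPrivateKeyLength();
        try {
            SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
            String keyAlg = resolveKeyAlgName(publicKey, spki);
            if (keyAlg == null) {
                logger.info("不支持的签名算法");
                return Result.failure(ErrorEnum.NOT_SUPPORTED_SIGN_ALG);
            }
            logger.info("申请书中的用户算法为:{}", keyAlg);
            if (!keyAlg.equalsIgnoreCase(templateKeyAlg)) {
                logger.info("用户证书算法和当前模板公钥算法不一致");
                return Result.failure(ErrorEnum.USER_CERT_KEY_ALG_NOT_SAME_WITH_TEMP);
            }
            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(new DERBitString(spki).getBytes());
            if (KEY_ALG_NAME_SM2.equalsIgnoreCase(keyAlg) || Constants.KEY_ALG_NAME_NIST_2.equalsIgnoreCase(keyAlg)) {
                ECPublicKey ecKey = (ECPublicKey) KeyFactory.getInstance("EC", "BC").generatePublic(keySpec);
                logger.info("证书密钥算法长度为:{}", Integer.valueOf(ecKey.getW().getAffineX().bitLength()));
                // Both accepted curves are 256-bit, so the template must ask for exactly that.
                if (templateKeyLength == null || templateKeyLength.intValue() != EC_KEY_BITS) {
                    logger.error("用户证书秘钥算法长度和模板秘钥长度不一致");
                    return Result.failure(ErrorEnum.USER_CERT_KEY_ALG_LENGTH_NOT_SAME_WITH_TEMP);
                }
            } else {
                RSAPublicKey rsaKey = (RSAPublicKey) KeyFactory.getInstance(Constants.KEY_ALG_NAME_RSA, "BC").generatePublic(keySpec);
                if (templateKeyLength == null || templateKeyLength.intValue() != rsaKey.getModulus().bitLength()) {
                    logger.error("用户证书秘钥算法长度和模板秘钥长度不一致");
                    return Result.failure(ErrorEnum.USER_CERT_KEY_ALG_LENGTH_NOT_SAME_WITH_TEMP);
                }
            }
            return Result.success();
        } catch (Exception e) {
            logger.info("[CertApplyServiceIssueImpl#checkApplyMsgEqualP10] 申请信息和P10一致性校验异常", e);
            return Result.failure(ErrorEnum.GET_PUBLIC_KEY_FROM_P10_EXCEPTION);
        }
    }

    /**
     * Maps a key to the algorithm name used by templates: RSA for RSA keys, "SM2" for the
     * sm2p256v1 curve, {@link Constants#KEY_ALG_NAME_NIST_2} for NIST P-256.
     *
     * @return the template algorithm name, or null if the key is not one of the three supported
     *         (including EC keys with absent or explicit, non-named-curve parameters)
     */
    private static String resolveKeyAlgName(PublicKey publicKey, SubjectPublicKeyInfo spki) {
        if (Constants.KEY_ALG_NAME_RSA.equals(publicKey.getAlgorithm())) {
            return Constants.KEY_ALG_NAME_RSA;
        }
        ASN1Encodable parameters = spki.getAlgorithmId().getParameters();
        if (!(parameters instanceof ASN1ObjectIdentifier)) {
            return null;
        }
        ASN1ObjectIdentifier curveOid = (ASN1ObjectIdentifier) parameters;
        if (curveOid.equals(SM2ObjectIdentifiers.sm2256)) {
            return KEY_ALG_NAME_SM2;
        }
        if (curveOid.equals(NISTObjectIdentifiers.nist256)) {
            return Constants.KEY_ALG_NAME_NIST_2;
        }
        return null;
    }

    /**
     * Stores the certificate(s) returned by the CA: always the signing certificate, plus the
     * encryption certificate when the CA returned one (a sign/enc pair sharing one pair index).
     *
     * <p>Both certificates are parsed before anything is written, so a malformed encryption
     * certificate no longer leaves an orphaned signing row. If inserting the encryption row still
     * throws, the signing row is deleted by hand (a returned failure does not roll back the
     * transaction) and a failure is returned — the original returned success after that
     * compensation, which let the caller consume the double code with no certificate stored.
     *
     * @param userId           owner of the certificate
     * @param applyId          id of the issue/update application row
     * @param tempId           template id
     * @param tempNo           template number
     * @param signAlg          signature algorithm recorded on the row
     * @param privateKeyLength key length recorded on the row
     * @param userCertInfo     CA response holding the PEM/Base64 certificates
     * @return success, or the failure describing what was missing or malformed
     */
    private Result insertUserCertInfo(long userId, long applyId, long tempId, String tempNo, String signAlg,
            int privateKeyLength, UserCertInfo userCertInfo) {
        String signCert = userCertInfo.getSignCert();
        if (StringUtils.isBlank(signCert)) {
            logger.info("CA返回的用户证书信息中，签名证书为空");
            return Result.failure(ErrorEnum.CA_RESPONSE_USER_SIGN_CERT_INFO_IS_EMPTY);
        }
        X509Certificate signX509 = CertUtils.getCertFromStr(signCert);
        if (signX509 == null) {
            logger.info("CA返回的用户证书信息中，签名证书错误");
            return Result.failure(ErrorEnum.CA_RESPONSE_USER_SIGN_CERT_ERROR);
        }
        String encCert = userCertInfo.getEncCert();
        boolean hasEncCert = StringUtils.isNotBlank(encCert);
        X509Certificate encX509 = null;
        if (hasEncCert) {
            encX509 = CertUtils.getCertFromStr(encCert);
            if (encX509 == null) {
                logger.info("CA返回的用户证书信息中，加密证书错误");
                return Result.failure(ErrorEnum.CA_RESPONSE_USER_ENC_CERT_ERROR);
            }
        }
        // The pair index is consumed before the CA-cert lookup, as in the original.
        long pairCertIndex = this.redisCacheManagerService.getIncPairCertIndex();
        CaCertDO caCert = this.caCertDao.getNewCaCertInfo();
        if (caCert == null) {
            logger.info("获取CA证书信息为空");
            return Result.failure(ErrorEnum.GET_CA_CERT_INFO_IS_EMPTY);
        }
        Date notBefore = signX509.getNotBefore();
        Date notAfter = signX509.getNotAfter();
        int certValidityDays = daysBetween(notBefore, notAfter);
        // Encryption-key validity is bounded by the CA certificate's own expiry.
        int encKeyValidityDays = daysBetween(notBefore, caCert.getFailureTime());
        long nowMillis = System.currentTimeMillis();

        UserCertDO signRow = newUserCertRow(hasEncCert ? CERT_TYPE_SIGN_OF_PAIR : CERT_TYPE_SIGN_SINGLE, pairCertIndex,
                userId, applyId, tempId, tempNo, signAlg, privateKeyLength, caCert, notBefore, notAfter,
                certValidityDays, encKeyValidityDays, nowMillis);
        signRow.setCertSn(serialHex(signX509));
        signRow.setCertDn(CertUtils.getSubjectByX509Cert(signX509));
        UserCertDO insertedSign = this.userCertDao.insertUserCertInfo(signRow);
        if (!hasEncCert) {
            return Result.success();
        }
        UserCertDO encRow = newUserCertRow(CERT_TYPE_ENC_OF_PAIR, pairCertIndex, userId, applyId, tempId, tempNo,
                signAlg, privateKeyLength, caCert, notBefore, notAfter, certValidityDays, encKeyValidityDays,
                nowMillis);
        encRow.setCertSn(serialHex(encX509));
        encRow.setSignCertSn(insertedSign.getCertSn());
        try {
            encRow.setCertDn(CertUtils.getSubjectByX509Cert(encX509));
            this.userCertDao.insertUserCertInfo(encRow);
        } catch (Exception e) {
            // Manual compensation: the signing row was already inserted in this transaction and a
            // returned failure would not roll it back.
            logger.info("手动处理manager层的插入异常", e);
            this.userCertDao.deleteUserCert(insertedSign.getId().longValue());
            return Result.failure(ErrorEnum.CA_RESPONSE_USER_ENC_CERT_ERROR);
        }
        return Result.success();
    }

    /**
     * Builds a user-certificate row with the fields shared by the signing and encryption halves of
     * a pair; serial, DN and signCertSn are set by the caller.
     */
    private static UserCertDO newUserCertRow(int certType, long pairCertIndex, long userId, long applyId, long tempId,
            String tempNo, String signAlg, int privateKeyLength, CaCertDO caCert, Date notBefore, Date notAfter,
            int certValidityDays, int encKeyValidityDays, long nowMillis) {
        UserCertDO row = new UserCertDO();
        row.setPairCertIndex(Long.valueOf(pairCertIndex));
        row.setCertType(certType);
        row.setCertStatus(INITIAL_CERT_STATUS);
        row.setUserId(Long.valueOf(userId));
        row.setApplyId(Long.valueOf(applyId));
        row.setTempId(Long.valueOf(tempId));
        row.setTempNo(tempNo);
        row.setSignAlg(signAlg);
        row.setPrivateKeyLength(Integer.valueOf(privateKeyLength));
        row.setCaCertId(caCert.getId());
        row.setEffectiveTime(new Timestamp(notBefore.getTime()));
        row.setFailureTime(new Timestamp(notAfter.getTime()));
        row.setCertValidity(Integer.valueOf(certValidityDays));
        row.setEncKeyValidity(Integer.valueOf(encKeyValidityDays));
        row.setGmtCreate(new Timestamp(nowMillis));
        row.setGmtUpdate(new Timestamp(nowMillis));
        return row;
    }

    /** Whole days from {@code start} to {@code end}, truncated (same arithmetic as the original). */
    private static int daysBetween(Date start, Date end) {
        return (int) ((end.getTime() - start.getTime()) / MILLIS_PER_DAY);
    }

    /** Certificate serial as lower-case hex, the form stored in certSn. */
    private static String serialHex(X509Certificate cert) {
        return cert.getSerialNumber().toString(16).toLowerCase(Locale.ROOT);
    }

    /** Returns {@code s} unless it is blank, in which case null (the CMP client takes null for "no template parameters"). */
    private static String blankToNull(String s) {
        return StringUtils.isNotBlank(s) ? s : null;
    }

    private String getRAServiceDnName() {
        return CertUtils.getSubjectByX509Cert(CommonVariable.getRaServiceCert());
    }

    private String getCAServiceDnName() {
        return CertUtils.getSubjectByX509Cert(CommonVariable.getCaServiceCert());
    }
}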
