package com.xdja.pki.controller.auth;

import com.xdja.pki.api.thirdApp.ThirdAppCertService;
import com.xdja.pki.common.bean.Result;
import com.xdja.pki.common.config.Cache;
import com.xdja.pki.common.enums.CertStatusEnum;
import com.xdja.pki.common.enums.ErrorEnum;
import com.xdja.pki.common.enums.KeyAlgEnum;
import com.xdja.pki.common.util.CertUtil;
import com.xdja.pki.common.vhsm.so.XdVhsmRsaCipher;
import com.xdja.pki.common.vhsm.so.XdVhsmSm2Cipher;
import com.xdja.pki.models.ThirdAppCertDO;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.web.servlet.ShiroHttpServletRequest;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

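@Aspect
@Component
/* loaded from: input_file:com/xdja/pki/controller/auth/OpenApiAuthSignAspect.class */
/**
 * Request-signature gate for controller methods annotated with {@code @OpenApiAuthSign}.
 *
 * <p>The caller sends four headers: {@code sn} (identifies the registered third-party
 * certificate), {@code timestamp} (client clock, epoch millis), {@code sign} (signature
 * value) and {@code signData} (informational only, never used for verification). The
 * aspect looks the certificate up by {@code sn}, checks its status/expiry, rebuilds the
 * expected signed payload as {@code base64(sn + ":" + timestamp)} and verifies
 * {@code sign} against the certificate's public key (RSA/SHA-256 or SM2 depending on the
 * registered key algorithm). Only on success is the target method invoked.
 *
 * <p>Security caveats a caller of this guard should be aware of:
 * <ul>
 *   <li>The signed payload binds only {@code sn} and {@code timestamp}, not the HTTP
 *       method, path, query or body. A captured {@code sign} can therefore be replayed
 *       against any {@code @OpenApiAuthSign} endpoint for as long as the timestamp stays
 *       inside the skew window; there is no nonce/seen-signature store here.</li>
 *   <li>The clock check now rejects timestamps that are too far in the <em>future</em>
 *       as well as too old; previously a future timestamp was accepted forever.</li>
 *   <li>Only the cached {@code notAfter} is checked; {@code notBefore} is not.</li>
 *   <li>Any {@link Throwable} — including one thrown by the guarded target method —
 *       is mapped to {@code SERVER_INTERNAL_EXCEPTION}. That preserves the original
 *       contract but hides business exceptions from the caller.</li>
 * </ul>
 */
public class OpenApiAuthSignAspect {
    private static final String HEADER_SN = "sn";
    private static final String HEADER_TIMESTAMP = "timestamp";
    private static final String HEADER_SIGN = "sign";
    private static final String HEADER_SIGN_DATA = "signData";

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Resource
    private ThirdAppCertService thirdAppCertService;

    /** Maximum allowed clock skew between client and server, in minutes. */
    @Value("${client.offset.time}")
    private int offsetTime;

    /**
     * Verifies the request signature and, on success, proceeds to the annotated method.
     *
     * @param proceedingJoinPoint the intercepted invocation
     * @return the target method's result on success, otherwise a {@code Result.failure}
     *         describing why verification was refused
     */
    @Around("@annotation(com.xdja.pki.controller.auth.OpenApiAuthSign)")
    public Object authAdmin(ProceedingJoinPoint proceedingJoinPoint) {
        try {
            HttpServletRequest request = currentRequest();
            String sn = request.getHeader(HEADER_SN);
            String timestampHeader = request.getHeader(HEADER_TIMESTAMP);
            String signature = request.getHeader(HEADER_SIGN);
            // Client-supplied copy of what it signed; logged for diagnostics only and
            // deliberately NOT used as verification input.
            String clientSignData = request.getHeader(HEADER_SIGN_DATA);

            if (StringUtils.isBlank(sn) || StringUtils.isBlank(timestampHeader) || StringUtils.isBlank(signature)) {
                this.logger.debug("通用审计验签失败，原因：请求参数非法 [sn={},timestamp={},sign={}]", sn, timestampHeader, signature);
                return Result.failure(ErrorEnum.MISSING_REQUIRED_PARAMETERS);
            }

            long clientTimestamp;
            try {
                clientTimestamp = Long.parseLong(timestampHeader);
            } catch (NumberFormatException e) {
                // A non-numeric timestamp is a malformed request, not a server fault.
                this.logger.debug("通用审计验签失败，原因：请求参数非法 [sn={},timestamp={},sign={}]", sn, timestampHeader, signature);
                return Result.failure(ErrorEnum.MISSING_REQUIRED_PARAMETERS);
            }

            long now = System.currentTimeMillis();
            if (!withinSkewWindow(now, clientTimestamp)) {
                this.logger.debug("通用审计验签失败，原因：客户端时间与服务器时间不一致,服务器时间戳[{}],客户机时间戳[{}]", now, clientTimestamp);
                return Result.failure(ErrorEnum.CLIENT_TIME_AND_SERVER_DISACCORD);
            }

            ThirdAppCertDO certRecord = (ThirdAppCertDO) Cache.THIRD_APP_CERT_INFO_CACHE.get(sn);
            if (certRecord == null) {
                return Result.failure(ErrorEnum.CERT_IS_NOT_EXISTED);
            }
            ErrorEnum usabilityError = certUsabilityError(certRecord, now);
            if (usabilityError != null) {
                return Result.failure(usabilityError);
            }

            // Rebuild the payload server-side so the client cannot choose what gets verified.
            String expectedSignData = convertSignData(sn, clientTimestamp);
            X509Certificate signCert = CertUtil.getCertFromBase64Str(certRecord.getSignCertData());
            if (verifySignature(certRecord, signCert, signature, expectedSignData)) {
                return proceedingJoinPoint.proceed(proceedingJoinPoint.getArgs());
            }
            this.logger.debug("开放接口操作审计验签失败，原因：证书验签失败。签名原文[{}],验签原文[{}],验签sn[{}],签名值[{}]",
                    clientSignData, expectedSignData, signCert.getSerialNumber().toString(16), signature);
            return Result.failure(ErrorEnum.VERIFY_OPEN_API_SIGN_FAIL);
        } catch (Throwable th) {
            // Also catches exceptions from proceed(); see class doc.
            this.logger.error("开放接口操作审计验签失败", th);
            return Result.failure(ErrorEnum.SERVER_INTERNAL_EXCEPTION);
        }
    }

    /**
     * Resolves the current servlet request. Throws if no request is bound to this thread,
     * which the caller maps to {@code SERVER_INTERNAL_EXCEPTION}.
     */
    private static HttpServletRequest currentRequest() {
        return ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
    }

    /**
     * True when the client clock is within {@code offsetTime} minutes of the server clock,
     * in either direction. Written as two comparisons rather than {@code Math.abs} so an
     * extreme (overflowing) client value is rejected instead of wrapping.
     */
    private boolean withinSkewWindow(long serverMillis, long clientMillis) {
        long windowMillis = this.offsetTime * 60L * 1000L;
        long skew = serverMillis - clientMillis;
        return skew <= windowMillis && skew >= -windowMillis;
    }

    /**
     * Returns the error to report for a certificate that must not be used, or
     * {@code null} when its status is NORMAL and it has not passed {@code notAfter}.
     */
    private static ErrorEnum certUsabilityError(ThirdAppCertDO certRecord, long now) {
        int status = certRecord.getStatus().intValue();
        if (CertStatusEnum.NORMAL.value != status) {
            if (CertStatusEnum.REVOKE.value == status) {
                return ErrorEnum.CERT_STATUS_IS_REVOKED;
            }
            if (CertStatusEnum.EXPIRE.value == status) {
                return ErrorEnum.CERT_STATUS_IS_EXPIRED;
            }
            return ErrorEnum.CERT_STATUS_IS_ABNORMAL;
        }
        if (certRecord.getNotAfterTime().getTime() < now) {
            return ErrorEnum.CERT_STATUS_IS_EXPIRED;
        }
        return null;
    }

    /**
     * Verifies {@code signature} over {@code signData} with the certificate's public key,
     * choosing RSA/SHA-256 or SM2 from the registered key algorithm.
     */
    private static boolean verifySignature(ThirdAppCertDO certRecord, X509Certificate signCert,
                                           String signature, String signData) {
        if (KeyAlgEnum.RSA.type == certRecord.getPublicKeyAlg().intValue()) {
            return XdVhsmRsaCipher.rsaVerifySignWithSha256(signature, signData, signCert.getPublicKey());
        }
        return XdVhsmSm2Cipher.sm2VerifySign(signature, signData, signCert.getPublicKey());
    }

    /**
     * Builds the canonical signed payload: {@code base64(sn + ":" + timestamp)}.
     * Encoded as UTF-8 explicitly so the payload does not depend on the platform charset.
     */
    private String convertSignData(String sn, Long timestamp) {
        return Base64.toBase64String((sn + ":" + timestamp).getBytes(StandardCharsets.UTF_8));
    }
}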
