package com.xdja.pki.service.socket;

import com.xdja.pki.api.cert.CertService;
import com.xdja.pki.api.crl.CrlService;
import com.xdja.pki.api.socket.SocketService;
import com.xdja.pki.common.bean.Result;
import com.xdja.pki.common.bean.extension.LdapOcspUrlInfo;
import com.xdja.pki.common.config.Cache;
import com.xdja.pki.common.enums.CaAlgInfoEnum;
import com.xdja.pki.common.enums.CertReqTypeEnum;
import com.xdja.pki.common.enums.CertStatusEnum;
import com.xdja.pki.common.enums.SocketRespTypeEnum;
import com.xdja.pki.common.enums.SystemEnum;
import com.xdja.pki.common.util.CertUtil;
import com.xdja.pki.common.util.P7bUtils;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

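@Service
/* loaded from: input_file:WEB-INF/lib/scms-service-impl-1.0-SNAPSHOT.jar:com/xdja/pki/service/socket/SocketServiceImpl.class */
public class SocketServiceImpl implements SocketService {

    /** Index of the keyCertSign bit in {@link X509Certificate#getKeyUsage()} (RFC 5280 §4.2.1.3). */
    private static final int KEY_USAGE_KEY_CERT_SIGN = 5;

    private static final Logger logger = LoggerFactory.getLogger(SocketServiceImpl.class);

    @Autowired
    private CertService certService;

    @Autowired
    private CrlService crlService;

    /**
     * Answers a gateway certificate query: parses the presented certificate (or PEM chain), checks
     * that it chains to the cached CA for its key algorithm, then reports the status stored for it.
     *
     * @param certReqTypeEnum how {@code str} is encoded; only BASE_64_CERT and CERT_CHAIN are handled
     * @param str             untrusted request payload from the gateway
     * @return CERT_IS_NOT_TRUST if the chain does not anchor at the CA, the stored-status result
     *         otherwise, or INNER_ERROR for any unsupported type or parsing/lookup failure
     */
    @Override // com.xdja.pki.api.socket.SocketService
    public Result certQuery(CertReqTypeEnum certReqTypeEnum, String str) {
        try {
            List<X509Certificate> chain;
            switch (certReqTypeEnum) {
                case BASE_64_CERT:
                    chain = new ArrayList<>();
                    chain.add(getCertFromBase64Str(str));
                    break;
                case CERT_CHAIN:
                    // PEM is ASCII; pin the charset so the platform default cannot alter the bytes
                    chain = CertUtil.getCertsFromPem(str.getBytes(StandardCharsets.UTF_8));
                    break;
                case CERT_DN:
                case TF_CARD:
                case USB_KEY:
                case SIM_CARD:
                case PCI_CARD:
                default:
                    // caught below and reported as INNER_ERROR, never propagated to the socket layer
                    throw new IllegalArgumentException("不支持的请求类型" + certReqTypeEnum);
            }
            if (!verify(chain)) {
                return Result.socketFailure(SocketRespTypeEnum.CERT_IS_NOT_TRUST);
            }
            // verify() guarantees a non-empty chain whose first element is the leaf
            return verifyCertStatus(chain.get(0), null, null);
        } catch (Exception e) {
            // fail closed, but keep the cause: a silent INNER_ERROR is undiagnosable in production
            logger.error("证书查询失败", e);
            return Result.socketFailure(SocketRespTypeEnum.INNER_ERROR);
        }
    }

    /**
     * Online verification of a single Base64 DER certificate presented by the gateway.
     * {@code certReqTypeEnum} is accepted for interface compatibility but not consulted: the payload
     * is always treated as a Base64 certificate.
     *
     * @param certReqTypeEnum unused
     * @param str             untrusted Base64 DER certificate
     * @return CERT_IS_NOT_TRUST if the certificate is not issued by the cached CA, the stored-status
     *         result otherwise, or INNER_ERROR on any failure
     */
    @Override // com.xdja.pki.api.socket.SocketService
    public Result certVerify(CertReqTypeEnum certReqTypeEnum, String str) {
        try {
            // NOTE: str is untrusted input; it is only ever logged at debug level
            logger.debug("网关进行证书在线验证:" + str);
            X509Certificate leaf = getCertFromBase64Str(str);
            List<X509Certificate> chain = new ArrayList<>();
            chain.add(leaf);
            if (!verify(chain)) {
                return Result.socketFailure(SocketRespTypeEnum.CERT_IS_NOT_TRUST);
            }
            Result outcome = verifyCertStatus(leaf, null, null);
            logger.debug("网关进行证书在线验证结束:" + outcome);
            return outcome;
        } catch (Exception e) {
            logger.error("证书在线验证失败", e);
            return Result.socketFailure(SocketRespTypeEnum.INNER_ERROR);
        }
    }

    /**
     * Decodes a Base64 string into an X.509 certificate using the BouncyCastle provider.
     *
     * @param str Base64-encoded DER certificate
     * @return the parsed certificate
     * @throws Exception if the Base64 or the DER structure is malformed, or the BC provider is absent
     */
    public X509Certificate getCertFromBase64Str(String str) throws Exception {
        byte[] der = Base64.decode(str);
        return (X509Certificate) CertificateFactory.getInstance("X509", "BC")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Returns the cached CRL entry named {@code CRL_NAME + i + CRL_NAME_TAIL}.
     * Whatever the cache holds for that key (possibly null) is wrapped in a success result.
     *
     * @param i CRL fragment / index appended to the cache key
     */
    @Override // com.xdja.pki.api.socket.SocketService
    public Result getCrl(int i) {
        String cacheKey = LdapOcspUrlInfo.CRL_NAME + i + LdapOcspUrlInfo.CRL_NAME_TAIL;
        return Result.socketSuccess(Cache.crl.get(cacheKey));
    }

    /**
     * Returns the CRL produced by {@link CrlService#getUpdateCrl(int, int)} for the given fragment
     * and algorithm. The returned CRL text is logged in full at debug level.
     *
     * @param i  CRL fragment index (semantics defined by CrlService)
     * @param i2 algorithm identifier
     */
    @Override // com.xdja.pki.api.socket.SocketService
    public Result getCrl(int i, int i2) {
        logger.debug("网关进行获取crl，alg:" + i2);
        String crl = this.crlService.getUpdateCrl(i, i2);
        logger.debug("网关进行获取crl结束，crl:" + crl);
        return Result.socketSuccess(crl);
    }

    /**
     * Delegates to {@link CrlService#computeFragmentationCountByAlg(int)}.
     *
     * @param i algorithm identifier
     * @return number of CRL fragments for that algorithm
     */
    @Override // com.xdja.pki.api.socket.SocketService
    public int computeFragmentationCountByAlg(int i) {
        return this.crlService.computeFragmentationCountByAlg(i);
    }

    /**
     * Validates a presented chain, leaf first, and anchors it at the cached CA chain selected by
     * the leaf's key algorithm.
     *
     * <p>Each presented certificate must be signed by the one after it, and every presented issuer
     * must be a CA certificate (basicConstraints present, keyCertSign if keyUsage is present) inside
     * its validity window — otherwise any end-entity certificate issued by this CA could mint a
     * "chain" for an arbitrary leaf. The last presented certificate must either be one of the
     * cached CA certificates or be signed by a cached CA certificate with a matching subject.
     *
     * <p>Leaf validity dates are deliberately not checked here; they are reported with a specific
     * response code by {@link #verifyCertStatus}.
     *
     * @param chain leaf first; null or empty is rejected
     * @return true only if the whole chain verifies and anchors at the cached CA
     * @throws Exception if the CA chain cannot be resolved or a key-algorithm lookup fails
     */
    private boolean verify(List<X509Certificate> chain) throws Exception {
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        X509Certificate leaf = chain.get(0);
        CaAlgInfoEnum caAlg = CaAlgInfoEnum.getCaAlgInfoEnum(
                SystemEnum.USER_SYSTEM, CertUtil.getCertKeyAlg(leaf.getPublicKey()).type);
        if (caAlg == null || Cache.caInfo.get(caAlg) == null) {
            // a key algorithm we have no CA for cannot be trusted
            logger.error("未找到对应算法的CA证书链");
            return false;
        }
        List<X509Certificate> trustedChain = P7bUtils.resolveCertChain(Cache.caInfo.get(caAlg).getCertChain());

        // 1. every presented certificate is signed by the next one, which must itself be a usable CA
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate subject = chain.get(i);
            X509Certificate issuer = chain.get(i + 1);
            if (!isUsableAsIssuer(issuer)) {
                return false;
            }
            try {
                subject.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                logger.error("证书链验签失败", e);
                return false;
            }
        }

        // 2. the top of the presented chain must be, or be signed by, a cached CA certificate
        X509Certificate top = chain.get(chain.size() - 1);
        for (X509Certificate anchor : trustedChain) {
            if (top.equals(anchor)) {
                return true;
            }
            if (top.getIssuerX500Principal().equals(anchor.getSubjectX500Principal())) {
                try {
                    top.verify(anchor.getPublicKey());
                    return true;
                } catch (GeneralSecurityException e) {
                    // keep looking: a renewed CA certificate can share the subject but not the key
                    logger.error("证书验签失败", e);
                }
            }
        }
        return false;
    }

    /**
     * Checks that a certificate presented as an intermediate issuer is allowed to sign certificates:
     * inside its validity window, basicConstraints marks it as a CA, and keyUsage (when present)
     * includes keyCertSign.
     */
    private boolean isUsableAsIssuer(X509Certificate issuer) {
        try {
            issuer.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            logger.error("证书链中的颁发者证书不在有效期内", e);
            return false;
        }
        // getBasicConstraints() is -1 when the extension is absent or cA is false
        if (issuer.getBasicConstraints() < 0) {
            logger.error("证书链中的颁发者证书不是CA证书");
            return false;
        }
        boolean[] keyUsage = issuer.getKeyUsage();
        if (keyUsage != null
                && (keyUsage.length <= KEY_USAGE_KEY_CERT_SIGN || !keyUsage[KEY_USAGE_KEY_CERT_SIGN])) {
            logger.error("证书链中的颁发者证书缺少keyCertSign用途");
            return false;
        }
        return true;
    }

    /**
     * Looks the leaf certificate up in the CA store by hex serial number and maps its stored status
     * to a socket response. A NORMAL stored status additionally requires the certificate to be inside
     * its own validity window, so a stale status row cannot vouch for an expired certificate.
     *
     * <p>NOTE(review): the lookup is keyed on the serial alone; serials are only unique per issuer,
     * so confirm that {@code queryCert} scopes the lookup to this CA if several CAs share the store.
     *
     * @param leaf the end-entity certificate whose status is being checked
     * @param num  passed through to {@code queryCert}; always null from this class
     * @param str2 passed through to {@code queryCert}; always null from this class
     * @return socket success for NORMAL, the matching failure for REVOKE/EXPIRE/FROZEN
     * @throws Exception if the lookup fails or the stored status is missing/unknown
     */
    private Result verifyCertStatus(X509Certificate leaf, Integer num, String str2) throws Exception {
        String serialHex = leaf.getSerialNumber().toString(16);
        Result queryResult = this.certService.queryCert(serialHex, num, str2, null);
        if (!queryResult.isSuccess()) {
            return Result.socketFailure(SocketRespTypeEnum.CERT_IS_NOT_EXIT);
        }
        Object rawStatus = ((Map<?, ?>) queryResult.getInfo()).get("status");
        CertStatusEnum status = rawStatus == null ? null : CertStatusEnum.get(((Number) rawStatus).intValue());
        if (status == null) {
            // surfaces as INNER_ERROR in the callers: an unknown status must never read as valid
            throw new IllegalStateException("不支持的证书状态");
        }
        switch (status) {
            case NORMAL:
                try {
                    leaf.checkValidity();
                } catch (CertificateExpiredException e) {
                    return Result.socketFailure(SocketRespTypeEnum.CERT_IS_EXPIRED);
                } catch (CertificateNotYetValidException e) {
                    return Result.socketFailure(SocketRespTypeEnum.CERT_IS_NOT_TRUST);
                }
                return Result.socketSuccess(null);
            case REVOKE:
                return Result.socketFailure(SocketRespTypeEnum.CERT_IS_REVOKE);
            case EXPIRE:
                return Result.socketFailure(SocketRespTypeEnum.CERT_IS_EXPIRED);
            case FROZEN:
                return Result.socketFailure(SocketRespTypeEnum.CERT_IS_FREEZE);
            default:
                throw new IllegalStateException("不支持的证书状态");
        }
    }
}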
