package koal.usap.client.pep.util;

import com.koal.security.asn1.ObjectIdentifier;
import com.koal.security.pki.x509.Certificate;
import com.koal.security.pki.x509.CertificateList;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import koal.common.emengine.EMException;
import koal.common.emengine.HashAlgo;
import koal.common.emengine.util.EngineHelper;
import koal.security.gb.SM2Engine;
import koal.security.utils.Base64;
import koal.usap.client.exception.CertExceptionType;
import koal.usap.client.exception.VerifyFalseException;

/* loaded from: input_file:koal/usap/client/pep/util/CertCheckUtil.class */
/**
 * Static helpers for checking an X.509 certificate against its issuer certificate, its validity
 * period and a caller-supplied certificate revocation list (CRL).
 *
 * <p>This listing is decompiler output. The compiler-generated switch-map holder class that the
 * decompiler surfaced for the {@code HashAlgo} switch has been folded back into an ordinary
 * {@code switch} on the enum; the compiler regenerates it.
 *
 * <p>NOTE(review): these helpers verify a single issuer-to-subject link only. No code in this
 * class compares issuer and subject names, checks that the issuer is a CA (basic constraints or
 * key usage), or walks a chain to a trust anchor. Callers must make sure {@code certificate2} is
 * itself trusted.
 */
public class CertCheckUtil {

    /**
     * Runs the signature, expiry, revocation and not-before checks, in that order, and reports
     * the first failure as a negative code.
     *
     * @param certificate the certificate under test
     * @param certificate2 the certificate whose public key must have signed {@code certificate}
     * @param str Base64 text of an encoded CRL, passed to {@link #isCertRevoked}
     * @return {@code 1} when every check passes; {@code -1} when the signature does not verify;
     *     {@code -2} when the certificate has expired; {@code -3} when its serial number is
     *     listed in the CRL; {@code -5} when it is not yet valid
     * @throws Exception if decoding or a cryptographic operation fails
     */
    public static int validateCert(Certificate certificate, Certificate certificate2, String str) throws Exception {
        boolean signedByIssuer = verifyByFather(certificate, certificate2);
        if (!signedByIssuer) {
            return -1;
        }
        boolean notExpired = verifyValidTo(certificate);
        if (!notExpired) {
            return -2;
        }
        boolean revoked = isCertRevoked(str, certificate);
        if (revoked) {
            return -3;
        }
        if (verifyValidFrom(certificate)) {
            return 1;
        }
        return -5;
    }

    /**
     * Runs the signature, expiry and not-before checks and throws on the first failure.
     *
     * <p>NOTE(review): unlike the three-argument overload, this variant performs no revocation
     * check, so a {@code true} result says nothing about revocation status.
     *
     * @param certificate the certificate under test
     * @param certificate2 the certificate whose public key must have signed {@code certificate}
     * @return {@code true} when every check passes; this method never returns {@code false}
     * @throws VerifyFalseException with {@code CERT_PATH_ERROR}, {@code CERT_OUTDATE_ERROR} or
     *     {@code CERT_UNENFORCED_ERROR} for a bad signature, an expired certificate or a
     *     not-yet-valid certificate respectively
     * @throws Exception if decoding or a cryptographic operation fails
     */
    public static boolean validateCert(Certificate certificate, Certificate certificate2) throws Exception {
        if (!verifyByFather(certificate, certificate2)) {
            throw new VerifyFalseException(CertExceptionType.CERT_PATH_ERROR);
        }
        if (!verifyValidTo(certificate)) {
            throw new VerifyFalseException(CertExceptionType.CERT_OUTDATE_ERROR);
        }
        if (!verifyValidFrom(certificate)) {
            throw new VerifyFalseException(CertExceptionType.CERT_UNENFORCED_ERROR);
        }
        return true;
    }

    /**
     * Verifies the signature on {@code certificate} with the public key of {@code certificate2}.
     *
     * <p>The verification path is chosen by the type of the issuer key: an {@link RSAPublicKey}
     * uses SHA1-with-RSA or SHA256-with-RSA according to the digest derived from the
     * certificate's signature algorithm OID, and every other key type is handed to
     * {@code SM2Engine}.
     *
     * <p>NOTE(review): the non-RSA branch does not consult the declared signature algorithm, so
     * any non-RSA key is treated as SM2. The OID is read through
     * {@code getToBeSignedSignature()} only and is never compared with a second algorithm field
     * in this method. Confirm whether the library enforces that match elsewhere.
     *
     * <p>NOTE(review): SHA-1 signatures are still accepted. SHA-1 is no longer
     * collision-resistant, so deployments that can do so should reject such certificates by
     * policy.
     *
     * @param certificate the certificate whose signature is checked
     * @param certificate2 the certificate that supplies the verification key
     * @return the result reported by the selected verification routine
     * @throws EMException if the issuer key is RSA and the digest is neither SHA1 nor SHA256
     * @throws Exception if encoding, algorithm lookup or verification fails
     */
    public static boolean verifyByFather(Certificate certificate, Certificate certificate2) throws Exception {
        byte[] tbsBytes = certificate.getToBeSigned().getEncoded();
        byte[] signatureBytes = (byte[]) certificate.getSignature().getValue();
        ObjectIdentifier sigAlgOid = certificate.getToBeSignedSignature().getAlgorithm();
        PublicKey issuerKey = certificate2.getPublicKey();
        // Resolved before the key-type test, so a lookup failure surfaces for SM2 certificates too.
        HashAlgo digest = EngineHelper.getDigestMethod(EngineHelper.getSigAlgoAliasByOid(sigAlgOid));

        if (issuerKey instanceof RSAPublicKey) {
            // A null digest fails here with a NullPointerException, as the ordinal() lookup did.
            switch (digest) {
                case SHA1:
                    return EngineHelper.sha1RSAVerify(issuerKey, tbsBytes, signatureBytes);
                case SHA256:
                    return EngineHelper.sha256RSAVerify(issuerKey, tbsBytes, signatureBytes);
                default:
                    // Message: "signature algorithms other than SHA1 and SHA256 are not
                    // supported with an RSA private key".
                    throw new EMException("不支持使用RSA私钥进行SHA1和SHA256之外的签名算法");
            }
        }
        return new SM2Engine().verify(issuerKey, tbsBytes, signatureBytes);
    }

    /**
     * Reports whether the certificate's validity period has already begun.
     *
     * <p>The comparison is {@code before(now)} against the local system clock; assuming
     * {@code java.util.Date} semantics, a start time equal to the current instant counts as not
     * yet valid.
     *
     * @param certificate the certificate to inspect
     * @return {@code true} if the valid-from value lies before the current time
     */
    public static boolean verifyValidFrom(Certificate certificate) {
        Date now = new Date();
        return certificate.getValidFromValue().before(now);
    }

    /**
     * Reports whether the certificate's validity period has not yet ended.
     *
     * <p>The comparison is {@code after(now)} against the local system clock; assuming
     * {@code java.util.Date} semantics, an end time equal to the current instant counts as
     * expired.
     *
     * @param certificate the certificate to inspect
     * @return {@code true} if the valid-to value lies after the current time
     */
    public static boolean verifyValidTo(Certificate certificate) {
        Date now = new Date();
        return certificate.getValidToValue().after(now);
    }

    /**
     * Looks up the certificate's serial number in a Base64-encoded CRL.
     *
     * <p>NOTE(review): the CRL is decoded and searched, nothing more. This method does not verify
     * the CRL's signature, does not check that the CRL was issued by the certificate's issuer,
     * and does not look at its update times. A stale, foreign or tampered CRL therefore yields
     * "not revoked". Authenticate {@code str} before relying on the result.
     *
     * <p>NOTE(review): an absent revoked-certificates list (permitted for an empty CRL) would
     * fail on the {@code getComponentCount()} call if the library returns {@code null} for it.
     * Confirm against the ASN.1 library.
     *
     * @param str Base64 text of the encoded CRL
     * @param certificate the certificate whose serial number is searched for
     * @return {@code true} if an entry's serial number equals the certificate's, compared as
     *     case-insensitive strings
     * @throws Exception if the CRL cannot be decoded
     */
    public static boolean isCertRevoked(String str, Certificate certificate) throws Exception {
        CertificateList crl = new CertificateList();
        crl.decode(Base64.decode(str));
        String wantedSerial = certificate.getSerialNumber().toString();
        int entryCount = crl.getTbsCertList().getRevokedCertificates().getComponentCount();
        int index = 0;
        while (index < entryCount) {
            String listedSerial =
                    crl.getTbsCertList().getRevokedCertificates().getComponent(index).getUserCertificate().toString();
            if (listedSerial.equalsIgnoreCase(wantedSerial)) {
                return true;
            }
            index++;
        }
        return false;
    }
}
