package com.xdja.pki.ca.openapi.api.aop;

import com.xdja.pki.ca.certmanager.dao.models.ManageCertDataDO;
import com.xdja.pki.ca.core.ca.util.gm.cert.CertUtil;
import com.xdja.pki.ca.core.common.ErrorEnum;
import com.xdja.pki.ca.core.common.Result;
import com.xdja.pki.ca.core.exception.ServiceException;
import com.xdja.pki.ca.openapi.service.v1.IRAOpenApiService;
import com.xdja.pki.ca.openapi.service.v1.bean.RAinfoRep;
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.util.Strings;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.util.ContentCachingRequestWrapper;

@Aspect
@PropertySource({"classpath:extendedkeyusage.properties"})
@Component
@Order(1)
/* loaded from: input_file:WEB-INF/classes/com/xdja/pki/ca/openapi/api/aop/CAOpenApiAspect.class */
public class CAOpenApiAspect {
    private Logger logger = LoggerFactory.getLogger(getClass());
    private static String REQ_MEHTOD_GET = "GET";

    @Autowired
    private IRAOpenApiService RAOpenApiService;

    @Value("${ca-openapi.response.overtime}")
    private int openApiRespOverTime;

    @Pointcut("execution(* com.xdja.pki.ca.openapi.api.v1.*.*(..)) && !execution(* com.xdja.pki.ca.openapi.api.v1.*.*Test(..))")
    public void excutePointCut() {
    }

    @Around("excutePointCut()")
    public Object doAroundAdvice(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        String buildPostReqSignData;
        this.logger.debug("opeanapi请求拦截方法开始执行=====");
        ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        HttpServletRequestWrapper request = servletRequestAttributes.getRequest();
        HttpServletResponse response = servletRequestAttributes.getResponse();
        ContentCachingRequestWrapper contentCachingRequestWrapper = !(request instanceof ContentCachingRequestWrapper) ? (ContentCachingRequestWrapper) request.getRequest() : (ContentCachingRequestWrapper) request;
        String header = contentCachingRequestWrapper.getHeader("sn");
        String header2 = contentCachingRequestWrapper.getHeader("sign");
        String header3 = contentCachingRequestWrapper.getHeader("time");
        String remoteAddr = contentCachingRequestWrapper.getRemoteAddr();
        if (StringUtils.isBlank(header) || StringUtils.isBlank(header2) || StringUtils.isBlank(header3)) {
            return ErrorEnum.MISSING_REQUIRED_PARAMETERS.resp(response);
        }
        String method = contentCachingRequestWrapper.getMethod();
        Long valueOf = Long.valueOf(header3);
        if (System.currentTimeMillis() - valueOf.longValue() > this.openApiRespOverTime * 60 * 1000) {
            this.logger.error("openapi接口调用失败，客户端时间与服务器时间不一致，系统时间：[{}],请求时间：[{}]", Long.valueOf(System.currentTimeMillis()), valueOf);
            return ErrorEnum.CLIENT_TIME_AND_SERVER_DISACCORD.resp(response);
        }
        if (REQ_MEHTOD_GET.equals(method)) {
            String requestURI = contentCachingRequestWrapper.getRequestURI();
            this.logger.debug("openapi接口调用uri地址：[{}]", requestURI);
            this.logger.debug("reqSN:" + header);
            this.logger.debug("time:" + valueOf);
            this.logger.debug("uri:" + requestURI);
            buildPostReqSignData = OpenApiReqSignDataUtil.buildGetReqSignData(header, header3, requestURI);
        } else {
            byte[] contentAsByteArray = contentCachingRequestWrapper.getContentAsByteArray();
            this.logger.debug("reqSN：" + header);
            this.logger.debug("time：" + valueOf);
            this.logger.debug("bodyData：" + Base64.toBase64String(contentAsByteArray));
            buildPostReqSignData = OpenApiReqSignDataUtil.buildPostReqSignData(header, header3, contentAsByteArray);
        }
        this.logger.debug("openapi组装请求签名数据原文：" + buildPostReqSignData);
        this.logger.debug("openapi接收的sign：" + header2);
        try {
            RAinfoRep rAInfoBySN = this.RAOpenApiService.getRAInfoBySN(header);
            contentCachingRequestWrapper.setAttribute("raInfo", rAInfoBySN);
            if (remoteAddr.equals(rAInfoBySN.getIp())) {
                Result verifySign = verifySign(header, header2, buildPostReqSignData);
                return !verifySign.isSuccess() ? verifySign.getError().resp(response) : proceedingJoinPoint.proceed();
            }
            this.logger.error("openapi接口调用失败，请求IP地址错误,请求的IP地址为[{}],当前RA[" + rAInfoBySN.getName() + "]的IP地址为[{}]", remoteAddr, rAInfoBySN.getIp());
            return ErrorEnum.UNAUTHORIZED_REQUEST.resp(response);
        } catch (ServiceException e) {
            this.logger.error("ca-openapiAOP查询RA信息异常，", (Throwable) e);
            return ErrorEnum.RA_INFO_NOT_EXIST.resp(response);
        }
    }

    private Result verifySign(String str, String str2, String str3) throws IOException {
        Result result = null;
        try {
            result = this.RAOpenApiService.getRaServerCertByRaId(str);
        } catch (ServiceException e) {
            this.logger.error("查询ra服务器证书异常，", (Throwable) e);
        }
        if (!result.isSuccess()) {
            return result;
        }
        ManageCertDataDO manageCertDataDO = (ManageCertDataDO) result.getInfo();
        if (null == manageCertDataDO || StringUtils.isBlank(manageCertDataDO.getData())) {
            return Result.failure(ErrorEnum.CERT_DATA_NOT_EXIST);
        }
        X509Certificate certFromStr = CertUtil.getCertFromStr(manageCertDataDO.getData());
        if (certFromStr.getNotAfter().before(new Date())) {
            this.logger.error("ra服务器证书已过期,sn=[{}]", certFromStr.getSerialNumber());
            return Result.failure(ErrorEnum.CERT_ISSUE_STATUE_EXPIRED);
        }
        if (this.RAOpenApiService.verifySign(certFromStr.getSigAlgName(), certFromStr.getPublicKey(), Base64.decode(str3), Base64.decode(str2))) {
            this.logger.debug("openapi签名验签通过，sn=[{}]，sign=[{}]", str, str2);
            return Result.success();
        }
        this.logger.info("raServerCertSn:" + str);
        this.logger.info("publickeyStr:" + certFromStr.getPublicKey().toString());
        this.logger.info("publickey:" + Strings.fromByteArray(Hex.encode(SubjectPublicKeyInfo.getInstance(certFromStr.getPublicKey().getEncoded()).getPublicKeyData().getBytes())));
        this.logger.error("openapi签名数据验签失败");
        return Result.failure(ErrorEnum.VERIFY_SERVER_CERT_SIGN_FAIL);
    }
}
