package com.xdja.pki.ca.certmanager.service.userca;

import com.xdja.pki.ca.certmanager.dao.SubCaCertDao;
import com.xdja.pki.ca.certmanager.dao.models.SubCaCertDO;
import com.xdja.pki.ca.certmanager.service.crltemplate.CrlTemplateService;
import com.xdja.pki.ca.certmanager.service.task.TaskDataService;
import com.xdja.pki.ca.certmanager.service.template.TemplateService;
import com.xdja.pki.ca.certmanager.service.template.bean.TemplateInfoVO;
import com.xdja.pki.ca.certmanager.service.userca.bean.UpdateUserCaCertReq;
import com.xdja.pki.ca.certmanager.service.userca.bean.UpdateUserCaP10Req;
import com.xdja.pki.ca.certmanager.service.userca.bean.UserCaCertReq;
import com.xdja.pki.ca.certmanager.service.userca.bean.UserCaVO;
import com.xdja.pki.ca.certmanager.service.userca.bean.UserSubCaP10Req;
import com.xdja.pki.ca.certmanager.service.util.CertContentInfoUtil;
import com.xdja.pki.ca.certmanager.service.util.ExtensionUtil;
import com.xdja.pki.ca.certmanager.service.util.TemplateParamsUtil;
import com.xdja.pki.ca.core.Constants;
import com.xdja.pki.ca.core.ca.util.gm.cert.CertUtil;
import com.xdja.pki.ca.core.common.ErrorEnum;
import com.xdja.pki.ca.core.common.PageInfo;
import com.xdja.pki.ca.core.common.Result;
import com.xdja.pki.ca.core.configBasic.bean.CaPwdBean;
import com.xdja.pki.ca.core.enums.CertStatusEnum;
import com.xdja.pki.ca.core.enums.TemplateStatusEnum;
import com.xdja.pki.ca.core.exception.DAOException;
import com.xdja.pki.ca.core.exception.ServiceException;
import com.xdja.pki.ca.core.pkcs7.P7bUtils;
import com.xdja.pki.ca.core.util.CertUtils;
import com.xdja.pki.ca.core.util.DnUtil;
import com.xdja.pki.ca.core.util.FileUtils;
import com.xdja.pki.ca.core.util.json.JsonUtils;
import com.xdja.pki.ca.core.util.time.DateTimeUtil;
import com.xdja.pki.ca.core.util.time.IssueTimeUtil;
import com.xdja.pki.ca.hsm.manager.HsmManager;
import com.xdja.pki.ca.hsm.manager.bean.UserSubCaP10ReqDTO;
import com.xdja.pki.ca.ldap.service.vo.LdapOcspUrlVO;
import com.xdja.pki.ca.securitymanager.dao.CaCertDao;
import com.xdja.pki.ca.securitymanager.dao.CaDao;
import com.xdja.pki.ca.securitymanager.dao.CertSnDao;
import com.xdja.pki.ca.securitymanager.dao.dto.UserCaBaseDTO;
import com.xdja.pki.ca.securitymanager.dao.dto.UserCaDTO;
import com.xdja.pki.ca.securitymanager.dao.model.CaCertDO;
import com.xdja.pki.ca.securitymanager.dao.model.CaDO;
import com.xdja.pki.ca.securitymanager.service.configfile.ConfigFileService;
import com.xdja.pki.ca.securitymanager.service.vo.AlgTypeEnum;
import com.xdja.pki.ca.securitymanager.service.vo.BasicContrainsEnum;
import com.xdja.pki.ca.securitymanager.service.vo.CaInfoVO;
import com.xdja.pki.ca.securitymanager.service.vo.IssueCaBaseInfo;
import com.xdja.pki.ca.securitymanager.service.vo.OldAndNewDTO;
import com.xdja.pki.ca.securitymanager.service.vo.SignAlgTypeEnum;
import com.xdja.pki.core.utils.DateUtils;
import com.xdja.pki.gmssl.crypto.init.GMSSLPkiCryptoInit;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2KeyUtils;
import com.xdja.pki.gmssl.sdf.yunhsm.utils.GMSSLSancHsmUtils;
import com.xdja.pki.gmssl.x509.utils.bean.GMSSLCryptoType;
import com.xdja.pki.gmssl.x509.utils.bean.YunHsmExceptionEnum;
import java.io.File;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
/* loaded from: input_file:com/xdja/pki/ca/certmanager/service/userca/UserCaServiceImpl.class */
public class UserCaServiceImpl implements UserCaService {

    // All collaborators are field-injected by Spring (@Autowired); nothing is assigned in a constructor.

    // CA master records (name uniqueness check, save, delete).
    @Autowired
    CaDao caDao;

    // CA certificate rows: paging, lookup by id, root-CA check, current-flag updates.
    @Autowired
    CaCertDao caCertDao;

    // Not referenced in the visible part of this class.
    @Autowired
    CertContentInfoUtil certContentInfoUtil;

    // Template lookup (key algorithm, key size, validity, extensions, CRL template).
    @Autowired
    TemplateService templateService;

    // Crypto-device facade: key generation, (self-)signing, private-key storage.
    @Autowired
    HsmManager hsmManager;

    // Serial-number allocation (getMaxSn).
    @Autowired
    CertSnDao certSnDao;

    // Resolves CRL distribution / OCSP URLs for a certificate.
    @Autowired
    CrlTemplateService crlTemplateService;

    // buildEncOrDecDate(true|false, ...) encrypts / decrypts the key PIN before it is stored in CaCertDO.
    @Autowired
    ConfigFileService configFileService;

    // Queues publish and status-sync tasks after a certificate is issued.
    @Autowired
    TaskDataService taskDataService;

    // Self-reference through the Spring proxy; used for getIssueUserCaBaseInfoByCaId so that
    // call is not a plain this-invocation (presumably to keep its AOP/transaction behaviour).
    @Autowired
    UserCaService userCaService;

    // Not referenced in the visible part of this class.
    @Autowired
    SubCaCertDao subCaCertDao;
    private Logger logger = LoggerFactory.getLogger(getClass());

    // Mode flag forwarded to HsmManager.saveUserCaCertPrivateKey; bound from property save.private.key.hsm.
    @Value("${save.private.key.hsm}")
    private int savePriKeyHsm = 0;

    /**
     * Returns one page of user CAs, with every row converted to a {@link UserCaVO}.
     * <p>
     * Parameter names were lost in decompilation; presumably the two strings are filters and
     * the two integers are page number and page size — confirm against {@code UserCaService}.
     *
     * @param str  first filter argument passed through to {@code CaCertDao.getUserCaList}
     * @param str2 second filter argument passed through to {@code CaCertDao.getUserCaList}
     * @param num  paging argument passed through unchanged
     * @param num2 paging argument passed through unchanged
     * @return a success {@code Result} whose info is the {@link PageInfo} with VO rows
     * @throws ServiceException wrapping any exception raised by the DAO or the conversion
     */
    public Result queryUserCaList(String str, String str2, Integer num, Integer num2) {
        final String failureMessage = "分页获取用户CA列表失败";
        PageInfo page;
        try {
            page = this.caCertDao.getUserCaList(str, str2, num, num2);
            @SuppressWarnings("unchecked")
            List<UserCaBaseDTO> rows = (List<UserCaBaseDTO>) page.getDatas();
            page.setDatas(getUseVOListFromBaseDTOList(rows));
        } catch (Exception ex) {
            this.logger.error(failureMessage, ex);
            throw new ServiceException(failureMessage, ex);
        }
        return Result.success(page);
    }

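    /**
     * Converts DAO rows into view objects and derives each row's certificate status from
     * its not-after time.
     * <p>
     * {@code certStatus} is excluded from the property copy and set here instead: NORMAL when
     * the not-after time is at or after the current time, EXPIRE otherwise. Rows with a blank
     * not-after time keep whatever default {@link UserCaVO} has.
     *
     * @param list DAO rows; {@code null} or empty yields an empty list
     * @return a new, mutable list of VOs in the same order as {@code list}
     */
    private List<UserCaVO> getUseVOListFromBaseDTOList(List<UserCaBaseDTO> list) {
        if (list == null || list.isEmpty()) {
            return new ArrayList<>();
        }
        List<UserCaVO> result = new ArrayList<>(list.size());
        // One clock read for the whole page so every row is judged against the same instant.
        long now = DateTimeUtil.getCurrentTime().longValue();
        for (UserCaBaseDTO dto : list) {
            UserCaVO vo = new UserCaVO();
            BeanUtils.copyProperties(dto, vo, "certStatus");
            String notAfter = dto.getNotAfterTime();
            if (StringUtils.isNotBlank(notAfter)) {
                boolean stillValid = DateTimeUtil.dateTimeStrToLong(notAfter) >= now;
                CertStatusEnum status = stillValid ? CertStatusEnum.NORMAL : CertStatusEnum.EXPIRE;
                vo.setCertStatus(Integer.valueOf(status.getValue()));
            }
            result.add(vo);
        }
        return result;
    }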

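    /**
     * Issues (self-signs) a root user CA certificate.
     * <p>
     * Steps, in order: reject duplicate CA names; load the template; reject ECC templates on the
     * SANC HSM backend; persist the {@link CaDO}; generate the CA key pair on the crypto device;
     * run {@link #checkIssueCertParams}; compute validity, serial number and CRL/OCSP URLs;
     * validate template parameters and build the extension list; have the HSM self-sign the
     * certificate; persist the {@link CaCertDO} with the key PIN stored encrypted
     * ({@code buildEncOrDecDate(true, ...)}); store the temporary private key when one was
     * produced; queue publish and status-sync tasks.
     * <p>
     * {@code Constants.CA_INFO} holds the in-flight {@link IssueCaBaseInfo} under the new CA id
     * while the certificate is produced. That object carries the key index, key PIN and possibly
     * a temporary private key, so the entry is removed on every exit path, not only on success.
     *
     * @param userCaCertReq issuing request (CA name, subject DN, template id, period, key index,
     *                      key PIN, template parameters)
     * @return {@code Result.success()} when the certificate was issued, otherwise a failure
     *         {@code Result} carrying the {@link ErrorEnum}
     * @throws ServiceException if the issuing-parameter check fails or any generation or
     *                          persistence step throws; thrown (not returned) so that
     *                          {@code @Transactional} can roll back the rows written so far
     */
    @Transactional
    public Result genRootUserCa(UserCaCertReq userCaCertReq) {
        CaDO existingCa = this.caDao.getCaByCaName(userCaCertReq.getUserCaName());
        if (existingCa != null) {
            this.logger.info("用户CA名称已存在：{}", existingCa.getName());
            return Result.failure(ErrorEnum.USER_CA_NAME_NOT_UNIQUE);
        }
        Result templateResult = this.templateService.getTemplateById(Long.valueOf(userCaCertReq.getTemplateId()));
        if (!templateResult.isSuccess()) {
            return Result.failure(ErrorEnum.TEMPLATE_NOT_EXIST);
        }
        TemplateInfoVO templateInfoVO = (TemplateInfoVO) templateResult.getInfo();
        // ECC key templates are not usable with the SANC HSM crypto backend.
        if (AlgTypeEnum.ECC.getValue() == templateInfoVO.getKeyAlg().intValue()
                && GMSSLCryptoType.SANC_HSM == GMSSLPkiCryptoInit.getCryptoType()) {
            this.logger.info("签发用户CA根证书失败，原因：当前密码设备不支持ECC算法模板，keyAlg={}", templateInfoVO.getKeyAlg());
            return Result.failure(ErrorEnum.UNSUPPORTED_ALGORITHM_EXCEPTION);
        }
        CaDO caDO = new CaDO();
        caDO.setName(userCaCertReq.getUserCaName());
        caDO.setBaseDn("");
        caDO.setType(Integer.valueOf(CaDO.CaTypeEnum.ROOT_CA.getValue()));
        caDO.setKeyAlg(templateInfoVO.getKeyAlg());
        caDO.setIsMaster(Integer.valueOf(CaDO.CaMasterEnum.NO.getValue()));
        caDO.setIssueCertType(templateInfoVO.getIssueCertType());
        caDO.setGmtCreate(new Date());
        caDO.setGmtModified(new Date());
        Long id = this.caDao.saveCaInfo(caDO).getId();
        IssueCaBaseInfo issueCaBaseInfo = new IssueCaBaseInfo();
        BeanUtils.copyProperties(userCaCertReq, issueCaBaseInfo);
        issueCaBaseInfo.setIssue(userCaCertReq.getSubjectDn());
        issueCaBaseInfo.setCaCertPublishType(templateInfoVO.getIssueCertType().intValue());
        // Shared scratch entry for the duration of issuance (presumably read by the HSM layer);
        // every exit path below removes it again.
        Constants.CA_INFO.put(id, issueCaBaseInfo);
        Result keyGenResult = this.hsmManager.genUserCaPublicKeyByCryptyDevice(userCaCertReq.getKeyIndex(), templateInfoVO.getKeyAlg(), templateInfoVO.getKeySize(), id, false);
        if (!keyGenResult.isSuccess()) {
            Constants.CA_INFO.remove(id);
            this.caDao.deleteCaById(id.longValue());
            return keyGenResult;
        }
        PublicKey publicKey = (PublicKey) keyGenResult.getInfo();
        CaInfoVO adminCaInfo = (CaInfoVO) Constants.CA_INFO.get(Constants.ADMIN_CA_ID);
        Result paramCheck = checkIssueCertParams(userCaCertReq.getSubjectDn(), templateInfoVO, adminCaInfo, publicKey, userCaCertReq.getKeyIndex(), userCaCertReq.getKeyPwd());
        if (!paramCheck.isSuccess()) {
            Constants.CA_INFO.remove(id);
            this.logger.info("不符合自签发根证书条件,自签发根证书失败 {}", paramCheck.getError().getDesc());
            // Thrown rather than returned so the CaDO row written above is rolled back.
            throw new ServiceException("不符合自签发根证书条件,自签发根证书失败");
        }
        try {
            Date notBefore = new Date();
            Date notAfter = IssueTimeUtil.getCorrectTime(Long.valueOf(userCaCertReq.getPeriod()), templateInfoVO.getMaxValidity(), notBefore);
            BigInteger serial = this.certSnDao.getMaxSn(notBefore);
            LdapOcspUrlVO dirAndOcspUrl = this.crlTemplateService.getDirAndOcspUrl(serial, userCaCertReq.getSubjectDn(), adminCaInfo, issueCaBaseInfo, 1, templateInfoVO.getId(), templateInfoVO.getCrlTempId(), templateInfoVO.getOpenCrl());
            Result paramsResult = TemplateParamsUtil.validity(templateInfoVO, userCaCertReq.getParams());
            if (!paramsResult.isSuccess()) {
                Constants.CA_INFO.remove(id);
                this.caDao.deleteCaById(id.longValue());
                this.logger.info("签发根CA证书失败：缺少模板需要参数");
                return Result.failure(ErrorEnum.MISSING_REQUIRED_PARAMETERS);
            }
            // Element types of the extension list / parameter map are not recoverable from this
            // decompiled source, so the raw types are kept as in the original.
            List extensions = ExtensionUtil.changeExtensionFormat(templateInfoVO.getExtensions(), (Map) paramsResult.getInfo(), publicKey, userCaCertReq.getSubjectDn(), dirAndOcspUrl, true);
            issueCaBaseInfo.setKeyIndex(userCaCertReq.getKeyIndex());
            issueCaBaseInfo.setKeyPwd(userCaCertReq.getKeyPwd());
            issueCaBaseInfo.setSubject(userCaCertReq.getSubjectDn());
            X509Certificate rootCert = this.hsmManager.genRootX509Certificate(userCaCertReq.getSubjectDn(), serial, notBefore, notAfter, publicKey, issueCaBaseInfo, extensions, templateInfoVO.getSignAlg());
            CaCertDO caCertDO = new CaCertDO();
            caCertDO.setCaId(id);
            caCertDO.setAfterTime(rootCert.getNotAfter());
            caCertDO.setBeforeTime(rootCert.getNotBefore());
            caCertDO.setCert(CertUtil.writeObject(rootCert));
            caCertDO.setGmtCreate(new Date());
            caCertDO.setIsCurrent(Integer.valueOf(CaCertDO.CaCertCurrentEnum.VALID.getValue()));
            // A self-signed root's chain is the certificate itself.
            ArrayList certChain = new ArrayList();
            certChain.add(rootCert);
            caCertDO.setCertChain(P7bUtils.createCertChainByCerts(certChain));
            caCertDO.setIssue(CertUtil.getIssuerByX509Cert(rootCert));
            caCertDO.setTemplateId(Long.valueOf(userCaCertReq.getTemplateId()));
            caCertDO.setPrivateKeySize(templateInfoVO.getKeySize());
            caCertDO.setSignAlg(templateInfoVO.getSignAlg());
            caCertDO.setPublicKeyAlg(templateInfoVO.getKeyAlg());
            caCertDO.setSn(rootCert.getSerialNumber().toString(16));
            caCertDO.setSubject(CertUtil.getSubjectByX509Cert(rootCert));
            caCertDO.setStatus(1);
            caCertDO.setKeyIndex(userCaCertReq.getKeyIndex());
            // The key PIN is persisted only in encrypted form.
            caCertDO.setKeyPwd(this.configFileService.buildEncOrDecDate(true, userCaCertReq.getKeyPwd()));
            this.caCertDao.save(caCertDO);
            if (issueCaBaseInfo.getTempPrivateKey() != null) {
                this.logger.info("============保存私钥信息============{}", this.savePriKeyHsm);
                this.hsmManager.saveUserCaCertPrivateKey(id, rootCert, issueCaBaseInfo.getTempPrivateKey(), this.savePriKeyHsm);
            }
            Constants.CA_INFO.remove(id);
            this.taskDataService.savePublishCert(caCertDO.getId(), (Long) null, 3, templateInfoVO.getIssueCertType());
            this.taskDataService.saveSyncStatusCert(caCertDO.getId(), (Long) null, 5, Integer.valueOf(CertStatusEnum.NORMAL.getValue()), (Integer) null, new Date());
            return Result.success();
        } catch (Exception e) {
            // Drop the scratch entry (key index / PIN / temp private key) before propagating.
            Constants.CA_INFO.remove(id);
            throw new ServiceException("签发CA根证书失败", e);
        }
    }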

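    /**
     * Renews a root user CA certificate identified by its cert row id.
     * <p>
     * Loads the current {@link CaCertDO}, checks that it is a root CA under the admin CA, loads
     * and validates its template, then fills an {@link OldAndNewDTO} with the old and new
     * subject, validity window, key pair and key-PIN pair. Key handling:
     * <ul>
     *   <li>{@code updateKey == false} and no key index: keep the existing key pair and PIN;</li>
     *   <li>key index given: use the hardware key at that index (XDJA HSM: a PIN is required and
     *       its access right is verified; SWXA HSM: the device connection is tested);</li>
     *   <li>otherwise: generate a fresh software key pair via {@code genUserCaPublicKeyByBc}.</li>
     * </ul>
     * It then produces the new-with-old cross certificate, the new root certificate, the
     * old-with-new cross certificate, marks the old row as not current, re-saves the same
     * {@code CaCertDO} object as the new row (PIN stored encrypted, {@code oldCertId} pointing
     * back), stores the temporary private key if one exists, and queues publish/sync tasks.
     *
     * @param l                   id of the current root user CA cert row
     * @param updateUserCaCertReq renewal request (subject DN, period in days, updateKey flag,
     *                            optional key index / PIN)
     * @return {@code Result.success()} on renewal, otherwise a failure {@code Result}
     * @throws ServiceException if the new root certificate cannot be generated; it is
     *                          re-thrown through the enclosing catch blocks instead of being
     *                          converted into a failure {@code Result}, so that
     *                          {@code @Transactional} can roll back partial writes
     */
    @Transactional
    public Result updateRootUserCa(Long l, UpdateUserCaCertReq updateUserCaCertReq) {
        IssueCaBaseInfo issueCaBaseInfo;
        this.logger.info("开始执行用户CA证书更新操作：userCaCertId:{}", l);
        try {
            CaCertDO caCertById = this.caCertDao.getCaCertById(l.longValue());
            if (caCertById == null) {
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            Long caId = caCertById.getCaId();
            this.logger.info("开始执行用户CA证书更新操作：caId:{},sn{}", caId, caCertById.getSn());
            if (!this.caCertDao.isRootCa(caCertById.getSn(), Constants.ADMIN_CA_ID).booleanValue()) {
                this.logger.info("当前CA不是根用户CA sn为{}", caCertById.getSn());
                return Result.failure(ErrorEnum.CURRENT_CA_IS_NOT_ROOT_USER_CA_CERT);
            }
            Result templateResult = this.templateService.getTemplateById(caCertById.getTemplateId());
            if (!templateResult.isSuccess()) {
                return Result.failure(ErrorEnum.TEMPLATE_NOT_EXIST);
            }
            TemplateInfoVO templateInfoVO = (TemplateInfoVO) templateResult.getInfo();
            if (null == templateInfoVO) {
                this.logger.info("查询模板信息结果：模板不存在[{}]", caCertById.getTemplateId());
                return Result.failure(ErrorEnum.TEMPLATE_NOT_EXIST);
            }
            if (TemplateStatusEnum.NORMAL.getValue() != templateInfoVO.getStatus().intValue()) {
                this.logger.info("查询模板信息结果：模板状态不正常，模板状态为[{}]", templateInfoVO.getStatus());
                return Result.failure(ErrorEnum.TEMPLATE_STATUS_IS_STOP);
            }
            OldAndNewDTO oldAndNewDTO = new OldAndNewDTO();
            if (Constants.CA_INFO.get(caId) == null) {
                // Called through the injected UserCaService (Spring proxy) rather than this,
                // presumably so the call keeps its own AOP/transaction behaviour.
                Result baseInfoResult = this.userCaService.getIssueUserCaBaseInfoByCaId(caId);
                if (!baseInfoResult.isSuccess()) {
                    return baseInfoResult;
                }
                issueCaBaseInfo = (IssueCaBaseInfo) baseInfoResult.getInfo();
                Constants.CA_INFO.put(caId, issueCaBaseInfo);
            } else {
                issueCaBaseInfo = (IssueCaBaseInfo) Constants.CA_INFO.get(caId);
            }
            // Only identifying fields are logged: IssueCaBaseInfo also carries the key PIN and private key.
            this.logger.debug("根证书【更新前】缓存数据=== caId:{} subject:{}", caId, issueCaBaseInfo.getSubject());
            oldAndNewDTO.setOldSubject(issueCaBaseInfo.getSubject());
            oldAndNewDTO.setOldCaPwdBean(new CaPwdBean(caCertById.getKeyIndex(), caCertById.getKeyPwd()));
            oldAndNewDTO.setOldCertAfterTime(caCertById.getAfterTime());
            oldAndNewDTO.setOldCertBeforeTime(caCertById.getBeforeTime());
            oldAndNewDTO.setOldPrivateKey(issueCaBaseInfo.getPrivateKey());
            oldAndNewDTO.setOldPublicKey(issueCaBaseInfo.getPublicKey());
            CaInfoVO caInfoVO = (CaInfoVO) Constants.CA_INFO.get(Constants.ADMIN_CA_ID);
            if (null == caInfoVO || StringUtils.isBlank(caInfoVO.getBaseDn())) {
                this.logger.info("管理CA为空，未查到CA基本信息");
                return Result.failure(ErrorEnum.CA_BASEINFO_GET_FAIL);
            }
            String subjectDn = updateUserCaCertReq.getSubjectDn();
            // The new subject must stay under the admin CA's base DN (case-insensitive suffix match).
            if (StringUtils.isBlank(subjectDn) || !subjectDn.toLowerCase().endsWith(caInfoVO.getBaseDn().toLowerCase())) {
                this.logger.info("更新CA根证书失败：DN中的baseDn不正确[{}]", subjectDn);
                return Result.failure(ErrorEnum.BASEDN_ERROR);
            }
            Integer period = updateUserCaCertReq.getPeriod();
            if (period == null) {
                this.logger.info("更新CA根证书失败：未指定有效期天数");
                return Result.failure(ErrorEnum.ILLEGAL_REQUEST_PARAMETER);
            }
            try {
                DnUtil.getRFC4519X500Name(subjectDn);
                oldAndNewDTO.setNewSubject(subjectDn);
                Date notBefore = new Date();
                if (period.intValue() > templateInfoVO.getMaxValidity().intValue()) {
                    this.logger.info("延期天数超过模板最大有效期");
                    return Result.failure(ErrorEnum.TIME_BEYOND_VALIDITY_ERROR);
                }
                // Computed in long: period * 86400000 overflows int for any period above 24 days,
                // which would have produced a not-after time in the past.
                Date notAfter = new Date(notBefore.getTime() + period.longValue() * 86400000L);
                oldAndNewDTO.setNewCertBeforeTime(notBefore);
                oldAndNewDTO.setNewCertAfterTime(notAfter);
                this.logger.debug("更新证书的生效时间:{} 失效时间:{} 有效期天数:{}", new Object[]{DateTimeUtil.dateToStr(notBefore), DateTimeUtil.dateToStr(notAfter), period});
                if (!updateUserCaCertReq.getUpdateKey().booleanValue() && updateUserCaCertReq.getKeyIndex() == null) {
                    this.logger.info("==============不更新密钥=================");
                    issueCaBaseInfo.setTempPrivateKey(issueCaBaseInfo.getPrivateKey());
                    oldAndNewDTO.setNewPublicKey(issueCaBaseInfo.getPublicKey());
                    oldAndNewDTO.setNewPrivateKey(issueCaBaseInfo.getPrivateKey());
                    oldAndNewDTO.setNewCaPwdBean(new CaPwdBean(caCertById.getKeyIndex(), this.configFileService.buildEncOrDecDate(false, caCertById.getKeyPwd())));
                } else if (updateUserCaCertReq.getKeyIndex() != null) {
                    this.logger.info("==============更新密钥 硬件=================");
                    if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_XDJA_HSM.intValue() && StringUtils.isNotBlank(updateUserCaCertReq.getKeyPwd())) {
                        if (!GMSSLSM2KeyUtils.getPrivateKeyAccessRightFromYunHsm(updateUserCaCertReq.getKeyIndex().intValue(), updateUserCaCertReq.getKeyPwd())) {
                            // Only the key index is logged; the request object also carries the key PIN.
                            this.logger.error("更新根证书失败：信大捷安密码机两码没有访问权限[keyIndex={}]", updateUserCaCertReq.getKeyIndex());
                            return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
                        }
                        CaPwdBean xdjaPwdBean = new CaPwdBean(updateUserCaCertReq.getKeyIndex(), updateUserCaCertReq.getKeyPwd());
                        try {
                            PublicKey xdjaPublicKey = this.hsmManager.getSignPublicKeyByHsm(xdjaPwdBean.getKeyIndex(), issueCaBaseInfo.getPublicKeyAlg());
                            oldAndNewDTO.setNewCaPwdBean(xdjaPwdBean);
                            oldAndNewDTO.setNewPublicKey(xdjaPublicKey);
                        } catch (Exception e) {
                            this.logger.error("密码机索引不符合需要的密钥算法", e);
                            return Result.failure(ErrorEnum.HSM_INDEX_NOT_FORMAT_KEY_ALG);
                        }
                    } else {
                        if (Constants.CRYPT_DEVICE_TYPE.intValue() != Constants.CRYPT_DEVICE_SWXA_HSM.intValue()) {
                            // Reached for an XDJA HSM request without a key PIN, or for a device type that cannot hold the key.
                            this.logger.error("请求参数错误：密码设备类型[{}] keyIndex[{}]", Constants.CRYPT_DEVICE_TYPE, updateUserCaCertReq.getKeyIndex());
                            return Result.failure(ErrorEnum.ILLEGAL_REQUEST_PARAMETER);
                        }
                        if (YunHsmExceptionEnum.NORMAL.id != GMSSLSancHsmUtils.testConnect().id) {
                            this.logger.error("更新根证书失败：获取三未信安密码机异常[keyIndex={}]", updateUserCaCertReq.getKeyIndex());
                            return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
                        }
                        CaPwdBean sancPwdBean = new CaPwdBean(updateUserCaCertReq.getKeyIndex(), updateUserCaCertReq.getKeyPwd());
                        try {
                            PublicKey sancPublicKey = this.hsmManager.getSignPublicKeyByHsm(sancPwdBean.getKeyIndex(), issueCaBaseInfo.getPublicKeyAlg());
                            oldAndNewDTO.setNewCaPwdBean(sancPwdBean);
                            oldAndNewDTO.setNewPublicKey(sancPublicKey);
                        } catch (Exception e2) {
                            this.logger.error("密码机索引不符合需要的密钥算法", e2);
                            return Result.failure(ErrorEnum.HSM_INDEX_NOT_FORMAT_KEY_ALG);
                        }
                    }
                } else {
                    this.logger.info("==============更新密钥 软件=================");
                    // genUserCaPublicKeyByBc(..., true) also leaves the new private key in issueCaBaseInfo.tempPrivateKey.
                    PublicKey bcPublicKey = this.hsmManager.genUserCaPublicKeyByBc(caId, templateInfoVO.getKeyAlg(), templateInfoVO.getKeySize(), true);
                    oldAndNewDTO.setNewPrivateKey(issueCaBaseInfo.getTempPrivateKey());
                    oldAndNewDTO.setNewPublicKey(bcPublicKey);
                    oldAndNewDTO.setNewCaPwdBean(new CaPwdBean(caCertById.getKeyIndex(), this.configFileService.buildEncOrDecDate(false, caCertById.getKeyPwd())));
                }
                try {
                    completeNewWithOldUserCaCert(templateInfoVO, oldAndNewDTO, issueCaBaseInfo, caCertById);
                    BigInteger newSerial = this.certSnDao.getMaxSn(new Date());
                    try {
                        issueCaBaseInfo.setPublicKey(oldAndNewDTO.getNewPublicKey());
                        issueCaBaseInfo.setPrivateKey(oldAndNewDTO.getNewPrivateKey());
                        issueCaBaseInfo.setKeyIndex(oldAndNewDTO.getNewCaPwdBean().getKeyIndex());
                        issueCaBaseInfo.setKeyPwd(oldAndNewDTO.getNewCaPwdBean().getPrivateKeyPin());
                        issueCaBaseInfo.setSubject(oldAndNewDTO.getNewSubject());
                        X509Certificate newRootCert = this.hsmManager.genRootX509Certificate(
                                updateUserCaCertReq.getSubjectDn(), newSerial, notBefore, notAfter,
                                oldAndNewDTO.getNewPublicKey(), issueCaBaseInfo,
                                ExtensionUtil.updateExtension(
                                        CertUtil.genExtensions(CertUtils.getCertFromStr(caCertById.getCert())),
                                        this.crlTemplateService.getDirAndOcspUrl(newSerial, updateUserCaCertReq.getSubjectDn(), caInfoVO, issueCaBaseInfo, 1, templateInfoVO.getId(), templateInfoVO.getCrlTempId(), templateInfoVO.getOpenCrl()),
                                        oldAndNewDTO.getNewSubject(), oldAndNewDTO.getNewPublicKey()),
                                templateInfoVO.getSignAlg());
                        try {
                            completeOldWithNewUserCaCert(templateInfoVO, oldAndNewDTO, issueCaBaseInfo, caCertById);
                            this.logger.info("将旧的根CA证书{}的当前状态更新为不在使用", caCertById.getSn());
                            this.caCertDao.setIsCurrent(l, CaCertDO.CaCertCurrentEnum.INVALID.getValue());
                            // Element type of the chain list is not recoverable from this decompiled source; kept raw.
                            ArrayList certChain = new ArrayList();
                            certChain.add(newRootCert);
                            // The loaded row object is reused as the NEW cert row; oldCertId links it to the row just invalidated.
                            caCertById.setCert(CertUtil.writeObject(newRootCert));
                            caCertById.setCertChain(P7bUtils.createCertChainByCerts(certChain));
                            caCertById.setKeyIndex(oldAndNewDTO.getNewCaPwdBean().getKeyIndex());
                            caCertById.setKeyPwd(this.configFileService.buildEncOrDecDate(true, oldAndNewDTO.getNewCaPwdBean().getPrivateKeyPin()));
                            caCertById.setSubject(oldAndNewDTO.getNewSubject());
                            caCertById.setIssue(oldAndNewDTO.getNewSubject());
                            caCertById.setCaId(caId);
                            caCertById.setSn(newSerial.toString(16));
                            caCertById.setOldCertId(l);
                            caCertById.setIsCurrent(Integer.valueOf(CaCertDO.CaCertCurrentEnum.VALID.getValue()));
                            caCertById.setAfterTime(notAfter);
                            caCertById.setBeforeTime(notBefore);
                            caCertById.setGmtCreate(notBefore);
                            this.caCertDao.save(caCertById);
                            if (issueCaBaseInfo.getTempPrivateKey() != null) {
                                this.hsmManager.saveUserCaCertPrivateKey(caId, newRootCert, issueCaBaseInfo.getTempPrivateKey(), this.savePriKeyHsm);
                                FileUtils.deleteFileByPath(Constants.CA_CERT_PRIVATE_PATH + "/" + caId + "/tmpPrivate.key");
                            }
                            Constants.CA_INFO.remove(caId);
                            this.taskDataService.savePublishCert(caCertById.getId(), (Long) null, 3, templateInfoVO.getIssueCertType());
                            this.taskDataService.saveSyncStatusCert(caCertById.getId(), (Long) null, 5, Integer.valueOf(CertStatusEnum.NORMAL.getValue()), (Integer) null, new Date());
                            return Result.success();
                        } catch (Exception e3) {
                            // NOTE(review): setIsCurrent/save may already have run when this is reached; returning a
                            // failure Result (rather than throwing) leaves those writes uncommitted-or-not according
                            // to the transaction proxy's rollback rules — confirm the intended outcome.
                            this.logger.error("构造OldWithNew证书或保存新根证书异常", e3);
                            return Result.failure(ErrorEnum.BUILD_NEWWITHOLD_CERT_EXCEPTION);
                        }
                    } catch (Exception e4) {
                        throw new ServiceException("更新CA根证书失败", e4);
                    }
                } catch (ServiceException serviceEx) {
                    // ServiceException is thrown unchecked elsewhere in this class, so the catch (Exception)
                    // below would otherwise swallow the one thrown just above and report it as a cross-cert failure.
                    throw serviceEx;
                } catch (Exception e5) {
                    this.logger.error("构造NewWithOld证书异常", e5);
                    return Result.failure(ErrorEnum.BUILD_NEWWITHOLD_CERT_EXCEPTION);
                }
            } catch (ServiceException serviceEx2) {
                throw serviceEx2;
            } catch (Exception e6) {
                // Anything else raised between DN parsing and cross-cert generation is reported as a DN error.
                this.logger.debug("需要更新的证书DN不符合X500规范[{}]", subjectDn);
                return Result.failure(ErrorEnum.DN_FORMAT_FAIL);
            }
        } catch (DAOException e7) {
            this.logger.error("更新CA根证书失败：数据库操作异常", e7);
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }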

    /**
     * Builds the "old with new" cross certificate (old subject and old public key, signed
     * with the current {@code issueCaBaseInfo} credentials) and stores it on the cert row.
     * <p>
     * The cross certificate's not-after time is the earlier of the old and new certificates'
     * not-after times; its not-before time is the old certificate's.
     *
     * @param templateInfoVO  template supplying id, CRL template id, CRL flag and signature algorithm
     * @param oldAndNewDTO    old/new subject, key and validity data collected by the caller
     * @param issueCaBaseInfo issuing CA credentials used by the HSM layer for signing
     * @param caCertDO        cert row whose current certificate supplies the base extensions and
     *                        which receives the result via {@code setOldWithNewCert}
     * @throws Exception propagated from serial allocation, extension rebuilding or signing
     */
    private void completeOldWithNewUserCaCert(TemplateInfoVO templateInfoVO, OldAndNewDTO oldAndNewDTO, IssueCaBaseInfo issueCaBaseInfo, CaCertDO caCertDO) throws Exception {
        Date now = new Date();
        CaInfoVO adminCaInfo = (CaInfoVO) Constants.CA_INFO.get(Constants.ADMIN_CA_ID);
        BigInteger serial = this.certSnDao.getMaxSn(now);
        String oldSubject = oldAndNewDTO.getOldSubject();
        PublicKey oldPublicKey = oldAndNewDTO.getOldPublicKey();
        Date oldNotBefore = oldAndNewDTO.getOldCertBeforeTime();
        Date newNotAfter = oldAndNewDTO.getNewCertAfterTime();
        Date oldNotAfter = oldAndNewDTO.getOldCertAfterTime();
        Date notAfter = newNotAfter.getTime() < oldNotAfter.getTime() ? newNotAfter : oldNotAfter;
        X509Certificate crossCert = this.hsmManager.genX509Certificate(
                oldSubject, serial, oldNotBefore, notAfter, (CaInfoVO) null, issueCaBaseInfo, oldPublicKey,
                ExtensionUtil.updateExtension(
                        CertUtil.genExtensions(CertUtils.getCertFromStr(caCertDO.getCert())),
                        this.crlTemplateService.getDirAndOcspUrl(serial, oldSubject, adminCaInfo, issueCaBaseInfo, 1, templateInfoVO.getId(), templateInfoVO.getCrlTempId(), templateInfoVO.getOpenCrl()),
                        oldSubject, oldPublicKey),
                templateInfoVO.getSignAlg());
        caCertDO.setOldWithNewCert(CertUtil.writeObject(crossCert));
    }

    /**
     * Builds the "new with old" cross certificate (new subject and new public key, signed
     * with the current {@code issueCaBaseInfo} credentials) and stores it on the cert row.
     * <p>
     * The cross certificate's not-after time is the earlier of the old and new certificates'
     * not-after times; its not-before time is the new certificate's.
     *
     * @param templateInfoVO  template supplying id, CRL template id, CRL flag and signature algorithm
     * @param oldAndNewDTO    old/new subject, key and validity data collected by the caller
     * @param issueCaBaseInfo issuing CA credentials used by the HSM layer for signing
     * @param caCertDO        cert row whose current certificate supplies the base extensions and
     *                        which receives the result via {@code setNewWithOldCert}
     * @throws Exception propagated from serial allocation, extension rebuilding or signing
     */
    private void completeNewWithOldUserCaCert(TemplateInfoVO templateInfoVO, OldAndNewDTO oldAndNewDTO, IssueCaBaseInfo issueCaBaseInfo, CaCertDO caCertDO) throws Exception {
        Date now = new Date();
        CaInfoVO adminCaInfo = (CaInfoVO) Constants.CA_INFO.get(Constants.ADMIN_CA_ID);
        BigInteger serial = this.certSnDao.getMaxSn(now);
        String newSubject = oldAndNewDTO.getNewSubject();
        PublicKey newPublicKey = oldAndNewDTO.getNewPublicKey();
        Date newNotBefore = oldAndNewDTO.getNewCertBeforeTime();
        Date newNotAfter = oldAndNewDTO.getNewCertAfterTime();
        Date oldNotAfter = oldAndNewDTO.getOldCertAfterTime();
        Date notAfter = newNotAfter.getTime() < oldNotAfter.getTime() ? newNotAfter : oldNotAfter;
        X509Certificate crossCert = this.hsmManager.genX509Certificate(
                newSubject, serial, newNotBefore, notAfter, (CaInfoVO) null, issueCaBaseInfo, newPublicKey,
                ExtensionUtil.updateExtension(
                        CertUtil.genExtensions(CertUtils.getCertFromStr(caCertDO.getCert())),
                        this.crlTemplateService.getDirAndOcspUrl(serial, newSubject, adminCaInfo, issueCaBaseInfo, 1, templateInfoVO.getId(), templateInfoVO.getCrlTempId(), templateInfoVO.getOpenCrl()),
                        newSubject, newPublicKey),
                templateInfoVO.getSignAlg());
        caCertDO.setNewWithOldCert(CertUtil.writeObject(crossCert));
    }

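    /**
     * Creates a sub user CA record and generates its PKCS#10 certificate request.
     * <p>
     * Steps: reject duplicate CA names; validate the subject DN; verify HSM access (XDJA: key
     * index / PIN access right, SWXA: device connection); persist a {@link CaDO} and a
     * {@link CaCertDO} with status 0 (PIN stored encrypted); ask {@link HsmManager} for the
     * PKCS#10; write it Base64-encoded to {@code <CA_CERT_PRIVATE_PATH>/<caId>/SubCa.p10}.
     * If the HSM step fails, both rows are deleted again and the HSM failure is returned.
     *
     * @param userSubCaP10Req request (CA name, subject DN, key/sign algorithms, key size,
     *                        optional key index / PIN)
     * @return success with {@code {"p10Name": "SubCa_<caId>"}}, otherwise a failure {@code Result}
     * @throws ServiceException if persisting the rows or generating/writing the PKCS#10 throws;
     *                          deliberately not converted into a failure {@code Result} so that
     *                          {@code @Transactional} can roll back the rows written so far
     */
    @Transactional
    public Result genSubUserCaP10(UserSubCaP10Req userSubCaP10Req) {
        CaDO existingCa = this.caDao.getCaByCaName(userSubCaP10Req.getUserCaName());
        if (existingCa != null) {
            this.logger.info("用户CA名称已存在：{}", existingCa.getName());
            return Result.failure(ErrorEnum.USER_CA_NAME_NOT_UNIQUE);
        }
        try {
            DnUtil.getRFC4519X500Name(userSubCaP10Req.getSubjectDn());
            // Only the key index is logged on HSM failures; the request object also carries the key PIN.
            if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_XDJA_HSM.intValue() && !GMSSLSM2KeyUtils.getPrivateKeyAccessRightFromYunHsm(userSubCaP10Req.getKeyIndex().intValue(), userSubCaP10Req.getKeyPwd())) {
                this.logger.error("生成P10失败：信大捷安密码机两码没有访问权限[keyIndex={}]", userSubCaP10Req.getKeyIndex());
                return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
            }
            if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_SWXA_HSM.intValue() && GMSSLSancHsmUtils.testConnect().id != YunHsmExceptionEnum.NORMAL.id) {
                this.logger.error("生成P10失败：连接三未信安密码机异常[keyIndex={}]", userSubCaP10Req.getKeyIndex());
                return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
            }
            try {
                CaDO caDO = new CaDO();
                caDO.setName(userSubCaP10Req.getUserCaName());
                caDO.setBaseDn("");
                caDO.setType(Integer.valueOf(CaDO.CaTypeEnum.SUB_CA.getValue()));
                caDO.setKeyAlg(userSubCaP10Req.getPublicKeyAlg());
                caDO.setIsMaster(Integer.valueOf(CaDO.CaMasterEnum.NO.getValue()));
                caDO.setGmtCreate(new Date());
                CaDO savedCa = this.caDao.saveCaInfo(caDO);
                Long caId = savedCa.getId();
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("子用户CA ID {}", caId);
                    this.logger.debug("子用户CA 信息 {}", JsonUtils.object2Json(savedCa));
                }
                CaCertDO caCertDO = new CaCertDO();
                caCertDO.setCaId(caId);
                caCertDO.setSubject(userSubCaP10Req.getSubjectDn());
                caCertDO.setSignAlg(String.valueOf(userSubCaP10Req.getSignAlg()));
                caCertDO.setPrivateKeySize(userSubCaP10Req.getPrivateKeySize());
                caCertDO.setPublicKeyAlg(userSubCaP10Req.getPublicKeyAlg());
                caCertDO.setIsCurrent(Integer.valueOf(CaCertDO.CaCertCurrentEnum.VALID.getValue()));
                // Status 0: request generated, certificate not yet imported.
                caCertDO.setStatus(0);
                if (null != userSubCaP10Req.getKeyIndex()) {
                    caCertDO.setKeyIndex(userSubCaP10Req.getKeyIndex());
                }
                if (StringUtils.isNotEmpty(userSubCaP10Req.getKeyPwd())) {
                    // The key PIN is persisted only in encrypted form.
                    caCertDO.setKeyPwd(this.configFileService.buildEncOrDecDate(true, userSubCaP10Req.getKeyPwd()));
                }
                caCertDO.setGmtCreate(new Date());
                CaCertDO savedCert = this.caCertDao.save(caCertDO);
                Long certId = savedCert.getId();
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("子用户CA Cert ID {}", certId);
                }
                UserSubCaP10ReqDTO p10ReqDto = new UserSubCaP10ReqDTO();
                BeanUtils.copyProperties(userSubCaP10Req, p10ReqDto);
                Result p10Result = this.hsmManager.genOrUpdateSubUserCaP10(p10ReqDto, caId, false);
                if (!p10Result.isSuccess()) {
                    // Undo the two rows written above before reporting the HSM failure.
                    this.caCertDao.deleteCaCertByCertId(savedCert.getId().longValue());
                    this.caDao.deleteCaById(caId.longValue());
                    return p10Result;
                }
                PKCS10CertificationRequest p10 = (PKCS10CertificationRequest) p10Result.getInfo();
                FileUtils.save(Base64.toBase64String(p10.getEncoded()), Constants.CA_CERT_PRIVATE_PATH + "/" + caId + "/SubCa.p10");
                Map<String, String> info = new HashMap<>();
                info.put("p10Name", "SubCa_" + caId);
                return Result.success(info);
            } catch (Exception ex) {
                this.logger.error("生成子用户CA的p10申请书失败", ex);
                throw new ServiceException("生成子用户CA的p10申请书失败", ex);
            }
        } catch (ServiceException serviceEx) {
            // ServiceException is thrown unchecked elsewhere in this class; without this clause the
            // catch (Exception) below would swallow the one thrown just above, report it as a DN
            // format error and leave the partially written rows in place.
            throw serviceEx;
        } catch (Exception ex2) {
            this.logger.error("生成P10失败: DN不符合X500规范[{}]", userSubCaP10Req.getSubjectDn());
            return Result.failure(ErrorEnum.DN_FORMAT_FAIL);
        }
    }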

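    /**
     * Regenerates the PKCS#10 request for an existing sub user CA certificate record.
     *
     * <p>The request is forced into "update key" mode. A supplied subject DN is validated against
     * RFC 4519 before use; otherwise the stored subject is reused. On a hardware crypto device the
     * new key index / PIN is checked against the HSM and remembered in {@code tempKey.dat} under the
     * CA's private directory so that the later certificate upload can pick it up. The generated
     * request is written as {@code SubCa.p10} in the same directory.
     *
     * @param l                  id of the CA certificate record to update
     * @param updateUserCaP10Req optional subject DN plus key index / PIN of the new key
     * @return success carrying {@code p10Name}, or a failure code for an unknown id, a bad DN,
     *         or an HSM access problem
     * @throws ServiceException if the key file or the P10 cannot be written, or HSM generation fails
     */
    @Transactional
    public Result updateSubUserCaGenP10(Long l, UpdateUserCaP10Req updateUserCaP10Req) {
        updateUserCaP10Req.setUpdateKey(true);
        CaCertDO caCertById = this.caCertDao.getCaCertById(l.longValue());
        // An unknown id used to surface as a NullPointerException on getCaId(); answer it the
        // same way the other lookups in this class do.
        if (caCertById == null) {
            return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
        }
        Long caId = caCertById.getCaId();
        UserSubCaP10ReqDTO userSubCaP10ReqDTO = new UserSubCaP10ReqDTO();
        if (StringUtils.isNotEmpty(updateUserCaP10Req.getSubjectDn())) {
            try {
                // Parse only to validate; the DN is forwarded exactly as the caller wrote it.
                DnUtil.getRFC4519X500Name(updateUserCaP10Req.getSubjectDn());
                userSubCaP10ReqDTO.setSubjectDn(updateUserCaP10Req.getSubjectDn());
            } catch (Exception e) {
                this.logger.error("生成P10失败: DN不符合X500规范[{}]", updateUserCaP10Req.getSubjectDn());
                return Result.failure(ErrorEnum.DN_FORMAT_FAIL);
            }
        } else {
            userSubCaP10ReqDTO.setSubjectDn(caCertById.getSubject());
        }
        // Key index / PIN handling only applies to hardware devices.
        if (!Constants.CRYPT_DEVICE_TYPE.equals(Constants.CRYPT_DEVICE_BC)) {
            if (updateUserCaP10Req.isUpdateKey()) {
                if (null != updateUserCaP10Req.getKeyIndex()) {
                    if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_XDJA_HSM.intValue()) {
                        if (!GMSSLSM2KeyUtils.getPrivateKeyAccessRightFromYunHsm(updateUserCaP10Req.getKeyIndex().intValue(), updateUserCaP10Req.getKeyPwd())) {
                            // Log the key index only: the request object also carries the key PIN.
                            this.logger.error("生成P10失败：信大捷安密码机两码没有访问权限[{}]", updateUserCaP10Req.getKeyIndex());
                            return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
                        }
                        caCertById.setKeyIndex(updateUserCaP10Req.getKeyIndex());
                        // The entity copy of the PIN is encrypted; the HSM request DTO needs it in clear.
                        caCertById.setKeyPwd(this.configFileService.buildEncOrDecDate(true, updateUserCaP10Req.getKeyPwd()));
                        userSubCaP10ReqDTO.setKeyIndex(updateUserCaP10Req.getKeyIndex());
                        userSubCaP10ReqDTO.setKeyPwd(updateUserCaP10Req.getKeyPwd());
                    }
                    if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_SWXA_HSM.intValue()) {
                        if (GMSSLSancHsmUtils.testConnect().id != YunHsmExceptionEnum.NORMAL.id) {
                            this.logger.error("生成P10失败：连接三未信安密码机异常[{}]", updateUserCaP10Req.getKeyIndex());
                            return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
                        }
                        caCertById.setKeyIndex(updateUserCaP10Req.getKeyIndex());
                        userSubCaP10ReqDTO.setKeyIndex(updateUserCaP10Req.getKeyIndex());
                    }
                }
                // Remember the new key location for uploadUserCaCert, which reads tempKey.dat back.
                // NOTE(review): the bean is written as plain JSON, so the PIN rests unencrypted under
                // CA_CERT_PRIVATE_PATH until the certificate is uploaded; confirm the directory is
                // restricted to the service account.
                CaPwdBean caPwdBean = new CaPwdBean();
                caPwdBean.setKeyIndex(updateUserCaP10Req.getKeyIndex());
                if (StringUtils.isNotEmpty(updateUserCaP10Req.getKeyPwd())) {
                    caPwdBean.setPrivateKeyPin(updateUserCaP10Req.getKeyPwd());
                }
                try {
                    FileUtils.save(JsonUtils.object2Json(caPwdBean), Constants.CA_CERT_PRIVATE_PATH + "/" + caId + "/tempKey.dat");
                } catch (Exception e2) {
                    this.logger.error("保存公私钥失败", e2);
                    throw new ServiceException("保存公私钥失败", e2);
                }
            } else {
                // Not changing the key: reuse the index / (encrypted) PIN stored on the record.
                userSubCaP10ReqDTO.setKeyIndex(caCertById.getKeyIndex());
                userSubCaP10ReqDTO.setKeyPwd(caCertById.getKeyPwd());
            }
        }
        try {
            userSubCaP10ReqDTO.setUpdateKey(updateUserCaP10Req.isUpdateKey());
            userSubCaP10ReqDTO.setCert(caCertById.getCert());
            userSubCaP10ReqDTO.setPrivateKeySize(caCertById.getPrivateKeySize());
            userSubCaP10ReqDTO.setPublicKeyAlg(caCertById.getPublicKeyAlg());
            // signAlg is stored as a string; a non-numeric value ends up in the catch below.
            userSubCaP10ReqDTO.setSignAlg(Integer.valueOf(Integer.parseInt(caCertById.getSignAlg())));
            Result genOrUpdateSubUserCaP10 = this.hsmManager.genOrUpdateSubUserCaP10(userSubCaP10ReqDTO, caId, true);
            if (!genOrUpdateSubUserCaP10.isSuccess()) {
                return genOrUpdateSubUserCaP10;
            }
            FileUtils.save(Base64.toBase64String(((PKCS10CertificationRequest) genOrUpdateSubUserCaP10.getInfo()).getEncoded()), (Constants.CA_CERT_PRIVATE_PATH + "/" + caId) + "/SubCa.p10");
            HashMap hashMap = new HashMap();
            // Name handed back to the client; downloadSubCaP10 expects exactly this shape.
            hashMap.put("p10Name", "SubCa_" + caId);
            return Result.success(hashMap);
        } catch (Exception e3) {
            this.logger.error("更新子用户CA的p10申请书失败", e3);
            throw new ServiceException("更新子用户CA的p10申请书失败", e3);
        }
    }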

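    /**
     * Reads back a previously generated sub-CA PKCS#10 file.
     *
     * <p>{@code str} is the name handed out by the generate/update calls, {@code "SubCa_<caId>"}.
     * Only that exact shape is accepted: the second part must be a decimal id, because it is
     * spliced into a filesystem path under {@code Constants.CA_CERT_PRIVATE_PATH}, and any other
     * content (path separators, {@code ..}) would let a caller read files outside the CA directory.
     *
     * @param str p10 file name of the form {@code SubCa_<caId>}
     * @return the raw file bytes on success, {@code ILLEGAL_REQUEST_PARAMETER} for any other name
     */
    public Result downloadSubCaP10(String str) {
        Long caId = parseSubCaP10Name(str);
        if (caId == null) {
            this.logger.error("P10文件名格式错误{}", str);
            return Result.failure(ErrorEnum.ILLEGAL_REQUEST_PARAMETER);
        }
        return Result.success(FileUtils.readByBinary(Constants.CA_CERT_PRIVATE_PATH + "/" + caId + "/SubCa.p10"));
    }

    /**
     * Extracts the numeric id from a {@code SubCa_<caId>} name.
     *
     * @param name the client-supplied p10 name, may be null
     * @return the id, or null when the name does not have exactly that shape
     */
    private static Long parseSubCaP10Name(String name) {
        if (name == null) {
            return null;
        }
        String[] parts = name.split("_");
        if (parts.length != 2 || !"SubCa".equals(parts[0])) {
            return null;
        }
        try {
            // Long.valueOf rejects anything that is not a decimal number, including path fragments.
            return Long.valueOf(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
    }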

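    /**
     * Imports the certificate chain issued for a sub user CA whose PKCS#10 was generated here.
     *
     * <p>Checks, in order: the record exists and belongs to a sub CA; the chain verifies; the
     * subject starts with CN and ends with the admin CA's base DN; the leaf is a CA certificate;
     * the public key in the leaf equals the key we generated (read from the saved P10 on a BC
     * device, otherwise fetched from the HSM by key index). Only then is the record updated (first
     * issuance) or a new current record saved with the old one marked not-current (renewal), the
     * cached CA info evicted, and publication / sync tasks queued when the certificate was issued
     * from a template of this system.
     *
     * @param l    id of the CA certificate record the P10 was generated for
     * @param bArr uploaded certificate chain bytes, verified by {@code CertUtils.verifyCertChain}
     * @return success, or the {@link ErrorEnum} describing the first failed check
     */
    @Transactional
    public Result uploadUserCaCert(Long l, byte[] bArr) {
        IssueCaBaseInfo issueCaBaseInfo;
        PublicKey publicKeyFromP10;
        try {
            CaCertDO caCertById = this.caCertDao.getCaCertById(l.longValue());
            if (caCertById == null) {
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            Long caId = caCertById.getCaId();
            if (!this.caCertDao.isSubCa(l).booleanValue()) {
                this.logger.info("当前CA不是子用户CA");
                return Result.failure(ErrorEnum.CURRENT_CA_IS_NOT_SUB_USER_CA_CERT);
            }
            Result verifyCertChain = CertUtils.verifyCertChain(bArr);
            if (!verifyCertChain.isSuccess()) {
                return verifyCertChain;
            }
            // Element 0 of the verified chain is treated as the sub CA's own certificate.
            X509Certificate x509Certificate = (X509Certificate) ((List) verifyCertChain.getInfo()).get(0);
            CaInfoVO caInfoVO = (CaInfoVO) Constants.CA_INFO.get(Constants.ADMIN_CA_ID);
            try {
                String subjectByX509Cert = CertUtil.getSubjectByX509Cert(x509Certificate);
                if (!subjectByX509Cert.toLowerCase().startsWith("cn")) {
                    this.logger.error("导入证书失败：DN不是以CN开头[{}]", subjectByX509Cert);
                    return Result.failure(ErrorEnum.CERT_DN_CN_IS_NOT_FIRST);
                }
                if (!subjectByX509Cert.toLowerCase().endsWith(caInfoVO.getBaseDn().toLowerCase())) {
                    this.logger.error("导入证书失败：DN中的baseDn不正确[{}]", subjectByX509Cert);
                    return Result.failure(ErrorEnum.BASEDN_ERROR);
                }
                if (x509Certificate.getBasicConstraints() == BasicContrainsEnum.NOT_IS_CA.getKey()) {
                    this.logger.info("导入证书链失败：证书不是CA证书");
                    return Result.failure(ErrorEnum.IS_NOT_CA_CERT);
                }
                // Warm the CA_INFO cache for this CA if it is not loaded yet.
                if (Constants.CA_INFO.get(caId) == null) {
                    Result issueUserCaBaseInfoByCaId = this.userCaService.getIssueUserCaBaseInfoByCaId(caId);
                    if (!issueUserCaBaseInfoByCaId.isSuccess()) {
                        return issueUserCaBaseInfoByCaId;
                    }
                    issueCaBaseInfo = (IssueCaBaseInfo) issueUserCaBaseInfoByCaId.getInfo();
                    Constants.CA_INFO.put(caId, issueCaBaseInfo);
                } else {
                    issueCaBaseInfo = (IssueCaBaseInfo) Constants.CA_INFO.get(caId);
                }
                // NOTE(review): this bean carries the decrypted key PIN; confirm toString() omits it.
                this.logger.info("用户子CA【更新前】缓存信息:{}", issueCaBaseInfo.toString());
                CaCertDO caCertByCaId = this.caCertDao.getCaCertByCaId(caId.longValue());
                // cert == null means first issuance; otherwise this upload is a renewal.
                String cert = caCertByCaId.getCert();
                if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_BC.intValue()) {
                    try {
                        publicKeyFromP10 = CertUtil.getPublicKeyFromP10(new String(FileUtils.readByBinary(Constants.CA_CERT_PRIVATE_PATH + "/" + caId + "/SubCa.p10")));
                    } catch (Exception e) {
                        this.logger.error("解析P10异常", e);
                        return Result.failure(ErrorEnum.P10_FORMAT_ERROR);
                    }
                } else if (cert == null) {
                    try {
                        publicKeyFromP10 = this.hsmManager.getSignPublicKeyByHsm(caCertById.getKeyIndex(), caCertById.getPublicKeyAlg());
                    } catch (Exception e2) {
                        this.logger.error("密码机索引不符合需要的密钥算法", e2);
                        return Result.failure(ErrorEnum.HSM_INDEX_NOT_FORMAT_KEY_ALG);
                    }
                } else {
                    // Renewal on an HSM: the new key location was left in tempKey.dat by updateSubUserCaGenP10.
                    String str = Constants.CA_CERT_PRIVATE_PATH + "/" + caId + "/tempKey.dat";
                    if (!new File(str).exists()) {
                        this.logger.info("不存在更新密钥索引文件信息");
                        return Result.failure(ErrorEnum.CANNOT_GET_KEY_INDEX_TO_UPDATE_SUBCA);
                    }
                    CaPwdBean caPwdBean = (CaPwdBean) JsonUtils.json2Object(new String(FileUtils.readByBinary(str)), CaPwdBean.class);
                    try {
                        publicKeyFromP10 = this.hsmManager.getSignPublicKeyByHsm(caPwdBean.getKeyIndex(), caCertById.getPublicKeyAlg());
                        caCertById.setKeyIndex(caPwdBean.getKeyIndex());
                        caCertById.setKeyPwd(this.configFileService.buildEncOrDecDate(true, caPwdBean.getPrivateKeyPin()));
                    } catch (Exception e3) {
                        this.logger.error("密码机索引不符合需要的密钥算法", e3);
                        return Result.failure(ErrorEnum.HSM_INDEX_NOT_FORMAT_KEY_ALG);
                    }
                }
                // Compare the DER encodings byte-for-byte. Going through new String(...) decodes the
                // bytes with the platform charset, which maps invalid sequences to U+FFFD and could make
                // two different keys compare equal.
                if (!java.util.Arrays.equals(publicKeyFromP10.getEncoded(), x509Certificate.getPublicKey().getEncoded())) {
                    this.logger.info("导入证书链失败:证书中的公钥和P10申请书中的公钥不一致");
                    return Result.failure(ErrorEnum.PUBLIC_KEY_IS_NOT_MATCH_ERROR);
                }
                String bigInteger = x509Certificate.getSerialNumber().toString(16);
                // A sub_ca_cert row for this serial means the certificate was issued from one of our templates.
                SubCaCertDO subCaCert = this.subCaCertDao.getSubCaCert(bigInteger);
                Long l2 = null;
                if (subCaCert != null) {
                    l2 = subCaCert.getTemplateId();
                }
                try {
                    caCertById.setCaId(caId);
                    caCertById.setAfterTime(x509Certificate.getNotAfter());
                    caCertById.setBeforeTime(x509Certificate.getNotBefore());
                    caCertById.setCert(CertUtil.writeObject(x509Certificate));
                    caCertById.setIsCurrent(Integer.valueOf(CaCertDO.CaCertCurrentEnum.VALID.getValue()));
                    // Stored as text via the platform charset; presumably the upload is PEM/base64 — confirm.
                    caCertById.setCertChain(new String(bArr));
                    caCertById.setStatus(1);
                    caCertById.setTemplateId(l2);
                    caCertById.setSn(bigInteger);
                    caCertById.setIssue(CertUtil.getIssuerByX509Cert(x509Certificate));
                    caCertById.setSubject(CertUtil.getSubjectByX509Cert(x509Certificate));
                    if (cert != null) {
                        if (CertUtils.getCertFromStr(cert).getBasicConstraints() != x509Certificate.getBasicConstraints()) {
                            this.logger.info("导入证书链失败：导入证书与旧证书的path_length不一致");
                            return Result.failure(ErrorEnum.PATH_LENGTH_IS_NOT_MATCH);
                        }
                        caCertById.setOldCertId(caCertByCaId.getId());
                    }
                    if (Constants.CRYPT_DEVICE_TYPE.equals(Constants.CRYPT_DEVICE_BC)) {
                        PrivateKey readPrivateKeyByPath = CertUtils.readPrivateKeyByPath(Constants.CA_CERT_PRIVATE_PATH + "/" + caId + "/tmpPrivate.key");
                        if (readPrivateKeyByPath == null) {
                            this.logger.info("未获取到私钥数据信息");
                            return Result.failure(ErrorEnum.CANNOT_GET_PRIVATE_FILE_INFO);
                        }
                        this.hsmManager.saveUserCaCertPrivateKey(caId, x509Certificate, readPrivateKeyByPath, this.savePriKeyHsm);
                    }
                    if (cert == null) {
                        // First issuance: fill in the existing record.
                        caCertById.setId(l);
                        caCertById.setGmtModified(new Date());
                        this.caCertDao.update(caCertById);
                    } else {
                        // Renewal: retire the previous certificate row and save the new one as current.
                        this.logger.info("将旧的子CA证书{}的当前状态更新为不在使用", caCertByCaId.getId());
                        this.caCertDao.setIsCurrent(caCertByCaId.getId(), CaCertDO.CaCertCurrentEnum.INVALID.getValue());
                        caCertById.setGmtCreate(new Date());
                        this.caCertDao.save(caCertById);
                    }
                    // Drop the stale cache entry so the next issuance reloads the new certificate.
                    Constants.CA_INFO.remove(caId);
                    if (l2 != null) {
                        Result templateById = this.templateService.getTemplateById(l2);
                        if (!templateById.isSuccess()) {
                            return Result.failure(ErrorEnum.TEMPLATE_NOT_EXIST);
                        }
                        TemplateInfoVO templateInfoVO = (TemplateInfoVO) templateById.getInfo();
                        if (null == templateInfoVO) {
                            this.logger.info("查询模板信息结果：模板不存在[{}]", l2);
                            return Result.failure(ErrorEnum.TEMPLATE_NOT_EXIST);
                        }
                        this.taskDataService.savePublishCert(caCertById.getId(), (Long) null, 3, templateInfoVO.getIssueCertType());
                        this.taskDataService.saveSyncStatusCert(caCertById.getId(), (Long) null, 5, Integer.valueOf(CertStatusEnum.NORMAL.getValue()), (Integer) null, new Date());
                    } else {
                        this.logger.info("当前导入的用户子CA [{}] 是外部系统签发的，不在本系统发布", bigInteger);
                    }
                    return Result.success();
                } catch (Exception e4) {
                    this.logger.error("保存用户CA证书异常:{}", e4);
                    return Result.failure(ErrorEnum.SAVE_USER_CA_CERT_EXCEPTION);
                }
            } catch (Exception e5) {
                this.logger.error("获取证书的DN信息异常：{}", e5);
                return Result.failure(ErrorEnum.GET_CERT_DN_EXCEPTION);
            }
        } catch (DAOException e6) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }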

    /**
     * Pages through the historical certificates of a user CA.
     *
     * @param l    id of the user CA
     * @param num  first paging argument passed straight to the DAO (presumably page number)
     * @param num2 second paging argument passed straight to the DAO (presumably page size)
     * @return the DAO result wrapped in a success {@link Result}
     * @throws ServiceException wrapping whatever the DAO threw
     */
    public Result getHistoryUserCaList(Long l, Integer num, Integer num2) {
        final String failureMessage = "分页获取用户CA历史证书列表失败";
        try {
            return Result.success(this.caCertDao.getUserCaHistoryList(l, num, num2));
        } catch (Exception cause) {
            this.logger.error(failureMessage, cause);
            throw new ServiceException(failureMessage, cause);
        }
    }

    /**
     * Returns the summary DTO of a user CA, addressed by the id of its certificate record.
     *
     * @param l id of the CA certificate record
     * @return success with a {@code UserCaBaseDTO}; {@code USER_CA_CERT_ID_IS_NOT_EXIST} when the
     *         certificate row or its CA row is missing; {@code OPERATE_DATA_BASE_ERROR} on a DAO failure
     */
    public Result getUserCaBaseInfoByCaCertId(Long l) {
        try {
            CaCertDO certRow = this.caCertDao.getCaCertById(l.longValue());
            if (certRow == null) {
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            CaDO caRow = this.caDao.getCaById(certRow.getCaId().longValue());
            if (caRow == null) {
                // Same code as a missing certificate: the client only knows the certificate id.
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            return Result.success(buildUserCaBaseDTO(caRow, certRow));
        } catch (DAOException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }

    /**
     * Loads the issuing context of a user CA from the database; callers put the result into the
     * {@code Constants.CA_INFO} cache.
     *
     * <p>Returns {@code USER_CA_CERT_ID_IS_NOT_EXIST} when either the CA row or its current
     * certificate row is missing, and {@code OPERATE_DATA_BASE_ERROR} on a {@link DAOException}.
     * Anything else thrown while parsing the certificate or the sign algorithm is unchecked and
     * propagates to the caller.
     *
     * <p>NOTE(review): the returned bean holds the decrypted key PIN and the private key handle and
     * is logged via {@code toString()} at debug level below — confirm toString() omits those fields.
     *
     * @param l id of the user CA
     * @return success with the populated {@code IssueCaBaseInfo}, or a failure code
     */
    public Result getIssueUserCaBaseInfoByCaId(Long l) {
        this.logger.info("从数据库中加载IssueUserCaBaseInfo信息caId:{}", l);
        IssueCaBaseInfo issueCaBaseInfo = new IssueCaBaseInfo();
        try {
            CaDO caById = this.caDao.getCaById(l.longValue());
            CaCertDO caCertByCaId = this.caCertDao.getCaCertByCaId(l.longValue());
            if (caById == null || caCertByCaId == null) {
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            issueCaBaseInfo.setUserCaName(caById.getName());
            issueCaBaseInfo.setCaId(l);
            issueCaBaseInfo.setStatus(caCertByCaId.getStatus());
            // A CA row without an issueCertType is reported as publish type 0.
            issueCaBaseInfo.setCaCertPublishType(caById.getIssueCertType() == null ? 0 : caById.getIssueCertType().intValue());
            issueCaBaseInfo.setIssue(caCertByCaId.getIssue());
            issueCaBaseInfo.setSubject(caCertByCaId.getSubject());
            issueCaBaseInfo.setId(caCertByCaId.getId());
            // cert / publicKey stay unset while the record has no certificate text yet.
            if (!StringUtils.isBlank(caCertByCaId.getCert())) {
                X509Certificate certFromStr = CertUtil.getCertFromStr(caCertByCaId.getCert());
                issueCaBaseInfo.setCert(certFromStr);
                issueCaBaseInfo.setPublicKey(certFromStr.getPublicKey());
            }
            issueCaBaseInfo.setCertChain(caCertByCaId.getCertChain());
            issueCaBaseInfo.setKeyIndex(caCertByCaId.getKeyIndex());
            // The PIN is stored encrypted; decrypt it for the in-memory issuing context.
            issueCaBaseInfo.setKeyPwd(this.configFileService.buildEncOrDecDate(false, caCertByCaId.getKeyPwd()));
            // signAlg is a string column; Integer.valueOf throws NumberFormatException if it is not numeric.
            issueCaBaseInfo.setSignAlg(Integer.valueOf(caCertByCaId.getSignAlg()));
            issueCaBaseInfo.setSn(caCertByCaId.getSn());
            issueCaBaseInfo.setPrivateKeySize(caCertByCaId.getPrivateKeySize());
            issueCaBaseInfo.setPublicKeyAlg(caCertByCaId.getPublicKeyAlg());
            issueCaBaseInfo.setPrivateKey(this.hsmManager.getUserCaCertPrivateKey(Integer.valueOf(caCertByCaId.getSignAlg()), l));
            if (null != caCertByCaId.getTemplateId()) {
                issueCaBaseInfo.setTemplateId(caCertByCaId.getTemplateId());
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("从数据库中加载IssueUserCaBaseInfo信息:{}", issueCaBaseInfo.toString());
            }
            return Result.success(issueCaBaseInfo);
        } catch (DAOException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }

    /**
     * Returns the decoded content view of a user CA certificate.
     *
     * @param l id of the CA certificate record
     * @return success with the content info; {@code USER_CA_CERT_ID_IS_NOT_EXIST} for an unknown id;
     *         {@code CERT_DETAIL_FORMAT_ERROR} if the stored certificate cannot be parsed or rendered;
     *         {@code OPERATE_DATA_BASE_ERROR} if the lookup itself fails
     */
    public Result getUserCaCertInfo(Long l) {
        CaCertDO certRow;
        try {
            certRow = this.caCertDao.getCaCertById(l.longValue());
        } catch (DAOException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
        if (certRow == null) {
            return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
        }
        try {
            // Any failure while parsing or rendering, including DAO errors, maps to the format error.
            return Result.success(this.certContentInfoUtil.getCertContentInfo(CertUtil.getCertFromStr(certRow.getCert()), null));
        } catch (Exception parseFailure) {
            this.logger.error("证书详情格式读取异常", parseFailure);
            return Result.failure(ErrorEnum.CERT_DETAIL_FORMAT_ERROR);
        }
    }

    /**
     * Lists the certificates of a user CA's stored chain, root first.
     *
     * <p>Each entry carries {@code subjectCertDn}, {@code issueCertDn}, {@code notAfterTime},
     * {@code notBeforeTime} and a 1-based {@code order} (1 = last element of the parsed chain).
     * A DN that cannot be parsed is logged and the entry is returned without the DN keys.
     *
     * @param l id of the CA certificate record
     * @return success with the list of entries; {@code USER_CA_CERT_ID_IS_NOT_EXIST} for an unknown id;
     *         {@code GET_USER_CA_CERT_P7B_EXCEPTION} if the chain is missing or cannot be parsed;
     *         {@code OPERATE_DATA_BASE_ERROR} if the lookup itself fails
     */
    public Result getUserCaP7bInfo(Long l) {
        CaCertDO certRow;
        try {
            certRow = this.caCertDao.getCaCertById(l.longValue());
        } catch (DAOException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
        if (certRow == null) {
            return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
        }
        try {
            List chain = P7bUtils.resolveCertChain(certRow.getCertChain().getBytes());
            ArrayList<HashMap<String, Object>> entries = new ArrayList<HashMap<String, Object>>();
            // Walk the parsed chain backwards so the output starts at its last element.
            for (int i = chain.size() - 1; i >= 0; i--) {
                X509Certificate cert = (X509Certificate) chain.get(i);
                HashMap<String, Object> entry = new HashMap<String, Object>();
                try {
                    entry.put("subjectCertDn", CertUtil.getSubjectByX509Cert(cert));
                    entry.put("issueCertDn", CertUtil.getIssuerByX509Cert(cert));
                } catch (Exception dnFailure) {
                    this.logger.error("证书dn解析错误", dnFailure);
                }
                entry.put("notAfterTime", DateUtils.dateToString(cert.getNotAfter(), "yyyy-MM-dd HH:mm:ss"));
                entry.put("notBeforeTime", DateUtils.dateToString(cert.getNotBefore(), "yyyy-MM-dd HH:mm:ss"));
                entry.put("order", Integer.valueOf(i + 1));
                entries.add(entry);
            }
            return Result.success(entries);
        } catch (Exception chainFailure) {
            this.logger.error("解析证书链异常", chainFailure);
            return Result.failure(ErrorEnum.GET_USER_CA_CERT_P7B_EXCEPTION);
        }
    }

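    /**
     * Returns the stored certificate chain of a user CA for download.
     *
     * <p>The CA's name is attached as the audit content of the result.
     *
     * @param l id of the CA certificate record
     * @return a result whose info is the chain text; {@code USER_CA_CERT_ID_IS_NOT_EXIST} when the
     *         certificate row or its CA row is missing; {@code OPERATE_DATA_BASE_ERROR} on a DAO failure
     */
    public Result downloadUserCaCert(Long l) {
        try {
            CaCertDO caCertById = this.caCertDao.getCaCertById(l.longValue());
            if (caCertById == null) {
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            CaDO caById = this.caDao.getCaById(caCertById.getCaId().longValue());
            // The CA row can be gone while its certificate row remains; report it the way
            // getUserCaBaseInfoByCaCertId does instead of failing on caById.getName().
            if (caById == null) {
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            String certChain = caCertById.getCertChain();
            Result result = new Result();
            result.setAuditContent(caById.getName());
            result.setInfo(certChain);
            return result;
        } catch (DAOException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }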

    /**
     * Deletes the user CA that owns the given certificate record.
     *
     * <p>The deletion is issued against the CA id, not the certificate id; what the DAO cascades
     * to is not visible here.
     *
     * @param l id of the CA certificate record
     * @return success; {@code USER_CA_CERT_ID_IS_NOT_EXIST} for an unknown id;
     *         {@code OPERATE_DATA_BASE_ERROR} on a DAO failure
     */
    public Result deleteUserCa(Long l) {
        try {
            CaCertDO certRow = this.caCertDao.getCaCertById(l.longValue());
            if (certRow != null) {
                long ownerCaId = certRow.getCaId().longValue();
                this.caDao.deleteCaById(ownerCaId);
                return Result.success();
            }
            return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
        } catch (DAOException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }

    /**
     * Returns a page of user CA summaries with the sign algorithm code replaced by its display name.
     *
     * @param num  first paging argument passed straight to the DAO (presumably page number)
     * @param num2 second paging argument passed straight to the DAO (presumably page size)
     * @return success with the decorated list, or {@code OPERATE_DATA_BASE_ERROR} if the DAO or the
     *         decoration throws a {@link ServiceException}
     */
    public Result queryUserCaBaseInfoList(Integer num, Integer num2) {
        try {
            List<UserCaDTO> rows = this.caDao.queryUserCaBaseInfo(num, num2);
            for (UserCaDTO row : rows) {
                // signAlg arrives as the numeric code in string form; a non-numeric value throws NumberFormatException.
                int algCode = Integer.parseInt(row.getSignAlg());
                row.setSignAlg(SignAlgTypeEnum.getViewAlgName(algCode));
            }
            return Result.success(rows);
        } catch (ServiceException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }

    /**
     * Returns the notAfter instant of a user CA's current certificate as epoch milliseconds.
     *
     * @param l id of the user CA
     * @return success with the epoch-millis {@link Long}; {@code USER_CA_CERT_ID_IS_NOT_EXIST} when the
     *         CA has no certificate row; {@code OPERATE_DATA_BASE_ERROR} on a DAO failure
     */
    public Result getUserCAFileTime(Long l) {
        try {
            CaCertDO currentCert = this.caCertDao.getCaCertByCaId(l.longValue());
            if (currentCert == null) {
                return Result.failure(ErrorEnum.USER_CA_CERT_ID_IS_NOT_EXIST);
            }
            long notAfterMillis = currentCert.getAfterTime().getTime();
            return Result.success(Long.valueOf(notAfterMillis));
        } catch (DAOException e) {
            return Result.failure(ErrorEnum.OPERATE_DATA_BASE_ERROR);
        }
    }

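    /**
     * Validates the inputs of a certificate issuance before any signing happens.
     *
     * <p>Checks, in order: the template is in NORMAL status; the CA info has a base DN; the subject
     * DN starts with CN and ends with that base DN; for an XDJA HSM the key index / PIN pair has
     * access rights, for an SWXA HSM the device is reachable; and finally the DN parses as an
     * RFC 4519 X.500 name.
     *
     * <p>{@code publicKey} is accepted but not examined here.
     *
     * <p>NOTE(review): the XDJA access-right probe is not wrapped in a try/catch like the SWXA
     * connection test, so an exception from the HSM client propagates to the caller.
     *
     * @param str            subject DN of the certificate to issue
     * @param templateInfoVO template the certificate is issued from
     * @param caInfoVO       issuing CA's info (base DN), may be null
     * @param publicKey      subject public key (currently unused)
     * @param num            HSM key index, null when no HSM key is involved
     * @param str2           private key PIN for the key index
     * @return success, or the {@link ErrorEnum} of the first failed check
     */
    public Result checkIssueCertParams(String str, TemplateInfoVO templateInfoVO, CaInfoVO caInfoVO, PublicKey publicKey, Integer num, String str2) {
        if (TemplateStatusEnum.NORMAL.getValue() != templateInfoVO.getStatus().intValue()) {
            this.logger.info("查询模板信息结果：模板状态不正常，模板状态为[{}]", templateInfoVO.getStatus());
            return Result.failure(ErrorEnum.TEMPLATE_STATUS_IS_STOP);
        }
        if (null == caInfoVO || StringUtils.isBlank(caInfoVO.getBaseDn())) {
            this.logger.debug("签发证书失败：未查到CA基本信息[{}]", str);
            return Result.failure(ErrorEnum.CA_BASEINFO_GET_FAIL);
        }
        if (!str.toLowerCase().startsWith("cn")) {
            this.logger.error("签发证书失败：DN不是以CN开头[{}]", str);
            return Result.failure(ErrorEnum.CERT_DN_CN_IS_NOT_FIRST);
        }
        if (!str.toLowerCase().endsWith(caInfoVO.getBaseDn().toLowerCase())) {
            this.logger.debug("签发证书失败：DN中的baseDn不正确dn=[{}],baseDn=[{}]", str, caInfoVO.getBaseDn());
            return Result.failure(ErrorEnum.BASEDN_ERROR);
        }
        if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_XDJA_HSM.intValue() && null != num && !GMSSLSM2KeyUtils.getPrivateKeyAccessRightFromYunHsm(num.intValue(), str2)) {
            // The PIN is a credential; log the key index only.
            this.logger.debug("信大捷安密码机两码没有访问权限keyIndex=[{}]", num);
            return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
        }
        if (Constants.CRYPT_DEVICE_TYPE.intValue() == Constants.CRYPT_DEVICE_SWXA_HSM.intValue() && null != num) {
            try {
                if (GMSSLSancHsmUtils.testConnect().id != YunHsmExceptionEnum.NORMAL.id) {
                    this.logger.debug("连接三未信安密码机异常keyIndex=[{}]", num);
                    return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
                }
            } catch (Exception e) {
                this.logger.debug("获取三未信安密码机异常keyIndex=[{}]", num);
                return Result.failure(ErrorEnum.HSM_KEY_PIN_ERROR);
            }
        }
        try {
            // Parse only to validate the DN syntax.
            DnUtil.getRFC4519X500Name(str);
            return Result.success();
        } catch (Exception e2) {
            this.logger.debug("DN不符合X500规范dn=[{}]", str);
            return Result.failure(ErrorEnum.DN_FORMAT_FAIL);
        }
    }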

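    /**
     * Assembles the user-CA summary DTO from a CA row and its certificate row.
     *
     * <p>Most fields are copied from {@code caCertDO}; the CA row contributes type, name and id.
     * Validity is expressed in whole days: {@code certPeriod} is the certificate lifetime and
     * {@code validityPeriod} the days still remaining (0 once expired). The clock is sampled once
     * so the expiry test and the remaining-days arithmetic agree.
     *
     * <p>NOTE(review): {@code keyPwd} is decrypted here and placed on the DTO, so a caller that
     * returns the DTO to the web layer exposes the HSM key PIN in clear — confirm this is intended.
     *
     * @param caDO     the CA row (type, name, id)
     * @param caCertDO the CA's certificate row
     * @return the populated DTO
     */
    private UserCaBaseDTO buildUserCaBaseDTO(CaDO caDO, CaCertDO caCertDO) {
        final long dayMillis = 86400000L;
        final long now = System.currentTimeMillis();
        final long notBefore = caCertDO.getBeforeTime().getTime();
        final long notAfter = caCertDO.getAfterTime().getTime();
        UserCaBaseDTO userCaBaseDTO = new UserCaBaseDTO();
        BeanUtils.copyProperties(caCertDO, userCaBaseDTO);
        userCaBaseDTO.setCaType(caDO.getType().intValue());
        userCaBaseDTO.setCertStatus(caCertDO.getStatus());
        userCaBaseDTO.setIssueDn(caCertDO.getIssue());
        userCaBaseDTO.setSubjectDn(caCertDO.getSubject());
        userCaBaseDTO.setKeyIndex(caCertDO.getKeyIndex());
        userCaBaseDTO.setKeyPwd(this.configFileService.buildEncOrDecDate(false, caCertDO.getKeyPwd()));
        userCaBaseDTO.setNotAfterTime(DateUtils.dateToString(caCertDO.getAfterTime(), "yyyy-MM-dd HH:mm:ss"));
        userCaBaseDTO.setNotBeforeTime(DateUtils.dateToString(caCertDO.getBeforeTime(), "yyyy-MM-dd HH:mm:ss"));
        // Integer division: partial days are dropped.
        userCaBaseDTO.setCertPeriod((int) ((notAfter - notBefore) / dayMillis));
        userCaBaseDTO.setPrivateKeySize(caCertDO.getPrivateKeySize());
        userCaBaseDTO.setPublicKeyAlg(caCertDO.getPublicKeyAlg());
        userCaBaseDTO.setSignAlg(caCertDO.getSignAlg());
        userCaBaseDTO.setUserCaName(caDO.getName());
        userCaBaseDTO.setUserCaSn(caCertDO.getSn());
        userCaBaseDTO.setUserCaId(caDO.getId());
        userCaBaseDTO.setUserCaCertId(caCertDO.getId());
        userCaBaseDTO.setValidityPeriod(notAfter <= now ? 0 : (int) ((notAfter - now) / dayMillis));
        // templateId may be absent (e.g. externally issued CAs); the lookup then fails and the period stays unset.
        Result templateById = this.templateService.getTemplateById(caCertDO.getTemplateId());
        if (templateById.isSuccess()) {
            userCaBaseDTO.setTemplatePeriod(((TemplateInfoVO) templateById.getInfo()).getMaxValidity().intValue());
        }
        userCaBaseDTO.setBaseDn(((CaInfoVO) Constants.CA_INFO.get(Constants.ADMIN_CA_ID)).getBaseDn());
        return userCaBaseDTO;
    }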
}
