package com.xdja.pki.ca.securitymanager.service.login;

import com.xdja.pki.ca.auth.service.bean.AuditSignBean;
import com.xdja.pki.ca.auth.service.bean.DigestAlgEnum;
import com.xdja.pki.ca.auth.service.bean.KeyAlgEnum;
import com.xdja.pki.ca.certmanager.dao.ManagerCertDao;
import com.xdja.pki.ca.certmanager.dao.ManagerCertDataDao;
import com.xdja.pki.ca.certmanager.dao.models.ManageCertDO;
import com.xdja.pki.ca.certmanager.dao.models.ManageCertDataDO;
import com.xdja.pki.ca.core.Constants;
import com.xdja.pki.ca.core.ca.util.gm.cert.CertUtil;
import com.xdja.pki.ca.core.common.ErrorEnum;
import com.xdja.pki.ca.core.common.Result;
import com.xdja.pki.ca.core.enums.CertStatusEnum;
import com.xdja.pki.ca.core.exception.ServiceException;
import com.xdja.pki.ca.core.pkcs7.SignedDataInfo;
import com.xdja.pki.ca.core.pkcs7.SignedDataUtil;
import com.xdja.pki.ca.hsm.manager.HsmManager;
import com.xdja.pki.ca.security.bean.Function;
import com.xdja.pki.ca.security.bean.Operator;
import com.xdja.pki.ca.security.util.OperatorUtil;
import com.xdja.pki.ca.securityaudit.service.bean.AuditLogOperatorTypeEnum;
import com.xdja.pki.ca.securityaudit.service.bean.AuditLogResultEnum;
import com.xdja.pki.ca.securityaudit.service.log.AuditLogService;
import com.xdja.pki.ca.securitymanager.dao.AdminRoleDao;
import com.xdja.pki.ca.securitymanager.dao.FunctionDao;
import com.xdja.pki.ca.securitymanager.dao.model.RoleDO;
import com.xdja.pki.ca.securitymanager.service.vo.AdminInfoDTO;
import com.xdja.pki.ca.securitymanager.service.vo.CaInfoVO;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

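@Service
/**
 * Certificate-based administrator login (challenge / PKCS#7 signature).
 *
 * Flow: {@link #getChallenge()} hands the caller a fresh HSM-generated random value and
 * remembers it (with an absolute deadline) under a per-operator attribute; {@link #login}
 * then resolves the submitted PKCS#7 SignedData, checks that its content is exactly the
 * pending challenge, that the signature/digest OIDs match the system key algorithm, and
 * verifies the signature against the public key of the manager certificate stored for the
 * submitted SN. Only after that does it establish the Shiro subject and the operator context.
 *
 * A challenge is single-use: it is consumed by the first login attempt that reaches the
 * signature stage, whether or not that attempt succeeds, so a captured signed challenge
 * cannot be replayed within its lifetime.
 */
public class LoginServiceImpl extends LoginBase implements LoginService {
    private final Logger logger = LoggerFactory.getLogger(getClass());

    /** Attribute name under which the pending challenge state map is stored (via OperatorUtil). */
    private static final String SESSION_CHALLENGE_KEY = "challenge";
    /** Keys of the challenge state map. */
    private static final String KEY_CHALLENGE = "challenge";
    private static final String KEY_EXPIRES = "expires";
    private static final String KEY_FAILURE_TIME = "failureTime";

    /** Challenge lifetime in seconds; converted to an absolute millisecond deadline when issued. */
    @Value("${challenge.expires}")
    private long challengeExpires;

    /** Authenticated Shiro session timeout in minutes. */
    @Value("${session.expires}")
    private int sessionTimeout;

    /** Size argument passed to the HSM random generator for each challenge. */
    @Value("${login.challenge.length}")
    private int challengeLength;

    @Resource
    private ManagerCertDao managerCertDao;

    @Resource
    private ManagerCertDataDao managerCertDataDao;

    @Resource
    private FunctionDao functionDao;

    @Resource
    private AdminRoleDao adminRoleDao;

    @Resource
    private HsmManager hsmManager;

    @Resource
    private AuditLogService auditLogService;

    /**
     * Issues a new login challenge and returns it to the caller.
     *
     * The challenge, its lifetime and its absolute deadline are stored server-side; only the
     * challenge and the lifetime are returned. Calling this again simply replaces the pending
     * challenge, so any earlier one becomes unusable.
     *
     * @return map with {@code challenge} (HSM random value) and {@code expires} (seconds)
     * @throws ServiceException if the HSM or the attribute store fails
     */
    public Map<String, Object> getChallenge() {
        try {
            Map<String, Object> pending = loadChallengeState();
            if (pending == null) {
                pending = new HashMap<>();
            }
            long deadline = System.currentTimeMillis() + this.challengeExpires * 1000L;
            pending.put(KEY_CHALLENGE, this.hsmManager.generateRandom(this.challengeLength));
            pending.put(KEY_EXPIRES, this.challengeExpires);
            pending.put(KEY_FAILURE_TIME, deadline);
            // Re-store after mutation so a store that copies on write still sees the new values.
            OperatorUtil.setAttribute(SESSION_CHALLENGE_KEY, pending);

            Map<String, Object> response = new HashMap<>();
            response.put(KEY_CHALLENGE, pending.get(KEY_CHALLENGE));
            response.put(KEY_EXPIRES, pending.get(KEY_EXPIRES));
            return response;
        } catch (Exception e) {
            throw new ServiceException("获取登录挑战值失败", e);
        }
    }

    /**
     * Authenticates an administrator from a signed challenge and records a login audit entry.
     *
     * NOTE(review): only successful logins are written to the audit log; failed attempts are
     * logged via SLF4J only, even though a failure {@code Result} carries audit content too.
     * Confirm whether that is the intended audit policy.
     *
     * @param signedData   PKCS#7 SignedData (as accepted by {@code SignedDataUtil.resolve}) over the challenge
     * @param auditSignBean client-supplied SN / key algorithm plus the signature used for the audit record
     * @return success with user info and menus, or a failure with the matching error code
     * @throws ServiceException wrapping any unexpected error during login
     */
    public Result login(String signedData, AuditSignBean auditSignBean) {
        try {
            Result outcome = executeLogin(signedData, auditSignBean);
            if (outcome.isSuccess()) {
                recordSuccessfulLogin(outcome, auditSignBean);
            }
            return outcome;
        } catch (Exception e) {
            throw new ServiceException("管理员登录系统失败", e);
        }
    }

    /**
     * Ends the current Shiro session.
     *
     * @throws ServiceException if Shiro fails to log the subject out
     */
    public void logout() {
        try {
            SecurityUtils.getSubject().logout();
        } catch (Exception e) {
            throw new ServiceException("管理员退出系统失败", e);
        }
    }

    /** Best-effort audit write for a successful login; failures are logged, never propagated. */
    private void recordSuccessfulLogin(Result outcome, AuditSignBean auditSignBean) {
        try {
            boolean saved = this.auditLogService.save(
                    AuditLogOperatorTypeEnum.SYSTEM_LOGIN.type,
                    outcome.getAuditContent(),
                    AuditLogResultEnum.SUCCESS.id,
                    auditSignBean.getSign());
            if (!saved) {
                this.logger.error("保存管理员登录系统审计日志失败");
            }
        } catch (Exception e) {
            this.logger.error("保存管理员登录系统审计日志失败", e);
        }
    }

    /**
     * Runs the full login check chain; every failure is returned as a {@code Result} carrying
     * the audit text, never thrown.
     *
     * @throws IOException if the PKCS#7 structure cannot be resolved
     */
    private Result executeLogin(String signedData, AuditSignBean auditSignBean) throws IOException {
        String sn = auditSignBean.getSn();

        // 1. The certificate must be known, active and not past its notAfter.
        ManageCertDO cert = this.managerCertDao.getManagerCertsBySn(sn, auditSignBean.getKeyAlg());
        if (cert == null) {
            return fail(ErrorEnum.DOWNLOAD_CERT_NOT_EXIST, "管理员登录系统失败，原因：证书不存在，证书SN=" + sn);
        }
        if (cert.getStatus().intValue() != CertStatusEnum.NORMAL.value) {
            return fail(ErrorEnum.RA_CERT_ISSUE_STATUA_FROZEND, "管理员登录系统失败，原因：证书被冻结，证书SN=" + sn);
        }
        // NOTE(review): only the end of validity is checked here; a not-yet-valid (notBefore in
        // the future) certificate passes. Add a beforeTime check if the DO exposes one.
        if (cert.getAfterTime().getTime() < System.currentTimeMillis()) {
            return fail(ErrorEnum.RA_CERT_ISSUE_STATUA_EXPIRED, "管理员登录系统失败，原因：证书已过期，证书SN=" + sn);
        }

        // 2. The certificate must be bound to an administrator role.
        RoleDO role = this.adminRoleDao.getRoleByManageCertId(cert.getId().longValue());
        if (role == null) {
            return fail(ErrorEnum.INVALID_CERT,
                    "管理员登录系统失败，原因：证书无对应管理员角色，证书DN=" + cert.getSubject() + "，证书SN=" + sn);
        }
        String who = "证书DN=" + cert.getSubject() + "，证书SN=" + sn + "，管理员角色=" + role.getName();

        // 3. A live challenge must exist for this caller.
        Map<String, Object> pending = loadChallengeState();
        if (!challengeIsLive(pending)) {
            return fail(ErrorEnum.INVALID_CHALLENGE, "管理员登录系统失败，原因：挑战值无效，" + who);
        }
        // Single use: burn the challenge before any verification so neither a malformed
        // submission nor a captured valid one can be presented a second time.
        String expected = (String) pending.get(KEY_CHALLENGE);
        consumeChallenge(pending);

        // 4. The signed content must be exactly the pending challenge.
        SignedDataInfo signed = SignedDataUtil.resolve(signedData);
        // The challenge is an HSM random value handed to the client, not a secret, so a plain
        // equals is acceptable here. UTF-8 is fixed so the comparison does not depend on the
        // JVM default charset (assumes the HSM emits an ASCII-safe string — TODO confirm).
        String presented = new String(signed.getContent(), StandardCharsets.UTF_8);
        if (expected == null || !expected.equals(presented)) {
            this.logger.info("管理员系统登录失败，原因：签名原文不一致  [sn={},keyAlg={},sign={}]",
                    sn, auditSignBean.getKeyAlg(), signedData);
            return Result.failure(ErrorEnum.INVALID_CHALLENGE)
                    .setAuditContent("管理员登录系统失败，原因：签名原文不一致，" + who);
        }

        // 5. Signature and digest OIDs must match the system key algorithm exactly.
        int systemAlg = Constants.BASE_ALG_TYPE.intValue();
        Integer digestAlg = selectDigestAlg(systemAlg, signed.getSignAlgOId(), signed.getDigestAlgOId());
        if (digestAlg == null) {
            return fail(ErrorEnum.NOT_SUPPORTED_SIGN_ALG,
                    "管理员登录系统失败，原因：不支持的签名算法，" + who
                            + "，P7签名算法=" + signed.getSignAlgOId()
                            + "，P7摘要算法=" + signed.getDigestAlgOId()
                            + "，系统签名算法=" + KeyAlgEnum.convert(systemAlg).desc);
        }

        // 6. Verify the signature with the public key of the STORED certificate, never one the
        //    client supplied.
        ManageCertDataDO certData = this.managerCertDataDao.queryManagerCertDataById(cert.getId());
        if (certData == null) {
            return fail(ErrorEnum.INVALID_CERT, "管理员登录系统失败，原因：证书数据不存在，" + who);
        }
        boolean verified = this.hsmManager.verifySign(
                systemAlg,
                digestAlg.intValue(),
                CertUtil.getCertFromStr(certData.getData()).getPublicKey(),
                signed.getContent(),
                signed.getSignData());
        if (!verified) {
            this.logger.info("管理员系统登录失败，原因：挑战值验签失败  [sn={},keyAlg={},sign={}]",
                    sn, auditSignBean.getKeyAlg(), signedData);
            return Result.failure(ErrorEnum.INVALID_CHALLENGE)
                    .setAuditContent("管理员登录系统失败，原因：挑战值验签失败，" + who);
        }

        // 7. Establish the Shiro subject and the operator context.
        return establishSession(auditSignBean, cert, role, certData, who);
    }

    /**
     * Logs the (already cryptographically authenticated) administrator into Shiro and builds
     * the operator context and the response payload.
     */
    private Result establishSession(AuditSignBean auditSignBean, ManageCertDO cert, RoleDO role,
                                    ManageCertDataDO certData, String who) {
        String sn = auditSignBean.getSn();
        try {
            Subject subject = SecurityUtils.getSubject();
            // Authentication already happened above (challenge + signature); this token only
            // bridges into Shiro's subject/realm with a fixed placeholder credential.
            // NOTE(review): confirm the realm backing CustomToken accepts "111111" solely in
            // this SN-bound flow and is not reachable through any other login path — otherwise
            // this is effectively a hard-coded password.
            subject.login(new CustomToken(sn, "111111", sn));
            // NOTE(review): Shiro does not necessarily rotate the session id on login; if the
            // pre-authentication session id can be planted by an attacker (fixation), consider
            // regenerating it here — confirm against the Shiro/session configuration.
            subject.getSession().setTimeout(this.sessionTimeout * 60L * 1000L);

            AdminInfoDTO admin = new AdminInfoDTO();
            // NOTE(review): copies every same-named property from the client-supplied bean.
            // The security-relevant fields are overwritten from the stored certificate and role
            // below; confirm AdminInfoDTO has no other field the client should not control.
            BeanUtils.copyProperties(auditSignBean, admin);
            admin.setSignCertId(cert.getId().longValue());
            admin.setDn(cert.getSubject());
            admin.setRoleType(role.getType().intValue());
            admin.setRoleName(role.getName());
            admin.setSignCertData(certData.getData());

            Collection<Function> functions =
                    convertFunction(this.functionDao.queryAdminFunctions(cert.getId().longValue()));
            OperatorUtil.setOperator(new Operator(admin.getDn(), functions, admin));
            ArrayList<Function> menus = new ArrayList<>(functions);
            filterFunction(menus);

            Map<String, Object> userInfo = new HashMap<>();
            userInfo.put("name", getCnByDn(cert.getSubject()));
            userInfo.put("sn", cert.getSn());
            userInfo.put("caType", ((CaInfoVO) Constants.CA_INFO.get(Constants.BASE_ALG_TYPE)).getType());
            userInfo.put("keyAlg", Constants.BASE_ALG_TYPE);
            Map<String, Object> payload = new HashMap<>();
            payload.put("userInfo", userInfo);
            payload.put("menus", menus);

            String audit = "管理员登录系统成功，" + who;
            this.logger.info(audit);
            return Result.success(payload).setAuditContent(audit);
        } catch (Exception e) {
            // Anything failing after subject.login() would otherwise leave an authenticated Shiro
            // subject behind while reporting failure to the caller — tear it down.
            safeLogout();
            this.logger.info("系统登录失败，原因：shiro登录校验异常", e);
            return Result.failure(ErrorEnum.INVALID_CERT)
                    .setAuditContent("管理员登录系统失败，原因：shiro登录校验异常，" + who);
        }
    }

    /** Logs the failure text and wraps it into a failure result carrying the same text as audit content. */
    private Result fail(ErrorEnum error, String auditContent) {
        this.logger.info(auditContent);
        return Result.failure(error).setAuditContent(auditContent);
    }

    /** Reads the pending challenge state; anything that is not a map is treated as "no challenge". */
    @SuppressWarnings("unchecked")
    private Map<String, Object> loadChallengeState() {
        Object raw = OperatorUtil.getAttribute(SESSION_CHALLENGE_KEY);
        return raw instanceof Map ? (Map<String, Object>) raw : null;
    }

    /** True when a challenge state exists and its absolute deadline has not passed. */
    private static boolean challengeIsLive(Map<String, Object> pending) {
        if (pending == null || pending.get(KEY_FAILURE_TIME) == null) {
            return false;
        }
        long deadline;
        try {
            deadline = Long.parseLong(String.valueOf(pending.get(KEY_FAILURE_TIME)));
        } catch (NumberFormatException e) {
            return false;
        }
        return deadline >= System.currentTimeMillis();
    }

    /** Drops the challenge value and its deadline so the same challenge cannot be submitted again. */
    private void consumeChallenge(Map<String, Object> pending) {
        pending.remove(KEY_CHALLENGE);
        pending.remove(KEY_FAILURE_TIME);
        OperatorUtil.setAttribute(SESSION_CHALLENGE_KEY, pending);
    }

    /**
     * Maps the PKCS#7 signature/digest OIDs to the digest algorithm id used by the HSM, accepting
     * only SM2+SM3 when the system runs SM2 and only RSA+SHA-256 when it runs RSA.
     *
     * @return the {@code DigestAlgEnum} value, or {@code null} when the combination is not allowed
     */
    private static Integer selectDigestAlg(int systemAlg, String signAlgOid, String digestAlgOid) {
        if (systemAlg == KeyAlgEnum.SM2.value && GMObjectIdentifiers.sm2sign.getId().equals(signAlgOid)) {
            return GMObjectIdentifiers.sm3.getId().equals(digestAlgOid) ? DigestAlgEnum.SM3.value : null;
        }
        if (systemAlg == KeyAlgEnum.RSA.value && PKCSObjectIdentifiers.rsaEncryption.getId().equals(signAlgOid)) {
            return NISTObjectIdentifiers.id_sha256.getId().equals(digestAlgOid) ? DigestAlgEnum.SHA256.value : null;
        }
        return null;
    }

    /** Tears down the current subject without letting a second failure mask the first one. */
    private void safeLogout() {
        try {
            SecurityUtils.getSubject().logout();
        } catch (Exception e) {
            this.logger.warn("登录失败后清理shiro会话异常", e);
        }
    }

    /**
     * Extracts the CN value from a comma-separated DN string.
     *
     * Looks for the first comma AFTER {@code CN=} (the original searched the whole string, which
     * threw or returned garbage when CN was not the first RDN). Without {@code CN=} the DN is
     * returned unchanged; a trailing CN with no following comma is taken to the end of the string.
     * Escaped commas inside the CN value are not handled.
     */
    private String getCnByDn(String dn) {
        if (dn == null) {
            return null;
        }
        int start = dn.indexOf("CN=");
        if (start < 0) {
            return dn;
        }
        start += 3;
        int end = dn.indexOf(',', start);
        return end < 0 ? dn.substring(start) : dn.substring(start, end);
    }
}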
