package com.xdja.pki.ra.middleware.manager.verify;

import com.xdja.pki.auth.service.AuditSignService;
import com.xdja.pki.auth.service.bean.AuditSignBean;
import com.xdja.pki.auth.service.bean.CertInfoDTO;
import com.xdja.pki.auth.service.bean.CertStatusEnum;
import com.xdja.pki.auth.service.bean.DigestAlgEnum;
import com.xdja.pki.auth.service.bean.KeyAlgEnum;
import com.xdja.pki.core.bean.CoreResult;
import com.xdja.pki.core.exception.JSONException;
import com.xdja.pki.ra.cache.CustomerSysCertCache;
import com.xdja.pki.ra.core.asn1.NISTObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.RsaObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.SM2ObjectIdentifiers;
import com.xdja.pki.ra.core.common.CommonVariable;
import com.xdja.pki.ra.core.common.Result;
import com.xdja.pki.ra.core.commonenum.ErrorEnum;
import com.xdja.pki.ra.core.util.cert.CertUtils;
import com.xdja.pki.ra.core.util.cert.HsmUtils;
import com.xdja.pki.ra.core.util.json.JsonUtils;
import com.xdja.pki.ra.manager.dao.model.CustomerSysCertDO;
import com.xdja.pki.ra.manager.sdk.business.CaBusinessManager;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.OptionalInt;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.Strings;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.tags.BindTag;
import org.springframework.web.util.ContentCachingRequestWrapper;

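/**
 * Around-advice that authenticates middleware requests on methods annotated with
 * {@code @MiddlewareHeaderVerify}.
 *
 * <p>The client proves possession of the private key belonging to the certificate whose
 * serial number is sent in the {@code signSn} header. It signs the byte string
 * {@code requestURI || requestBody || timestamp} (no delimiters) and sends the Base64
 * signature in {@code signValue} and the algorithm name in {@code signAlg}. The aspect:
 * <ol>
 *   <li>rejects requests with any of the four headers missing or blank;</li>
 *   <li>rejects requests whose {@code timestamp} lies outside
 *       {@code ±auditSignService.getOffsetTime()} minutes of server time;</li>
 *   <li>resolves the certificate for {@code signSn} (cache or CA, depending on the advised
 *       method name), requires it to be in {@code NORMAL} status and requires
 *       {@code signAlg} to equal the certificate's own signature algorithm, so the
 *       verification algorithm is bound to the certificate rather than chosen freely by
 *       the client;</li>
 *   <li>verifies the signature (BouncyCastle or the HSM, see {@link #verify});</li>
 *   <li>on success replaces the advised method's {@link AuditSignBean} argument with the
 *       verified request data and proceeds.</li>
 * </ol>
 * Any failure returns the corresponding error object from {@link AuditSignService} or
 * {@link ErrorEnum} instead of invoking the advised method.
 *
 * <p>The timestamp window limits, but does not eliminate, replay of a captured request
 * within the window; there is no nonce tracking in this class.
 *
 * <p>Thread-safety: the class holds no mutable state beyond injected singletons.
 */
@Aspect
@Component
/* loaded from: input_file:WEB-INF/classes/com/xdja/pki/ra/middleware/manager/verify/HeaderVerifyAspect.class */
public class HeaderVerifyAspect {
    private static final Logger logger = LoggerFactory.getLogger(HeaderVerifyAspect.class);

    /** Request header carrying the serial number of the signing certificate. */
    private static final String HEADER_SIGN_SN = "signSn";
    /** Request header carrying the client's epoch-millisecond timestamp. */
    private static final String HEADER_TIMESTAMP = "timestamp";
    /** Request header carrying the signature algorithm name (e.g. SHA256withRSA). */
    private static final String HEADER_SIGN_ALG = "signAlg";
    /** Request header carrying the Base64-encoded signature value. */
    private static final String HEADER_SIGN_VALUE = "signValue";

    /** Method names (from the join point signature) for which a certificate lookup is defined. */
    private static final String METHOD_CERT_ISSUE = "certIssue";
    private static final String METHOD_CERT_UPDATE = "certUpdate";
    private static final String METHOD_CERT_CONFIRM = "certConfirm";

    /** Key in the CA's certificate-detail map holding the certificate status (value "status"). */
    private static final String CA_STATUS_KEY = "status";

    /** One shared provider instance; BouncyCastleProvider is safe to reuse across threads. */
    private static final Provider BC_PROVIDER = new BouncyCastleProvider();

    @Autowired
    private AuditSignService auditSignService;

    @Autowired
    private CustomerSysCertCache customerSysCertCache;

    @Autowired
    private CaBusinessManager caBusinessManager;

    /** Pointcut: every method annotated with {@code MiddlewareHeaderVerify}. */
    @Pointcut("@annotation(com.xdja.pki.ra.middleware.manager.verify.MiddlewareHeaderVerify)")
    public void headerVerify() {
    }

    /**
     * Verifies the request headers and, on success, proceeds to the advised method with the
     * verified {@link AuditSignBean} injected into its argument list.
     *
     * @param proceedingJoinPoint the advised call; its signature name selects the certificate
     *                            lookup strategy (see {@link #getCertInfo})
     * @return the advised method's return value, or an error object from
     *         {@link AuditSignService} / {@link ErrorEnum} when verification fails
     */
    @Around("headerVerify()")
    public Object authAdmin(ProceedingJoinPoint proceedingJoinPoint) {
        String methodName = proceedingJoinPoint.getSignature().getName();
        try {
            ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
            HttpServletRequestWrapper wrapper = (HttpServletRequestWrapper) attributes.getRequest();
            HttpServletResponse response = attributes.getResponse();
            ContentCachingRequestWrapper request = unwrapCachingRequest(wrapper);

            String signSn = request.getHeader(HEADER_SIGN_SN);
            String timestamp = request.getHeader(HEADER_TIMESTAMP);
            String signAlg = request.getHeader(HEADER_SIGN_ALG);
            String signValue = request.getHeader(HEADER_SIGN_VALUE);
            if (StringUtils.isAnyBlank(signSn, timestamp, signAlg, signValue)) {
                return this.auditSignService.getIllegalParamError(response);
            }

            // A non-numeric timestamp is a malformed request, not a server fault.
            long clientTime;
            try {
                clientTime = Long.parseLong(timestamp);
            } catch (NumberFormatException e) {
                return this.auditSignService.getIllegalParamError(response);
            }
            // Symmetric window: a timestamp far in the future is as invalid as one far in the
            // past; a one-sided check would let future-dated signatures through indefinitely.
            long windowMillis = this.auditSignService.getOffsetTime() * 60L * 1000L;
            if (Math.abs(System.currentTimeMillis() - clientTime) > windowMillis) {
                if (logger.isDebugEnabled()) {
                    logger.debug("中间件服务Header验签失败，原因：客户端时间与服务器时间不一致");
                }
                return this.auditSignService.getVerifyTimeError(response);
            }

            byte[] signedData = constructBusinessData(request, timestamp);
            CoreResult verifyResult = verifySign(signSn, signAlg, signValue, signedData, methodName, response);
            if (!verifyResult.isSuccess()) {
                // On failure getInfo() carries the error response object to return to the caller.
                return verifyResult.getInfo();
            }

            AuditSignBean auditSignBean = new AuditSignBean();
            auditSignBean.setSn(signSn);
            // On success getInfo() carries the resolved KeyAlgEnum value.
            auditSignBean.setKeyAlg(((Integer) verifyResult.getInfo()).intValue());
            auditSignBean.setTimestamp(timestamp);
            auditSignBean.setSign(signValue);
            // NOTE(review): behind a reverse proxy this is the proxy's address — confirm whether
            // the audit trail needs the forwarded client address instead.
            auditSignBean.setIp(request.getRemoteAddr());
            auditSignBean.setContent(new String(signedData, StandardCharsets.UTF_8));

            Object[] args = proceedingJoinPoint.getArgs();
            injectAuditSignBean(args, auditSignBean);
            return proceedingJoinPoint.proceed(args);
        } catch (Throwable th) {
            // Boundary catch: anything unexpected (including a missing request context) becomes
            // an internal error rather than propagating out of the advice.
            logger.error("中间件服务Header验签失败", th);
            return this.auditSignService.getServerInternalError(null);
        }
    }

    /**
     * Returns the {@link ContentCachingRequestWrapper} for the current request, which is either
     * the request object itself or the request it wraps.
     */
    private static ContentCachingRequestWrapper unwrapCachingRequest(HttpServletRequestWrapper wrapper) {
        if (wrapper instanceof ContentCachingRequestWrapper) {
            return (ContentCachingRequestWrapper) wrapper;
        }
        return (ContentCachingRequestWrapper) wrapper.getRequest();
    }

    /**
     * Replaces the first argument whose runtime class is exactly {@link AuditSignBean} with the
     * verified bean. A {@code null} slot is not replaced, so the advised method must already
     * receive a (possibly empty) bean instance.
     */
    private static void injectAuditSignBean(Object[] args, AuditSignBean auditSignBean) {
        for (int idx = 0; idx < args.length; idx++) {
            Object arg = args[idx];
            // Exact class match, not instanceof: subclasses are deliberately left untouched.
            if (arg != null && arg.getClass() == AuditSignBean.class) {
                args[idx] = auditSignBean;
                return;
            }
        }
    }

    /**
     * Builds the signed byte string {@code requestURI || body || timestamp}.
     *
     * <p>The three parts are concatenated without any delimiter, so the layout must match the
     * signer exactly. Strings are encoded as UTF-8 explicitly so the result does not depend on
     * the JVM's platform charset.
     *
     * <p>NOTE(review): {@link ContentCachingRequestWrapper#getContentAsByteArray()} returns only
     * the bytes that have already been read through the wrapper; confirm the body is consumed
     * before this aspect runs, otherwise the body part is empty.
     *
     * @param request   the cached request
     * @param timestamp the raw {@code timestamp} header value
     * @return the data the client signature is verified against
     */
    private byte[] constructBusinessData(ContentCachingRequestWrapper request, String timestamp) throws JSONException, UnsupportedEncodingException {
        byte[] uri = request.getRequestURI().getBytes(StandardCharsets.UTF_8);
        byte[] body = request.getContentAsByteArray();
        byte[] ts = timestamp.getBytes(StandardCharsets.UTF_8);
        byte[] signed = new byte[uri.length + body.length + ts.length];
        System.arraycopy(uri, 0, signed, 0, uri.length);
        System.arraycopy(body, 0, signed, uri.length, body.length);
        System.arraycopy(ts, 0, signed, uri.length + body.length, ts.length);
        if (logger.isDebugEnabled()) {
            // Debug only: this dumps the full request body.
            logger.debug("待签名数据原文： " + Arrays.toString(signed));
        }
        return signed;
    }

    /**
     * Resolves the signing certificate, validates its status and algorithm, and verifies the
     * signature.
     *
     * @param signSn     certificate serial number from the request
     * @param signAlg    signature algorithm name from the request
     * @param signValue  Base64-encoded signature from the request
     * @param signedData data produced by {@link #constructBusinessData}
     * @param methodName advised method name, selects the certificate lookup strategy
     * @param response   current response, passed through to the error builders
     * @return success carrying the resolved {@link KeyAlgEnum} value as an {@link Integer},
     *         or failure carrying the error object to return to the client
     */
    private CoreResult verifySign(String signSn, String signAlg, String signValue, byte[] signedData, String methodName, HttpServletResponse response) {
        if (logger.isDebugEnabled()) {
            logger.debug("中间件服务Header验签签名结构体原文：{}", new String(signedData, StandardCharsets.UTF_8));
            logger.debug("中间件服务Header验签PKCS#7签名结构体：{}", signValue);
        }
        CertInfoDTO certInfo = getCertInfo(signSn, methodName);
        if (null == certInfo) {
            if (logger.isDebugEnabled()) {
                logger.debug("中间件服务Header验签失败，原因：{}对应的证书不存在", signSn);
            }
            return CoreResult.failure(this.auditSignService.getCertNotExistError(response));
        }
        if (certInfo.getStatus() != CertStatusEnum.NORMAL.value) {
            if (logger.isDebugEnabled()) {
                logger.debug("中间件服务Header验签失败，原因：证书状态异常");
            }
            return CoreResult.failure(this.auditSignService.getCertStatusError(certInfo.getStatus(), response));
        }
        // Bind the algorithm to the certificate: the client may not pick a different one.
        // signAlg is known non-blank here, so calling equalsIgnoreCase on it is null-safe
        // even if the certificate record has no algorithm set.
        if (!signAlg.equalsIgnoreCase(certInfo.getSignAlg())) {
            if (logger.isDebugEnabled()) {
                logger.debug("中间件服务Header验签失败，原因：请求使用的签名算法与证书的签名算法不一致。证书的签名算法为：{}", certInfo.getSignAlg());
            }
            return CoreResult.failure(ErrorEnum.SIGN_ALG_NOT_EQUAL.resp(response));
        }

        // Locale.ROOT keeps the substring matches below stable regardless of the JVM locale.
        String upperAlg = signAlg.toUpperCase(Locale.ROOT);
        OptionalInt keyAlgOpt = resolveKeyAlg(upperAlg);
        if (!keyAlgOpt.isPresent()) {
            logger.debug("中间件服务验签失败，原因：不支持的签名算法，signAlg={}", signAlg);
            return CoreResult.failure(ErrorEnum.NOT_SUPPORTED_SIGN_ALG.resp(response));
        }
        int keyAlg = keyAlgOpt.getAsInt();

        byte[] signature;
        try {
            signature = Base64.decode(signValue);
        } catch (Exception e) {
            logger.error("中间件服务Header中的signStr不是Base64格式", e);
            return CoreResult.failure(ErrorEnum.ILLEGAL_REQUEST_PARAMETER.resp(response));
        }

        OptionalInt digestAlgOpt = resolveDigestAlg(keyAlg, upperAlg);
        if (!digestAlgOpt.isPresent()) {
            logger.debug("中间件服务验签失败，原因：不支持的签名摘要算法，[signAlg={},keyAlg={}]", signAlg, Integer.valueOf(keyAlg));
            return CoreResult.failure(ErrorEnum.NOT_SUPPORTED_SIGN_ALG.resp(response));
        }

        if (verify(keyAlg, digestAlgOpt.getAsInt(), certInfo.getPublicKey(), signedData, signature)) {
            return CoreResult.success(Integer.valueOf(keyAlg));
        }
        if (logger.isDebugEnabled()) {
            logger.debug("中间件服务Header验签失败，原因：验证管理员操作签名失败");
        }
        return CoreResult.failure(this.auditSignService.getVerifySignFailError(response));
    }

    /**
     * Maps an upper-cased signature algorithm name to a {@link KeyAlgEnum} value by substring
     * match, in the order RSA, SM2, NIST/ECDSA, ED25519.
     *
     * @return the key algorithm value, or empty when the name matches none of the supported keys
     */
    private static OptionalInt resolveKeyAlg(String upperAlg) {
        if (upperAlg.contains(KeyAlgEnum.RSA.desc)) {
            return OptionalInt.of(KeyAlgEnum.RSA.value);
        }
        if (upperAlg.contains(KeyAlgEnum.SM2.desc)) {
            return OptionalInt.of(KeyAlgEnum.SM2.value);
        }
        if (upperAlg.contains(KeyAlgEnum.NIST.desc) || upperAlg.contains("ECDSA")) {
            return OptionalInt.of(KeyAlgEnum.NIST.value);
        }
        if (upperAlg.contains(KeyAlgEnum.ED25519.desc)) {
            return OptionalInt.of(KeyAlgEnum.ED25519.value);
        }
        return OptionalInt.empty();
    }

    /**
     * Maps an upper-cased signature algorithm name to the {@link DigestAlgEnum} value allowed for
     * the given key algorithm: SM2 requires SM3; RSA accepts SHA1/SHA256/SHA384/SHA512; NIST
     * accepts SHA256/SHA384/SHA512; ED25519 is fixed to SHA512.
     *
     * @return the digest algorithm value, or empty when the combination is not supported
     */
    private static OptionalInt resolveDigestAlg(int keyAlg, String upperAlg) {
        if (keyAlg == KeyAlgEnum.SM2.value) {
            return firstMatchingDigest(upperAlg, DigestAlgEnum.SM3);
        }
        if (keyAlg == KeyAlgEnum.RSA.value) {
            return firstMatchingDigest(upperAlg, DigestAlgEnum.SHA1, DigestAlgEnum.SHA256, DigestAlgEnum.SHA384, DigestAlgEnum.SHA512);
        }
        if (keyAlg == KeyAlgEnum.NIST.value) {
            return firstMatchingDigest(upperAlg, DigestAlgEnum.SHA256, DigestAlgEnum.SHA384, DigestAlgEnum.SHA512);
        }
        if (keyAlg == KeyAlgEnum.ED25519.value) {
            return OptionalInt.of(DigestAlgEnum.SHA512.value);
        }
        return OptionalInt.empty();
    }

    /** Returns the value of the first candidate whose {@code desc} occurs in {@code upperAlg}. */
    private static OptionalInt firstMatchingDigest(String upperAlg, DigestAlgEnum... candidates) {
        for (DigestAlgEnum candidate : candidates) {
            if (upperAlg.contains(candidate.desc)) {
                return OptionalInt.of(candidate.value);
            }
        }
        return OptionalInt.empty();
    }

    /**
     * Looks up the certificate for {@code signSn} according to the advised method:
     * {@code certIssue} uses the customer-system certificate cache only; {@code certUpdate}
     * always asks the CA; {@code certConfirm} prefers the cache and falls back to the CA.
     * Any other method name is rejected.
     *
     * @return the certificate info, or {@code null} when none is found or the method is unknown
     */
    private CertInfoDTO getCertInfo(String signSn, String methodName) {
        switch (methodName) {
            case METHOD_CERT_ISSUE: {
                CustomerSysCertDO cached = this.customerSysCertCache.getCustomerSysCert(signSn);
                return cached == null ? null : convert(cached);
            }
            case METHOD_CERT_UPDATE:
                logger.info("证书更新");
                return buildCertInfo(signSn);
            case METHOD_CERT_CONFIRM: {
                CustomerSysCertDO cached = this.customerSysCertCache.getCustomerSysCert(signSn);
                logger.info("证书确认");
                return cached == null ? buildCertInfo(signSn) : convert(cached);
            }
            default:
                logger.error("中间件服务Header验签，不支持的方法:{}", methodName);
                return null;
        }
    }

    /**
     * Builds a {@link CertInfoDTO} from the CA's certificate-detail record for {@code signSn}.
     *
     * @return the populated DTO, or {@code null} when the CA has no record or its public key
     *         cannot be parsed
     */
    private CertInfoDTO buildCertInfo(String signSn) {
        Map<String, Object> certOption = certOptionMap(signSn);
        if (certOption == null) {
            return null;
        }
        CertInfoDTO certInfo = new CertInfoDTO();
        certInfo.setSn((String) certOption.get("sn"));
        certInfo.setSubject((String) certOption.get("subject"));
        certInfo.setSignAlg((String) certOption.get("sigAlgName"));
        certInfo.setStatus(((Integer) certOption.get(CA_STATUS_KEY)).intValue());
        try {
            certInfoWrapPublicKey(certInfo, (String) certOption.get("subjectPublicKeyInfo"));
            certInfo.setData("");
            return certInfo;
        } catch (Exception e) {
            logger.error("证书更新业务验签阶段，从ca获取证书公钥解析组装异常" + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Parses a hex-encoded DER {@code SubjectPublicKeyInfo} and sets the key algorithm and
     * {@link PublicKey} on the DTO. The curve parameters decide SM2 vs NIST; the algorithm OID
     * decides Ed25519; everything else is treated as RSA.
     */
    private void certInfoWrapPublicKey(CertInfoDTO certInfo, String hexSpki) throws Exception {
        SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(Hex.decode(Strings.toByteArray(hexSpki)));
        Object curveParams = spki.getAlgorithm().getParameters();
        Object keyAlgOid = spki.getAlgorithm().getAlgorithm();
        if (SM2ObjectIdentifiers.sm2256.equals(curveParams)) {
            wrapPublicKey(certInfo, KeyAlgEnum.SM2.value, "EC", spki);
        } else if (NISTObjectIdentifiers.nist256.equals(curveParams)
                || NISTObjectIdentifiers.nist384.equals(curveParams)
                || NISTObjectIdentifiers.nist512.equals(curveParams)) {
            wrapPublicKey(certInfo, KeyAlgEnum.NIST.value, "EC", spki);
        } else if (EdECObjectIdentifiers.id_Ed25519.equals(keyAlgOid)) {
            wrapPublicKey(certInfo, KeyAlgEnum.ED25519.value, "Ed25519", spki);
        } else {
            // Default branch: any other key is assumed to be RSA and will fail in the
            // KeyFactory if it is not.
            wrapPublicKey(certInfo, KeyAlgEnum.RSA.value, "RSA", spki);
        }
    }

    /**
     * Sets {@code keyAlg} on the DTO and decodes the public key with the BouncyCastle
     * {@link KeyFactory} for {@code keyFactoryAlgorithm}.
     */
    private static void wrapPublicKey(CertInfoDTO certInfo, int keyAlg, String keyFactoryAlgorithm, SubjectPublicKeyInfo spki) throws Exception {
        certInfo.setKeyAlg(keyAlg);
        PublicKey publicKey = KeyFactory.getInstance(keyFactoryAlgorithm, BC_PROVIDER)
                .generatePublic(new X509EncodedKeySpec(spki.getEncoded()));
        certInfo.setPublicKey(publicKey);
    }

    /**
     * Fetches the certificate-detail record for {@code signSn} from the CA as a JSON map.
     *
     * @return the parsed map, or {@code null} when the CA call did not succeed
     */
    private Map<String, Object> certOptionMap(String signSn) {
        Result caResult = this.caBusinessManager.getCertDetailInfoBySingSn(signSn);
        if (!caResult.isSuccess()) {
            logger.info("根据sn查询CA服务返回数据为null");
            return null;
        }
        String json = (String) caResult.getInfo();
        // NOTE(review): logs the CA response verbatim at info level — confirm it carries only
        // public certificate metadata.
        logger.info("根据sn查询CA服务返回数据:" + json);
        @SuppressWarnings("unchecked")
        Map<String, Object> parsed = (Map<String, Object>) JsonUtils.json2Object(json, Map.class);
        return parsed;
    }

    /**
     * Converts a cached customer-system certificate record into a {@link CertInfoDTO}. The key
     * algorithm is derived from the certificate's own signature-algorithm OID: Ed25519 by exact
     * match, NIST/RSA by OID-arc prefix, anything else SM2.
     */
    private CertInfoDTO convert(CustomerSysCertDO customerSysCert) {
        CertInfoDTO certInfo = new CertInfoDTO();
        X509Certificate certificate = CertUtils.getCertFromStr(customerSysCert.getCertInfo());
        certInfo.setPublicKey(certificate.getPublicKey());
        certInfo.setSn(customerSysCert.getCertSn());
        certInfo.setStatus(customerSysCert.getCertStatus().intValue());
        certInfo.setSignAlg(customerSysCert.getSignAlg());
        certInfo.setKeyAlg(keyAlgFromSigAlgOid(certificate.getSigAlgOID()));
        certInfo.setData(customerSysCert.getCertInfo());
        certInfo.setSubject(customerSysCert.getCertDn());
        return certInfo;
    }

    /** Maps a signature-algorithm OID string to a {@link KeyAlgEnum} value; SM2 is the fallback. */
    private static int keyAlgFromSigAlgOid(String sigAlgOid) {
        if (sigAlgOid.equals(EdECObjectIdentifiers.id_Ed25519.getId())) {
            return KeyAlgEnum.ED25519.value;
        }
        if (sigAlgOid.contains(NISTObjectIdentifiers.ansi_X9_62.getId())) {
            return KeyAlgEnum.NIST.value;
        }
        if (sigAlgOid.contains(RsaObjectIdentifiers.rsaAlgorithm.getId())) {
            return KeyAlgEnum.RSA.value;
        }
        return KeyAlgEnum.SM2.value;
    }

    /**
     * Verifies {@code signature} over {@code data} with {@code publicKey}. Verification is done
     * in software (BouncyCastle) when no HSM is configured or the key is Ed25519, otherwise on the
     * HSM. Any exception is treated as a failed verification (fail closed).
     *
     * <p>NOTE(review): {@code keyAlg} comes from {@code com.xdja.pki.auth.service.bean.KeyAlgEnum}
     * but the Ed25519 comparison uses {@code com.xdja.pki.ra.core.commonenum.KeyAlgEnum}; confirm
     * the two enums share values.
     *
     * @param keyAlg    resolved key algorithm value
     * @param digestAlg resolved digest algorithm value
     * @param publicKey the certificate's public key
     * @param data      signed data
     * @param signature decoded signature bytes
     * @return {@code true} only when the signature verifies
     */
    private boolean verify(int keyAlg, int digestAlg, PublicKey publicKey, byte[] data, byte[] signature) {
        boolean verified = false;
        logger.info("keyAlg:" + keyAlg + " digestAlg:" + digestAlg);
        try {
            boolean useSoftwareVerify = 0 == CommonVariable.getIsHsm().intValue()
                    || keyAlg == com.xdja.pki.ra.core.commonenum.KeyAlgEnum.ED25519.value;
            verified = useSoftwareVerify
                    ? HsmUtils.verifyByBCWithAlgId(digestAlg, keyAlg, publicKey, data, signature)
                    : HsmUtils.verifyByYunHsmWithAlgId(digestAlg, keyAlg, publicKey, data, signature);
        } catch (Exception e) {
            logger.error(" =================== 加密机验签异常{}", e.toString(), e);
        }
        if (!verified) {
            logger.info(" =================== 加密机验签失败");
        }
        logger.info("=========================== " + verified);
        return verified;
    }
}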
