package com.xdja.pki.ra.openapi.core.helper;

import com.xdja.ca.asn1.NISTObjectIdentifiers;
import com.xdja.ca.asn1.SM2EnvelopedData;
import com.xdja.ca.pkcs7.Pkcs7Utils;
import com.xdja.ca.utils.SdkHsmUtils;
import com.xdja.ca.vo.UserCertInfo;
import com.xdja.pki.core.exception.UtilException;
import com.xdja.pki.gmssl.core.utils.GMSSLByteArrayUtils;
import com.xdja.pki.gmssl.core.utils.GMSSLX509Utils;
import com.xdja.pki.ra.core.asn1.HmacObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.RsaObjectIdentifiers;
import com.xdja.pki.ra.core.asn1.SM2ObjectIdentifiers;
import com.xdja.pki.ra.core.common.CommonVariable;
import com.xdja.pki.ra.core.common.Result;
import com.xdja.pki.ra.core.commonenum.ErrorEnum;
import com.xdja.pki.ra.core.constant.Constants;
import com.xdja.pki.ra.core.pkcs7.SignedAndEnvelopedData;
import com.xdja.pki.ra.core.util.cert.CertUtils;
import com.xdja.pki.ra.core.util.cert.HMacUtils;
import com.xdja.pki.ra.core.util.cert.HsmUtils;
import com.xdja.pki.ra.openapi.core.common.CmpRespCertType;
import com.xdja.pki.ra.openapi.core.skf.SKFUtils;
import com.xdja.pki.ra.openapi.core.skf.asn1.SkfNormalUtils;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1OutputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertOrEncCert;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.KeyRecRepContent;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatus;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.cmp.RevRepContent;
import org.bouncycastle.asn1.cmp.RevRepContentBuilder;
import org.bouncycastle.asn1.cms.EncryptedContentInfo;
import org.bouncycastle.asn1.cms.KeyTransRecipientInfo;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertRequest;
import org.bouncycastle.asn1.crmf.EncryptedValue;
import org.bouncycastle.asn1.crmf.PKIPublicationInfo;
import org.bouncycastle.asn1.crmf.POPOSigningKey;
import org.bouncycastle.asn1.crmf.ProofOfPossession;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/ra-openapi-core-2.0.1-SNAPSHOT.jar:com/xdja/pki/ra/openapi/core/helper/PKIMessageHelper.class */
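/**
 * Static helpers for checking the header and protection of inbound CMP messages and for
 * assembling the RA's CMP response structures (error, certificate, revocation and key-recovery
 * replies).
 *
 * <p>Every public method here either consumes data taken from a peer's request or produces data
 * that is signed with the RA service key, so failures are reported as "not verified" or as an
 * exception rather than being ignored.
 */
public class PKIMessageHelper {
    private static final Logger logger = LoggerFactory.getLogger(PKIMessageHelper.class);

    /** Nonce length, in bytes, that {@link #checkCmpHeaderAndSign} requires. */
    private static final int NONCE_LENGTH = 16;

    /**
     * Validates the header fields of a received CMP message and verifies its protection value.
     *
     * <p>Checks, in order: both nonces are present and 16 bytes long, the sender name is present
     * and at most 60 characters, the header carries a protection algorithm, and finally the
     * protection itself. HMAC-SHA256 protection is checked against {@code bArr3}; any other
     * algorithm is treated as a signature and checked against {@code publicKey}.
     *
     * @param publicKey key used for signature-based protection; may be null for HMAC protection
     * @param pKIHeader header of the received message
     * @param bArr protection value received with the message
     * @param bArr2 bytes the protection was computed over
     * @param algorithmIdentifier algorithm that selects and drives the protection check
     * @param bArr3 shared HMAC key; only read for HMAC protection
     * @return a {@link Result} with an error set when any check fails, otherwise a fresh
     *     {@code Result} with no error set
     */
    public static Result checkCmpHeaderAndSign(PublicKey publicKey, PKIHeader pKIHeader, byte[] bArr, byte[] bArr2, AlgorithmIdentifier algorithmIdentifier, byte[] bArr3) {
        Result result = new Result();
        // Both nonces are optional in the ASN.1 definition, so a peer can omit them; treat a
        // missing nonce like a wrong-length one instead of failing with a NullPointerException.
        int recipNonceLength = nonceLength(pKIHeader.getRecipNonce());
        if (recipNonceLength != NONCE_LENGTH) {
            logger.info("检查消息头和签名 ====== Wrong length of received recip nonce (made up by server). Is[{}] byte but should be 16.", recipNonceLength);
            result.setError(ErrorEnum.WRONG_LEN_OF_RECEIVED_RECIP_NONCE);
            return result;
        }
        int senderNonceLength = nonceLength(pKIHeader.getSenderNonce());
        if (senderNonceLength != NONCE_LENGTH) {
            logger.info(" =================== Wrong length of received sender nonce (made up by server). Is [{}] byte but should be 16.", senderNonceLength);
            result.setError(ErrorEnum.WRONG_LEN_OF_RECEIVED_SENDER_NONCE);
            return result;
        }
        ASN1Encodable name = pKIHeader.getSender().getName();
        logger.debug("第三方系统标识/TboxDeviceNo is:{}", name);
        if (name == null || name.toString().length() > 60) {
            result.setError(ErrorEnum.CMP_REQ_SENDER_IS_ERROR);
            return result;
        }
        AlgorithmIdentifier protectionAlg = pKIHeader.getProtectionAlg();
        if (protectionAlg == null || protectionAlg.getAlgorithm() == null || protectionAlg.getAlgorithm().getId() == null) {
            logger.info("检查消息头和签名 ======  Not possible to get algorithm.");
            result.setError(ErrorEnum.NO_PROTECTION_ALG_IN_PKI_HEADER);
            return result;
        }
        // The check below runs on the algorithmIdentifier argument, not on the header value that
        // was just validated, so it needs its own null guard.
        // NOTE(review): nothing here ties algorithmIdentifier to pKIHeader.getProtectionAlg();
        // confirm that callers pass the header's own value, otherwise the verified algorithm
        // and the advertised one can differ.
        if (algorithmIdentifier == null || algorithmIdentifier.getAlgorithm() == null) {
            logger.info("检查消息头和签名 ======  Not possible to get algorithm.");
            result.setError(ErrorEnum.NO_PROTECTION_ALG_IN_PKI_HEADER);
            return result;
        }
        logger.debug("检查消息头和签名 ====== 校验签名值");
        ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
        logger.debug(" ============= RA收到消息的保护数据算法oid:{}", algorithm.getId());
        boolean protectionValid;
        if (HmacObjectIdentifiers.HmacWithSHA256.getId().equalsIgnoreCase(algorithm.getId())) {
            if (bArr3 == null) {
                result.setError(ErrorEnum.SHARED_KEY_INFO_IS_EMPTY);
                return result;
            }
            try {
                if (logger.isDebugEnabled()) {
                    logger.debug("被hmac计算的原始数据：{}", Base64.toBase64String(bArr2));
                }
                // Neither the shared key nor the expected MAC is written to the log: either
                // value would let a reader of the log forge protection for this sender.
                String hmacSha256 = HMacUtils.hmacSha256(bArr2, bArr3);
                // Constant-time comparison, so the time taken does not reveal how many leading
                // bytes of a guessed MAC were correct.
                // NOTE(review): getBytes() uses the platform charset; confirm the encoding the
                // peer uses for the MAC string and pin it explicitly.
                protectionValid = bArr != null && Arrays.constantTimeAreEqual(hmacSha256.getBytes(), bArr);
            } catch (Exception e) {
                logger.error("检查消息头和签名 ====== 对PKIMessage消息体进行hmac计算异常", e);
                result.setError(ErrorEnum.PKI_MESSAGE_HMAC_CALCULATE_EXCEPTION);
                return result;
            }
        } else {
            if (publicKey == null) {
                result.setError(ErrorEnum.THE_PKIMESSAGE_HEADER_NO_EXTRACERTS);
                return result;
            }
            try {
                if (logger.isDebugEnabled()) {
                    logger.debug("原始数据:{}", Base64.toBase64String(bArr2));
                    logger.debug("签名之后的数据{}", Base64.toBase64String(bArr));
                }
                // NOTE(review): the two verifiers receive (data, signature) in opposite orders;
                // confirm against the HsmUtils signatures that both orders are intended.
                if (0 != CommonVariable.getIsHsm().intValue()) {
                    protectionValid = HsmUtils.verifyCertByYunHsmWithOid(algorithm.getId(), publicKey, bArr2, bArr);
                } else {
                    protectionValid = HsmUtils.verifyCertByBCWithOid(algorithm.getId(), publicKey, bArr, bArr2);
                }
            } catch (Exception e2) {
                logger.error("检查消息头和签名 ======  Not possible to verify signature", e2);
                result.setError(ErrorEnum.VERIFY_PKI_HEADER_SIGN_EXCEPTION);
                return result;
            }
        }
        if (protectionValid) {
            return result;
        }
        logger.info("检查消息头和签名 ====== verify_pki_message_protection_error");
        result.setError(ErrorEnum.VERIFY_PKI_MESSAGE_PROTECTION_ERROR);
        return result;
    }

    /** Returns the nonce length in bytes, or -1 when the header carries no such nonce. */
    private static int nonceLength(ASN1OctetString nonce) {
        return nonce == null ? -1 : nonce.getOctets().length;
    }

    /**
     * Verifies a signature proof-of-possession that is computed over a POPOSigningKeyInput.
     *
     * <p>The input's sender name must equal the certificate template's subject and its public
     * key must equal the template's public key (each check is skipped when the template omits
     * that field). Only then is the signature verified over the encoded input.
     *
     * @param certRequest request whose template is compared with the POP input
     * @param proofOfPossession proof-of-possession taken from the request
     * @param publicKey key the signature is verified with
     * @return true only when the consistency checks pass and the signature verifies; false when
     *     the proof is absent, is not a signature proof, has no POPOSigningKeyInput, or does
     *     not match the template
     * @throws Exception if the signature algorithm is unavailable or verification fails
     *     abnormally
     */
    public static boolean verifyPopoSign(CertRequest certRequest, ProofOfPossession proofOfPossession, PublicKey publicKey) throws Exception {
        // Fail closed on anything other than a signature proof: getObject() returns a different
        // type for the other proof-of-possession choices.
        ASN1Encodable popObject = proofOfPossession == null ? null : proofOfPossession.getObject();
        if (!(popObject instanceof POPOSigningKey)) {
            logger.info("Proof of possession is absent or is not a signature proof.");
            return false;
        }
        POPOSigningKey signingKey = (POPOSigningKey) popObject;
        org.bouncycastle.asn1.crmf.POPOSigningKeyInput poposkInput = signingKey.getPoposkInput();
        if (poposkInput == null) {
            // The input is optional; without it there is nothing for this method to verify.
            logger.info("POPOSigningKey carries no POPOSigningKeyInput.");
            return false;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Using POPOSigningKeyInput as POPO input.");
        }
        boolean inputMatchesTemplate = true;
        X500Name subject = certRequest.getCertTemplate().getSubject();
        if (subject != null) {
            // The sender is absent when the input authenticates with a MAC instead of a name;
            // treat that as a mismatch rather than dereferencing null.
            GeneralName sender = poposkInput.getSender();
            if (sender == null || !subject.toString().equals(sender.getName().toString())) {
                logger.error("Subject [{}], is not equal to [{}].", subject, sender);
                inputMatchesTemplate = false;
            }
        }
        SubjectPublicKeyInfo templateKey = certRequest.getCertTemplate().getPublicKey();
        if (templateKey != null && !Arrays.areEqual(templateKey.getEncoded(), poposkInput.getPublicKey().getEncoded())) {
            logger.info("Subject key in cert template, is not equal to subject key in POPOSigningKeyInput.");
            inputMatchesTemplate = false;
        }
        if (!inputMatchesTemplate) {
            return false;
        }
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ASN1OutputStream.create(byteArrayOutputStream).writeObject(poposkInput);
        byte[] signedBytes = byteArrayOutputStream.toByteArray();
        AlgorithmIdentifier algorithmIdentifier = signingKey.getAlgorithmIdentifier();
        if (logger.isDebugEnabled()) {
            logger.debug("POP protection bytes length: {}", signedBytes.length);
            logger.debug("POP algorithm identifier is: {}", algorithmIdentifier.getAlgorithm().getId());
        }
        // NOTE(review): the algorithm OID comes from the request and is not restricted here,
        // and publicKey is not compared with the template key; confirm callers pass the key
        // being certified and limit the accepted algorithms.
        Signature signature = Signature.getInstance(algorithmIdentifier.getAlgorithm().getId(), "BC");
        signature.initVerify(publicKey);
        signature.update(signedBytes);
        return signature.verify(signingKey.getSignature().getBytes());
    }

    /**
     * Builds a CMP error body.
     *
     * @param pKIStatus status to report
     * @param i error code
     * @param str free-text error detail
     * @return the assembled error content
     */
    public static ErrorMsgContent genErrorMsgContent(PKIStatus pKIStatus, int i, String str) {
        PKIStatusInfo statusInfo = new PKIStatusInfo(pKIStatus);
        return new ErrorMsgContent(statusInfo, new ASN1Integer(i), new PKIFreeText(str));
    }

    /**
     * Builds and signs a PKIMessage without header free text and without a CA chain.
     *
     * @see #generatePKIMessage(GeneralName, GeneralName, int, byte[], byte[], String,
     *     ASN1Encodable, String, String)
     */
    public static PKIMessage generatePKIMessage(GeneralName generalName, GeneralName generalName2, int i, byte[] bArr, byte[] bArr2, String str, ASN1Encodable aSN1Encodable) {
        return generatePKIMessage(generalName, generalName2, i, bArr, bArr2, str, aSN1Encodable, null, null);
    }

    /**
     * Builds a PKIMessage, signs its header and body with the RA service key and attaches the
     * RA service certificate (plus an optional CA chain) as extra certificates.
     *
     * @param generalName recipient placed in the header
     * @param generalName2 sender placed in the header
     * @param i body type tag
     * @param bArr recipient nonce
     * @param bArr2 sender nonce
     * @param str transaction id; its bytes become the header's transactionID
     * @param aSN1Encodable body content
     * @param str2 optional header free text; skipped when null
     * @param str3 optional CA chain resolved with {@code Pkcs7Utils.resolveCertChain}; when
     *     null only the RA service certificate is attached
     * @return the signed message
     * @throws UtilException if signing or certificate packaging fails
     */
    public static PKIMessage generatePKIMessage(GeneralName generalName, GeneralName generalName2, int i, byte[] bArr, byte[] bArr2, String str, ASN1Encodable aSN1Encodable, String str2, String str3) {
        PKIHeaderBuilder pKIHeaderBuilder = new PKIHeaderBuilder(1, generalName2, generalName);
        pKIHeaderBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
        pKIHeaderBuilder.setSenderNonce(new DEROctetString(bArr2));
        pKIHeaderBuilder.setRecipNonce(new DEROctetString(bArr));
        // NOTE(review): getBytes() uses the platform charset; confirm what peers expect before
        // pinning an explicit charset.
        pKIHeaderBuilder.setTransactionID(str.getBytes());
        PKIBody pKIBody = new PKIBody(i, aSN1Encodable);
        if (str2 != null) {
            pKIHeaderBuilder.setFreeText(new PKIFreeText(str2));
        }
        X509Certificate raServiceCert = CommonVariable.getRaServiceCert();
        String sigAlgName = raServiceCert.getSigAlgName();
        String sigAlgOID = raServiceCert.getSigAlgOID();
        logger.debug(" ============== RA封装消息使用的保护算法oid为:{} 保护算法:{}", sigAlgOID, sigAlgName);
        if (sigAlgOID.equalsIgnoreCase(SM2ObjectIdentifiers.sm2SignWithSm3.getId())) {
            pKIHeaderBuilder.setProtectionAlg(new AlgorithmIdentifier(SM2ObjectIdentifiers.sm2SignWithSm3));
        } else if (sigAlgOID.equalsIgnoreCase(RsaObjectIdentifiers.sha1WithRSA.getId())) {
            // SHA-1 signatures are kept for existing peers; SHA-1 is no longer collision
            // resistant, so prefer issuing the RA certificate with a SHA-256 or SM3 algorithm.
            pKIHeaderBuilder.setProtectionAlg(new AlgorithmIdentifier(RsaObjectIdentifiers.sha1WithRSA));
        } else if (sigAlgOID.equalsIgnoreCase(RsaObjectIdentifiers.sha256WithRSA.getId())) {
            pKIHeaderBuilder.setProtectionAlg(new AlgorithmIdentifier(RsaObjectIdentifiers.sha256WithRSA));
        } else if (sigAlgOID.equalsIgnoreCase(NISTObjectIdentifiers.nistSignAlgorithm.getId())) {
            pKIHeaderBuilder.setProtectionAlg(new AlgorithmIdentifier(NISTObjectIdentifiers.nistSignAlgorithm));
        } else {
            // The message is signed with sigAlgName whichever branch is taken, so the header
            // must still name that algorithm; previously it was left without a protectionAlg.
            // Algorithm parameters, if the algorithm needs any, are not carried over.
            logger.warn("RA service certificate uses unlisted signature algorithm oid:{}; advertising it as protectionAlg", sigAlgOID);
            pKIHeaderBuilder.setProtectionAlg(new AlgorithmIdentifier(new ASN1ObjectIdentifier(sigAlgOID)));
        }
        PKIHeader build = pKIHeaderBuilder.build();
        try {
            byte[] protectedBytes = getProtectedBytes(build, pKIBody);
            if (protectedBytes == null) {
                // getProtectedBytes logs and returns null on an encoding failure.
                throw new IllegalStateException("could not encode PKIHeader and PKIBody for signing");
            }
            String protectedB64 = Base64.toBase64String(protectedBytes);
            boolean signWithHsm = 1 == CommonVariable.getIsHsm().intValue()
                    && sigAlgOID.equalsIgnoreCase(SM2ObjectIdentifiers.sm2SignWithSm3.getId());
            String signatureB64 = signWithHsm
                    ? SdkHsmUtils.signByYunHsm(sigAlgName, CommonVariable.getKeyIndex(), CommonVariable.getKeyPwd(), protectedB64)
                    : SdkHsmUtils.signByBC(sigAlgName, CommonVariable.getRaSignPriKey(), protectedB64);
            CMPCertificate[] cMPCertificateArr;
            if (str3 != null) {
                try {
                    logger.debug("使用CA证书链验证用户证书");
                    List<X509Certificate> caChain = Pkcs7Utils.resolveCertChain(str3);
                    // RA service certificate first, followed by the CA chain in resolved order.
                    cMPCertificateArr = new CMPCertificate[caChain.size() + 1];
                    cMPCertificateArr[0] = new CMPCertificate(GMSSLX509Utils.convertCertificate(raServiceCert));
                    int next = 1;
                    for (X509Certificate caCert : caChain) {
                        cMPCertificateArr[next++] = new CMPCertificate(GMSSLX509Utils.convertCertificate(caCert));
                    }
                } catch (Exception e) {
                    throw new UtilException("封装CA证书链证书异常", e);
                }
            } else {
                try {
                    cMPCertificateArr = new CMPCertificate[]{new CMPCertificate(GMSSLX509Utils.convertCertificate(raServiceCert))};
                } catch (Exception e2) {
                    throw new UtilException("封装RA证书链证书异常", e2);
                }
            }
            return new PKIMessage(build, pKIBody, new DERBitString(GMSSLByteArrayUtils.base64Decode(signatureB64)), cMPCertificateArr);
        } catch (Exception e3) {
            // Also wraps the packaging failures thrown just above, which stay available as the
            // cause of this exception.
            throw new UtilException("调用密码机签名异常", e3);
        }
    }

    /**
     * Returns the bytes a message's protection is computed over.
     *
     * @param pKIMessage message whose header and body are encoded
     * @return the encoded bytes, or null when encoding fails
     */
    public static byte[] getProtectedBytes(PKIMessage pKIMessage) {
        return getProtectedBytes(pKIMessage.getHeader(), pKIMessage.getBody());
    }

    /**
     * Encodes a header and body as one sequence, the input to protection and verification.
     *
     * @param pKIHeader header to encode
     * @param pKIBody body to encode
     * @return the encoded sequence, or null when encoding fails (the failure is logged);
     *     callers must treat null as an error and never sign or verify over it
     */
    public static byte[] getProtectedBytes(PKIHeader pKIHeader, PKIBody pKIBody) {
        ASN1EncodableVector protectedPart = new ASN1EncodableVector();
        protectedPart.add(pKIHeader);
        protectedPart.add(pKIBody);
        DERSequence dERSequence = new DERSequence(protectedPart);
        try {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            ASN1OutputStream.create(byteArrayOutputStream).writeObject(dERSequence);
            return byteArrayOutputStream.toByteArray();
        } catch (Exception e) {
            logger.error(e.getLocalizedMessage(), e);
            return null;
        }
    }

    /**
     * Builds a revocation response that rejects the request.
     *
     * @param j not used by this method
     * @param i failure-info bits
     * @param str free-text reason
     * @return a response holding one rejection status
     */
    public static RevRepContent genFailRevRepContent(long j, int i, String str) {
        PKIFailureInfo pKIFailureInfo = new PKIFailureInfo(i);
        PKIStatusInfo pKIStatusInfo = new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText(str), pKIFailureInfo);
        RevRepContentBuilder revRepContentBuilder = new RevRepContentBuilder();
        revRepContentBuilder.add(pKIStatusInfo);
        return revRepContentBuilder.build();
    }

    /**
     * Builds a certificate response message that rejects one request.
     *
     * @param j certificate request id echoed in the response
     * @param i failure-info bits
     * @param str free-text reason
     * @return a message holding one rejection response and no CA certificates
     */
    public static CertRepMessage genFailCertResponse(long j, int i, String str) {
        PKIStatusInfo rejection = new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText(str), new PKIFailureInfo(i));
        CertResponse response = new CertResponse(new ASN1Integer(j), rejection, (CertifiedKeyPair) null, (ASN1OctetString) null);
        return new CertRepMessage((CMPCertificate[]) null, new CertResponse[]{response});
    }

    /**
     * Builds a granted certificate response in one of four layouts selected by {@code i}.
     *
     * <ul>
     *   <li>sign cert: the signing certificate, with request id {@code j}</li>
     *   <li>enc cert and enc private key: the encryption certificate plus the enveloped private
     *       key, with request id -1; the envelope is also placed in rspInfo, converted
     *       according to {@code num} for SM2 certificates</li>
     *   <li>enc cert: the encryption certificate alone, with request id -1</li>
     *   <li>encrypted enc cert: an encrypted certificate taken from an SM2 enveloped-data
     *       structure, with request id {@code j}</li>
     * </ul>
     *
     * @param j certificate request id
     * @param userCertInfo issued certificates and the enveloped private key
     * @param i one of the {@link CmpRespCertType} values
     * @param num key format; only read for the "enc cert and enc private key" layout
     * @return the response, or null when {@code i} matches none of the four layouts
     * @throws Exception if a certificate or envelope cannot be parsed or encoded
     */
    public static CertResponse genCertResponse(long j, UserCertInfo userCertInfo, int i, Integer num) throws Exception {
        PKIStatusInfo granted = new PKIStatusInfo(PKIStatus.granted);
        if (CmpRespCertType.GEN_CERT_RESPONSE_SIGN_CERT_1.value == i) {
            CertOrEncCert signCert = new CertOrEncCert(CertUtils.getCMPCert(CertUtils.getCertFromStr(userCertInfo.getSignCert()))[0]);
            return new CertResponse(new ASN1Integer(j), granted, new CertifiedKeyPair(signCert), (ASN1OctetString) null);
        }
        if (CmpRespCertType.GEN_CERT_RESPONSE_ENC_CERT_AND_ENC_PRI_KEY_2.value == i) {
            X509Certificate certFromStr = CertUtils.getCertFromStr(userCertInfo.getEncCert());
            CertOrEncCert certOrEncCert = new CertOrEncCert(CertUtils.getCMPCert(certFromStr)[0]);
            SignedAndEnvelopedData signedAndEnvelopedData = new SignedAndEnvelopedData(ASN1Sequence.getInstance(Base64.decode(userCertInfo.getEncPriKey())));
            EncryptedValue encryptedKey = toEncryptedValue(signedAndEnvelopedData.getRecipientInfos(), signedAndEnvelopedData.getEncryptedContentInfo());
            CertifiedKeyPair keyPair = new CertifiedKeyPair(certOrEncCert, encryptedKey, (PKIPublicationInfo) null);
            byte[] envelope = encodeEnvelopeForKeyFormat(signedAndEnvelopedData, certFromStr, num);
            return new CertResponse(new ASN1Integer(-1L), granted, keyPair, new DEROctetString(Base64.encode(envelope)));
        }
        if (CmpRespCertType.GEN_CERT_RESPONSE_ENC_CERT_3.value == i) {
            CertOrEncCert encCert = new CertOrEncCert(CertUtils.getCMPCert(CertUtils.getCertFromStr(userCertInfo.getEncCert()))[0]);
            return new CertResponse(new ASN1Integer(-1L), granted, new CertifiedKeyPair(encCert), (ASN1OctetString) null);
        }
        if (CmpRespCertType.GEN_CERT_RESPONSE_ENC_ENC_CERT_4.value == i) {
            // NOTE(review): in this layout getEncCert() is parsed as SM2 enveloped data rather
            // than as a certificate; confirm that is what the caller stores there.
            SM2EnvelopedData sM2EnvelopedData = SM2EnvelopedData.getInstance(userCertInfo.getEncCert());
            EncryptedValue encryptedCert = toEncryptedValue(sM2EnvelopedData.getRecipientInfos(), sM2EnvelopedData.getEncryptedContentInfo());
            CertifiedKeyPair keyPair = new CertifiedKeyPair(new CertOrEncCert(encryptedCert));
            return new CertResponse(new ASN1Integer(j), granted, keyPair, new DEROctetString(Base64.encode(sM2EnvelopedData.getEncoded())));
        }
        return null;
    }

    /**
     * Maps an enveloped-data structure onto a CRMF EncryptedValue, using the first recipient's
     * wrapped key and key-encryption algorithm.
     */
    private static EncryptedValue toEncryptedValue(ASN1Set recipientInfos, EncryptedContentInfo encryptedContentInfo) {
        AlgorithmIdentifier contentEncryptionAlgorithm = encryptedContentInfo.getContentEncryptionAlgorithm();
        ASN1OctetString encryptedContent = encryptedContentInfo.getEncryptedContent();
        KeyTransRecipientInfo recipient = KeyTransRecipientInfo.getInstance(recipientInfos.getObjectAt(0));
        return new EncryptedValue((AlgorithmIdentifier) null, contentEncryptionAlgorithm,
                new DERBitString(recipient.getEncryptedKey().getOctets()),
                recipient.getKeyEncryptionAlgorithm(), (ASN1OctetString) null,
                new DERBitString(encryptedContent.getOctets()));
    }

    /**
     * Encodes the private-key envelope in the form selected by the key format: one of the two
     * SKF conversions for SM2-signed certificates, otherwise the envelope's own encoding.
     */
    private static byte[] encodeEnvelopeForKeyFormat(SignedAndEnvelopedData envelope, X509Certificate encCert, Integer keyFormat) throws Exception {
        if ("SM3withSM2".equalsIgnoreCase(encCert.getSigAlgName())) {
            if (Constants.KEY_FORMAT_0016_2.equals(keyFormat)) {
                return SKFUtils.makeSkf(envelope.toASN1Primitive().getEncoded(), encCert);
            }
            if (Constants.KEY_FORMAT_0016_NORMAL_3.equals(keyFormat)) {
                return SkfNormalUtils.changeSignedAndEnvelopedDataToSkfEnvelopedKeyBlob(encCert.getPublicKey(), envelope);
            }
        }
        return envelope.toASN1Primitive().getEncoded();
    }

    /**
     * Builds a granted key-recovery response carrying the signing certificate (tag 0) and one
     * key-pair history entry (tag 2) with the encryption certificate and its enveloped
     * private key.
     *
     * @param userCertInfo certificates and enveloped private key to return
     * @return the key-recovery response
     * @throws IOException if an ASN.1 structure cannot be parsed
     * @throws CertificateEncodingException if a certificate cannot be encoded
     */
    public static KeyRecRepContent genKeyRecRepContent(UserCertInfo userCertInfo) throws IOException, CertificateEncodingException {
        ASN1EncodableVector content = new ASN1EncodableVector();
        content.add(new PKIStatusInfo(PKIStatus.granted));
        content.add(new DERTaggedObject(true, 0, new CMPCertificate(CertUtils.getCMPCert(CertUtils.getCertFromStr(userCertInfo.getSignCert()))[0].getX509v3PKCert())));
        CertOrEncCert certOrEncCert = new CertOrEncCert(CertUtils.getCMPCert(CertUtils.getCertFromStr(userCertInfo.getEncCert()))[0]);
        SignedAndEnvelopedData signedAndEnvelopedData = new SignedAndEnvelopedData(ASN1Sequence.getInstance(Base64.decode(userCertInfo.getEncPriKey())));
        EncryptedValue encryptedKey = toEncryptedValue(signedAndEnvelopedData.getRecipientInfos(), signedAndEnvelopedData.getEncryptedContentInfo());
        CertifiedKeyPair certifiedKeyPair = new CertifiedKeyPair(certOrEncCert, encryptedKey, (PKIPublicationInfo) null);
        ASN1EncodableVector keyPairHistory = new ASN1EncodableVector();
        keyPairHistory.add(certifiedKeyPair);
        content.add(new DERTaggedObject(true, 2, new DERSequence(keyPairHistory)));
        return KeyRecRepContent.getInstance(new DERSequence(content));
    }

    /**
     * Builds a key-recovery response that carries only a status.
     *
     * @param i numeric PKIStatus value
     * @return the key-recovery response
     */
    public static KeyRecRepContent genKeyRecRepContent(int i) {
        // With stock Bouncy Castle, PKIStatus.getInstance rejects a boxed Integer, and
        // KeyRecRepContent expects a sequence whose first element is the PKIStatusInfo (the
        // shape genFailKeyRecRepContent builds), so the status is wrapped the same way here.
        PKIStatusInfo statusInfo = new PKIStatusInfo(PKIStatus.getInstance(new ASN1Integer(i)));
        return KeyRecRepContent.getInstance(new DERSequence(statusInfo));
    }

    /**
     * Builds a key-recovery response that rejects the request.
     *
     * @param j not used by this method
     * @param i failure-info bits
     * @param str free-text reason
     * @return the rejection response
     */
    public static KeyRecRepContent genFailKeyRecRepContent(long j, int i, String str) {
        PKIFailureInfo pKIFailureInfo = new PKIFailureInfo(i);
        return KeyRecRepContent.getInstance(new DERSequence(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText(str), pKIFailureInfo)));
    }

    /**
     * Builds a revocation response that grants the request.
     *
     * @return a response holding one granted status
     */
    public static RevRepContent genRevRepContent() {
        PKIStatusInfo pKIStatusInfo = new PKIStatusInfo(PKIStatus.granted);
        RevRepContentBuilder revRepContentBuilder = new RevRepContentBuilder();
        revRepContentBuilder.add(pKIStatusInfo);
        return revRepContentBuilder.build();
    }

    /**
     * Verifies a request's signature proof-of-possession over the encoded CertRequest.
     *
     * @param certReqMsg request message carrying the proof
     * @param publicKey key the signature is verified with
     * @return true only when the signature verifies; false when the proof is absent, is not a
     *     signature proof, or verification fails or throws
     */
    public static boolean checkReqPop(CertReqMsg certReqMsg, PublicKey publicKey) {
        // A request without a proof, or with a non-signature proof, is rejected instead of
        // surfacing as a NullPointerException or ClassCastException in the caller.
        ProofOfPossession popo = certReqMsg.getPopo();
        ASN1Encodable popObject = popo == null ? null : popo.getObject();
        if (!(popObject instanceof POPOSigningKey)) {
            logger.info("Proof of possession is absent or is not a signature proof.");
            return false;
        }
        CertRequest certReq = certReqMsg.getCertReq();
        POPOSigningKey signingKey = (POPOSigningKey) popObject;
        AlgorithmIdentifier algorithmIdentifier = signingKey.getAlgorithmIdentifier();
        DERBitString signature = signingKey.getSignature();
        // NOTE(review): the signature is always checked over the CertRequest, even when the
        // proof carries a POPOSigningKeyInput; confirm callers route that case through
        // verifyPopoSign.
        try {
            String algorithmOid = algorithmIdentifier.getAlgorithm().getId();
            if (0 != CommonVariable.getIsHsm().intValue()) {
                return SdkHsmUtils.verifyCertByYunHsm(algorithmOid, publicKey, certReq.getEncoded(), signature.getBytes());
            }
            return SdkHsmUtils.verifyCertByBC(algorithmOid, publicKey, certReq.getEncoded(), signature.getBytes());
        } catch (Exception e) {
            logger.error("验证POP异常", e);
            return false;
        }
    }
}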
