package com.xdja.ra.helper;

import com.alibaba.fastjson.JSON;
import com.xdja.pki.apache.client.core.ClientKeyStoreConfig;
import com.xdja.pki.apache.client.result.AdaptClientResult;
import com.xdja.pki.apache.client.result.RAClientResult;
import com.xdja.pki.apache.client.utils.ApacheClientHttpUtils;
import com.xdja.pki.core.json.JsonUtils;
import com.xdja.pki.gmssl.core.utils.GMSSLBCSignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLRSASignUtils;
import com.xdja.pki.gmssl.crypto.utils.GMSSLSM2SignUtils;
import com.xdja.pki.gmssl.sdf.SdfSDKException;
import com.xdja.pki.gmssl.x509.utils.bean.GMSSLSignatureAlgorithm;
import com.xdja.ra.asn1.DigestObjectIdentifiers;
import com.xdja.ra.asn1.NISTObjectIdentifiers;
import com.xdja.ra.asn1.RsaObjectIdentifiers;
import com.xdja.ra.asn1.SM2ObjectIdentifiers;
import com.xdja.ra.asn1.SignedAndEnvelopedData;
import com.xdja.ra.asn1.SymmetryObjectIdentifiers;
import com.xdja.ra.bean.BaseCMPInfo;
import com.xdja.ra.bean.ErrorMsg;
import com.xdja.ra.bean.Result;
import com.xdja.ra.bean.UserCertRep;
import com.xdja.ra.constant.SdkCommonVariable;
import com.xdja.ra.constant.SdkConstants;
import com.xdja.ra.error.ErrorEnum;
import com.xdja.ra.sdk.SDKService;
import com.xdja.ra.utils.CertUtils;
import com.xdja.ra.utils.DnUtil;
import com.xdja.ra.utils.SdkBCUtils;
import com.xdja.ra.utils.SdkCertUtils;
import com.xdja.ra.vo.FreeText;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertConfirmContent;
import org.bouncycastle.asn1.cmp.CertOrEncCert;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.CertResponse;
import org.bouncycastle.asn1.cmp.CertStatus;
import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.KeyRecRepContent;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIFreeText;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatus;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.cmp.RevRepContent;
import org.bouncycastle.asn1.cms.EncryptedContentInfo;
import org.bouncycastle.asn1.cms.IssuerAndSerialNumber;
import org.bouncycastle.asn1.cms.KeyTransRecipientInfo;
import org.bouncycastle.asn1.cms.RecipientIdentifier;
import org.bouncycastle.asn1.cms.SignerIdentifier;
import org.bouncycastle.asn1.cms.SignerInfo;
import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
import org.bouncycastle.asn1.crmf.CertReqMessages;
import org.bouncycastle.asn1.crmf.CertReqMsg;
import org.bouncycastle.asn1.crmf.CertRequest;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.crmf.Controls;
import org.bouncycastle.asn1.crmf.EncryptedValue;
import org.bouncycastle.asn1.crmf.ProofOfPossession;
import org.bouncycastle.asn1.nist.NISTNamedCurves;
import org.bouncycastle.asn1.sec.SECObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jce.X509KeyUsage;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.BigIntegers;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/xdja/ra/helper/PKIMessageHelper.class */
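/**
 * Builds, sends and parses CMP (RFC 4210) {@link PKIMessage}s for the RA SDK.
 *
 * <p>Three groups of static helpers live here:
 * <ul>
 *   <li>response validation: {@link #checkCmpHeaderAndSign} checks the header fields and the
 *       protection signature of a response;</li>
 *   <li>request assembly: {@link #genCertRequest}, {@link #genCertReqMessages},
 *       {@link #genPKIMessage}, {@link #genErrorPKIMsg}, {@link #genCertConfirmContent};</li>
 *   <li>response decoding: {@link #resolveVarietyRepMessage} dispatches on the body type and the
 *       {@code resolve*} methods turn each body into a {@link Result}.</li>
 * </ul>
 * The class is stateless apart from its logger and constants, so every method is safe to call
 * from several threads as long as the project utilities it delegates to are.
 */
public class PKIMessageHelper {
    private static final Logger logger = LoggerFactory.getLogger(PKIMessageHelper.class);
    public static final String CERT_HEAD = "-----BEGIN CERTIFICATE-----";
    public static final String CERT_TAIL = "-----END CERTIFICATE-----";

    /** Byte length required for senderNonce / recipNonce and produced by {@link #genRandomByHsm}. */
    private static final int NONCE_LENGTH = 16;

    /** RSA public exponent (F4) used when a bare modulus is turned into a public key in {@link #genCertRequest}. */
    private static final BigInteger RSA_PUBLIC_EXPONENT_F4 = BigInteger.valueOf(65537L);

    /** keyUsage bits requested for a signing certificate ({@code i == 2}): digitalSignature | nonRepudiation (192). */
    private static final int SIGN_CERT_KEY_USAGE = X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation;

    /** keyUsage bits requested for an encryption certificate ({@code i == 3}): keyEncipherment | dataEncipherment | keyAgreement (56). */
    private static final int ENC_CERT_KEY_USAGE = X509KeyUsage.keyEncipherment | X509KeyUsage.dataEncipherment | X509KeyUsage.keyAgreement;

    /** failInfo values that denote an RA-internal error; see {@link #mapFailInfoToResult}. */
    private static final Set<Integer> RA_SERVICE_INNER_ERROR_CODES = Collections.unmodifiableSet(
            new HashSet<Integer>(Arrays.asList(20339, 20340, 20317, 20403, 20334, 20328)));

    /** Inclusive failInfo range the RA uses for user-certificate-info errors reported by the CA. */
    private static final int CA_USER_CERT_INFO_ERROR_MIN = 20502;
    private static final int CA_USER_CERT_INFO_ERROR_MAX = 20506;

    /** One provider instance for all factories; creating a BouncyCastleProvider per call is expensive. */
    private static final Provider BC_PROVIDER = new BouncyCastleProvider();

    /**
     * Validates the header of a CMP response and verifies its protection signature.
     *
     * <p>Checks, in order: the message and header decode; recipNonce and senderNonce are
     * {@value #NONCE_LENGTH} bytes; the transactionID echoes {@code str} (case-insensitive);
     * the senderNonce equals {@code bArr2}; a protectionAlg is present; and the protection
     * verifies under the public key of {@code extraCerts[0]} via {@link SdkBCUtils#verifyCertByBC}.
     *
     * <p>NOTE(review): the verification key comes from the certificate the peer attached to the
     * message itself, so a passing check only proves that the message was signed by whoever
     * supplied that certificate. Nothing in this class validates {@code extraCerts[0]} against a
     * configured trust anchor; callers that rely on this result for RA authenticity must do so.
     *
     * <p>NOTE(review): the nonce comparison uses the response's senderNonce, while the mismatch log
     * text and RFC 4210 (the response's recipNonce echoes the request's senderNonce) refer to the
     * recipNonce. The original behaviour is kept; confirm which field {@code bArr2} should match.
     *
     * @param bArr  DER-encoded PKIMessage received from the RA
     * @param str   transactionID that was sent with the request
     * @param bArr2 nonce that was sent with the request
     * @return {@code Result.success(null)} when every check passes, otherwise a failure carrying
     *         the matching {@link ErrorEnum}
     */
    public static Result checkCmpHeaderAndSign(byte[] bArr, String str, byte[] bArr2) {
        PKIMessage pkiMessage = parsePkiMessage(bArr);
        if (pkiMessage == null) {
            logger.info(" =================== No pkiMessage response message.");
            return Result.failure(ErrorEnum.NO_PKI_MESSAGE_RESP_MESSAGE);
        }
        PKIHeader header = pkiMessage.getHeader();
        if (header == null) {
            logger.info(" =================== No header in response message.");
            return Result.failure(ErrorEnum.NO_HEADER_IN_RESPONSE_MESSAGE);
        }
        // Both nonces are OPTIONAL in PKIHeader, so an absent nonce is a length failure, not an NPE.
        ASN1OctetString recipNonce = header.getRecipNonce();
        if (recipNonce == null || recipNonce.getOctets().length != NONCE_LENGTH) {
            logger.info("检查消息头和签名 ====== Wrong length of received recip nonce (made up by server). Is " + describeNonce(recipNonce) + " but should be 16.");
            return Result.failure(ErrorEnum.WRONG_LEN_OF_RECEIVED_RECIP_NONCE);
        }
        logger.info("第三方唯一标识normal ========== " + header.getRecipient().getName().toString());
        ASN1OctetString transactionId = header.getTransactionID();
        if (str == null || transactionId == null
                || !str.equalsIgnoreCase(new String(transactionId.getOctets(), StandardCharsets.UTF_8))) {
            logger.info(" =================== transid is not the same as the one we sent");
            return Result.failure(ErrorEnum.TRANS_ID_IS_NOT_THE_SAME_AS_WE_SENT);
        }
        ASN1OctetString senderNonce = header.getSenderNonce();
        if (senderNonce == null || senderNonce.getOctets().length != NONCE_LENGTH) {
            logger.info(" =================== Wrong length of received sender nonce (made up by server). Is " + describeNonce(senderNonce) + " but should be 16.");
            return Result.failure(ErrorEnum.WRONG_LEN_OF_RECEIVED_SENDER_NONCE);
        }
        if (!Arrays.equals(senderNonce.getOctets(), bArr2)) {
            logger.info(" =================== recipient nonce not the same as we sent away as the sender nonce. Sent: " + Arrays.toString(bArr2)
                    + " Received senderNonce: " + Arrays.toString(senderNonce.getOctets())
                    + " Received recipNonce: " + Arrays.toString(recipNonce.getOctets()));
            return Result.failure(ErrorEnum.RECIPIENT_NONCE_NOT_THE_SAME_AS_WE_SENT);
        }
        // Null-check before dereferencing the algorithm OID (the original read the id first).
        AlgorithmIdentifier protectionAlg = header.getProtectionAlg();
        if (protectionAlg == null || protectionAlg.getAlgorithm() == null || protectionAlg.getAlgorithm().getId() == null) {
            logger.info("检查消息头和签名 ======  Not possible to get algorithm.");
            return Result.failure(ErrorEnum.NO_PROTECTION_ALG_IN_PKI_HEADER);
        }
        String algorithmId = protectionAlg.getAlgorithm().getId();
        CMPCertificate[] extraCerts = pkiMessage.getExtraCerts();
        if (extraCerts == null || extraCerts.length == 0 || extraCerts[0] == null || pkiMessage.getProtection() == null) {
            logger.info("检查消息头和签名 ====== No extraCerts or no protection in response message.");
            return Result.failure(ErrorEnum.VERIFY_RESP_MESSAGE_ERROR);
        }
        X509Certificate signerCert;
        try {
            signerCert = convertDerCertToCert(extraCerts[0].getEncoded());
        } catch (IOException e) {
            logger.error("验证证书转换异常", e);
            return Result.failure(ErrorEnum.VERIFY_CERT_CONVERSION_ERROR);
        }
        if (signerCert == null) {
            logger.error("验证证书转换异常: extraCerts[0] could not be parsed as an X.509 certificate");
            return Result.failure(ErrorEnum.VERIFY_CERT_CONVERSION_ERROR);
        }
        logger.debug("检查消息头和签名 ====== 校验签名值");
        try {
            boolean verified = SdkBCUtils.verifyCertByBC(algorithmId, signerCert.getPublicKey(),
                    getProtectedBytes(header, pkiMessage.getBody()), pkiMessage.getProtection().getBytes());
            logger.info("验签结果 ====== " + verified);
            if (verified) {
                return Result.success(null);
            }
            logger.info("检查消息头和签名 ====== verify_pki_message_protection_error");
            return Result.failure(ErrorEnum.VERIFY_PKI_MESSAGE_PROTECTION_ERROR);
        } catch (Exception e) {
            logger.error("验证resp消息异常", e);
            return Result.failure(ErrorEnum.VERIFY_RESP_MESSAGE_ERROR);
        }
    }

    /**
     * Decodes a DER-encoded PKIMessage.
     *
     * @param encoded raw bytes, may be null or empty
     * @return the message, or null when the input is absent or not a valid SEQUENCE
     */
    private static PKIMessage parsePkiMessage(byte[] encoded) {
        if (encoded == null || encoded.length == 0) {
            return null;
        }
        try {
            return PKIMessage.getInstance(encoded);
        } catch (IllegalArgumentException e) {
            // ASN1Sequence.getInstance(byte[]) reports a malformed encoding this way.
            logger.info(" =================== Malformed pkiMessage response message.", e);
            return null;
        }
    }

    /** Human-readable length of a possibly absent nonce, for the length-check log lines. */
    private static String describeNonce(ASN1OctetString nonce) {
        return nonce == null ? "absent" : nonce.getOctets().length + " byte";
    }

    /**
     * Builds a CMP error message ({@code PKIBody.TYPE_ERROR}) and posts it to the RA.
     *
     * <p>The ErrorMsgContent carries {@link PKIStatus#rejection}, {@code str2} as status text and
     * {@code i} as errorCode; the header free text is a JSON {@link FreeText} holding the
     * configured user certificate serial number.
     *
     * <p>NOTE(review): {@code x509CertificateArr}, {@code str3} and {@code clientKeyStoreConfig} are
     * accepted but not used — the HTTP call always passes {@code null} for the key store config.
     * Confirm whether the config was meant to be forwarded.
     *
     * @param str                   sender name placed in the PKIHeader (as a URI GeneralName)
     * @param privateKey            key that signs the message
     * @param x509CertificateArr    unused
     * @param x509Certificate       certificate attached as extraCerts
     * @param str2                  status text of the error
     * @param i                     CMP errorCode
     * @param bArr                  recipNonce
     * @param bArr2                 senderNonce
     * @param str3                  transactionID
     * @param str4                  RA endpoint URL
     * @param aSN1ObjectIdentifier  protection (signature) algorithm OID
     * @param clientKeyStoreConfig  unused
     * @return the RA's answer as a {@link Result}, or a failure describing which step broke
     */
    public static Result genErrorPKIMsg(String str, PrivateKey privateKey, X509Certificate[] x509CertificateArr, X509Certificate x509Certificate, String str2, int i, byte[] bArr, byte[] bArr2, String str3, String str4, ASN1ObjectIdentifier aSN1ObjectIdentifier, ClientKeyStoreConfig clientKeyStoreConfig) {
        logger.info("发送错误消息 ======== 1.封装ErrorMsgContent结构体");
        ErrorMsgContent errorContent;
        FreeText freeText;
        try {
            errorContent = genErrorMsgContent(PKIStatus.rejection, str2, i);
            freeText = new FreeText();
            // Locale.ROOT: the serial is hex, so locale-sensitive lower-casing must not apply.
            freeText.setSignSn(SDKService.config.getUserCertSn().toLowerCase(Locale.ROOT));
        } catch (Exception e) {
            logger.error("=============== 封装ErrorMsgContent异常", e);
            return Result.failure(ErrorEnum.ERROR_MSG_CONTENT_EXCEPTION);
        }
        logger.debug("发送错误消息 ======== 2.封装PKIMesage结构体");
        PKIMessage message;
        try {
            message = genPKIMessage(privateKey, str, PKIBody.TYPE_ERROR, bArr, bArr2, str3, errorContent, aSN1ObjectIdentifier, JSON.toJSONString(freeText), x509Certificate);
        } catch (Exception e) {
            logger.error("=============== 封装ErrorMsg的PKIMessage异常", e);
            return Result.failure(ErrorEnum.MAKE_PKI_MESSAGE_EXCEPTION);
        }
        logger.debug("发送错误消息 ======== 3.发送证书错误消息");
        Result result = new Result();
        try {
            RAClientResult clientResponse = AdaptClientResult.getClientResponse(ApacheClientHttpUtils.sendApacheClientRequest(message.getEncoded(), (Map) null, (Map) null, str4, "application/pkixcmp", SDKService.config.getSignName(), SDKService.config.isHttps(), "post", SDKService.config.isUseHsm(), (ClientKeyStoreConfig) null));
            if (!clientResponse.isSuccess().booleanValue()) {
                result.setErrorMsg(new ErrorMsg(clientResponse.getErrorMsg().getErrorCode(), clientResponse.getErrorMsg().getErrorMsg()));
                return result;
            }
            result.setInfo(clientResponse.getInfo());
            logger.debug("发送错误消息 ========正常结束");
            return result;
        } catch (Exception e) {
            logger.error(" ============= 发送证书错误Http请求异常:{}", e.getMessage(), e);
            return Result.failure(ErrorEnum.SEND_HTTP_MESSAGE_EXCEPTION);
        }
    }

    /**
     * Dispatches a CMP response to the decoder matching its body type.
     *
     * <p>Handled types: ip/cp (init/cert reply) via {@link #resolveCertRepMessage}, krp via
     * {@link #resolveKeyRecRepContent}, rp via {@link #resolveRevRepContent}. Any other tag yields
     * {@code RA_NOT_SUPPORT_THIS_CERT_BODY_TAG}.
     *
     * @param bArr DER-encoded PKIMessage
     * @param str  transactionID, used to look up the request's {@link BaseCMPInfo}
     * @param i    unused
     * @return a {@link Result} whose info is the decoded payload, or a failure
     */
    public static Result resolveVarietyRepMessage(byte[] bArr, String str, int i) {
        PKIMessage pkiMessage = parsePkiMessage(bArr);
        if (pkiMessage == null || pkiMessage.getBody() == null) {
            logger.info(" =================== No pkiMessage response message.");
            return Result.failure(ErrorEnum.NO_PKI_MESSAGE_RESP_MESSAGE);
        }
        PKIBody body = pkiMessage.getBody();
        int bodyType = body.getType();
        logger.debug("CMP返回body体的tagNo:" + bodyType);
        Result result = new Result();
        switch (bodyType) {
            case PKIBody.TYPE_INIT_REP:
            case PKIBody.TYPE_CERT_REP:
                try {
                    Result certRep = resolveCertRepMessage(body, str);
                    if (certRep.isSuccess().booleanValue()) {
                        result.setInfo(certRep.getInfo());
                    } else {
                        result.setErrorMsg(certRep.getErrorMsg());
                    }
                    return result;
                } catch (Exception e) {
                    logger.error("解析CertRepMessage异常", e);
                    return Result.failure(ErrorEnum.RESOLVE_CERT_REP_MESSAGE_EXCEPTION);
                }
            case PKIBody.TYPE_KEY_RECOVERY_REP:
                try {
                    Result keyRec = resolveKeyRecRepContent(body);
                    // Propagate the decoder's error instead of silently copying a null info.
                    if (keyRec.isSuccess().booleanValue()) {
                        result.setInfo(keyRec.getInfo());
                    } else {
                        result.setErrorMsg(keyRec.getErrorMsg());
                    }
                    return result;
                } catch (Exception e) {
                    logger.error("解析KeyRecRepContent异常", e);
                    // NOTE(review): no dedicated enum for krp failures exists; the original reused the rp one.
                    return Result.failure(ErrorEnum.RESOLVE_REV_REP_CONTENT_EXCEPTION);
                }
            case PKIBody.TYPE_REVOCATION_REP:
                try {
                    Result revRep = resolveRevRepContent(body);
                    if (revRep.isSuccess().booleanValue()) {
                        result.setInfo(revRep.getInfo());
                    } else {
                        result.setErrorMsg(revRep.getErrorMsg());
                    }
                    return result;
                } catch (Exception e) {
                    logger.error("解析RevRepContent异常", e);
                    return Result.failure(ErrorEnum.RESOLVE_REV_REP_CONTENT_EXCEPTION);
                }
            default:
                logger.debug("Cert body tag is:" + bodyType);
                return Result.failure(ErrorEnum.RA_NOT_SUPPORT_THIS_CERT_BODY_TAG);
        }
    }

    /**
     * Decodes a key-recovery reply (krp).
     *
     * <p>On status 0 the new signing certificate, the first historic encryption certificate and
     * its encrypted private key (re-wrapped as SignedAndEnvelopedData, Base64) are returned in a
     * {@link UserCertRep}. On any other status the info is the literal text "恢复失败".
     *
     * @param pKIBody body with type {@code PKIBody.TYPE_KEY_RECOVERY_REP}
     * @return the decoded reply or a failure
     */
    private static Result resolveKeyRecRepContent(PKIBody pKIBody) {
        Result result = new Result();
        KeyRecRepContent content = KeyRecRepContent.getInstance(pKIBody.getContent());
        if (content == null || content.getStatus() == null) {
            logger.debug("No PKIStatusInfo in KeyRecRepContent received.");
            return Result.failure(ErrorEnum.NO_PKI_STATUS_INFO_FOR_RECEIVE);
        }
        PKIStatusInfo status = content.getStatus();
        if (status.getStatus().intValue() != 0) {
            logger.debug("RA返回的恢复失败,原因:{}", statusText(status));
            result.setInfo("恢复失败");
            return result;
        }
        logger.info("==========RA返回的恢复成功=========");
        logger.trace("==========提取签名证书=========");
        Result signCheck = checkCMPCert(content.getNewSigCert());
        if (!signCheck.isSuccess().booleanValue()) {
            result.setErrorMsg(signCheck.getErrorMsg());
            return result;
        }
        X509Certificate signCert = (X509Certificate) signCheck.getInfo();
        UserCertRep userCertRep = new UserCertRep();
        userCertRep.setSignCert(SdkCertUtils.certToFullB64(signCert));
        logger.trace("==========提取加密证书=========");
        CertifiedKeyPair[] keyPairHist = content.getKeyPairHist();
        if (keyPairHist == null || keyPairHist.length == 0 || keyPairHist[0] == null) {
            logger.info("No CertifiedKeyPair (keyPairHist) for certificate received.");
            return Result.failure(ErrorEnum.NO_CERTIFIED_KEY_PAIR_FOR_RECEIVED);
        }
        CertifiedKeyPair keyPair = keyPairHist[0];
        CertOrEncCert certOrEncCert = keyPair.getCertOrEncCert();
        if (certOrEncCert == null) {
            logger.info("No CertOrEncCert for certificate received.");
            return Result.failure(ErrorEnum.NO_CERT_OR_ENC_CERT_FOR_RECEIVED);
        }
        Result encCheck = checkCMPCert(certOrEncCert.getCertificate());
        if (!encCheck.isSuccess().booleanValue()) {
            result.setErrorMsg(encCheck.getErrorMsg());
            return result;
        }
        userCertRep.setEncCert(SdkCertUtils.certToFullB64((X509Certificate) encCheck.getInfo()));
        EncryptedValue encryptedPrivateKey = keyPair.getPrivateKey();
        if (encryptedPrivateKey == null) {
            logger.info("No encPprKey for certificate received.");
            return Result.failure(ErrorEnum.NO_CERTIFIED_KEY_PAIR_FOR_RECEIVED);
        }
        try {
            userCertRep.setEncPriKey(Base64.toBase64String(
                    buildSignedAndEnvelopedData(signCert, encryptedPrivateKey, SDKService.config.getUserCertSn()).getDEREncoded()));
        } catch (Exception e) {
            logger.error("Build SignedAndEnvelopedData From Encryptedvalue Exception.", e);
            // NOTE(review): no dedicated enum for this failure exists; the original reused this one.
            return Result.failure(ErrorEnum.NO_CERT_OR_ENC_CERT_FOR_RECEIVED);
        }
        result.setInfo(userCertRep);
        return result;
    }

    /**
     * Decodes a revocation reply (rp): info is "撤销成功" for status 0, "撤销失败" otherwise.
     *
     * @param pKIBody body with type {@code PKIBody.TYPE_REVOCATION_REP}
     * @return a success result whose info is one of the two strings, or
     *         {@code NO_PKI_STATUS_INFO_FOR_RECEIVE} when the body carries no status
     */
    public static Result resolveRevRepContent(PKIBody pKIBody) {
        Result result = new Result();
        RevRepContent content = RevRepContent.getInstance(pKIBody.getContent());
        PKIStatusInfo[] status = content == null ? null : content.getStatus();
        if (status == null || status.length == 0 || status[0] == null) {
            logger.debug("No PKIStatusInfo in RevRepContent received.");
            return Result.failure(ErrorEnum.NO_PKI_STATUS_INFO_FOR_RECEIVE);
        }
        if (status[0].getStatus().intValue() == 0) {
            logger.debug("==========RA返回的撤销成功=========");
            result.setInfo("撤销成功");
        } else {
            logger.debug("RA返回的撤销失败,原因:" + statusText(status[0]));
            result.setInfo("撤销失败");
        }
        return result;
    }

    /**
     * First statusString entry of a PKIStatusInfo, or "" when none is present.
     * Avoids the NPE the decoders would otherwise hit on a status without text.
     */
    private static String statusText(PKIStatusInfo status) {
        PKIFreeText text = status.getStatusString();
        if (text == null || text.size() == 0) {
            return "";
        }
        return text.getStringAt(0).toString();
    }

    /**
     * Converts a {@link CMPCertificate} into an {@link X509Certificate}.
     *
     * @param cMPCertificate certificate from a CMP body, may be null
     * @return success with the X509Certificate as info; failures for a null input, an empty
     *         encoding, an encoding error or a parse error
     */
    public static Result checkCMPCert(CMPCertificate cMPCertificate) {
        if (cMPCertificate == null) {
            logger.debug("No X509CertificateStructure for certificate received.");
            return Result.failure(ErrorEnum.NO_X509_CERT_FOR_RECEIVED);
        }
        byte[] encoded;
        try {
            encoded = cMPCertificate.getEncoded();
        } catch (IOException e) {
            logger.debug("CMPCertificate Encode Exception.", e);
            return Result.failure(ErrorEnum.CMP_CERT_ENCODE_EXCEPTION);
        }
        if (encoded == null || encoded.length == 0) {
            logger.debug("No encoded certificate received");
            return Result.failure(ErrorEnum.NO_ENCODE_CERT_FOR_RECEIVED);
        }
        try {
            return Result.success(SdkCertUtils.convertDerCertToCert(encoded));
        } catch (Exception e) {
            logger.error("Not possible to create certificate.", e);
            return Result.failure(ErrorEnum.NOT_POSSIBLE_TO_CREATE_CERT);
        }
    }

    /**
     * Decodes an ip/cp reply into a {@link UserCertRep}.
     *
     * <p>For each CertResponse: a non-zero status is mapped through {@link #mapFailInfoToResult};
     * otherwise the certificate is extracted and stored as the signing certificate when the
     * certReqId equals the request id recorded in {@link SdkCommonVariable#getHeaderMap()} for
     * {@code str}, or as the encryption certificate when the certReqId is -1. When the response
     * carries a privateKey, the rspInfo OCTET STRING is returned as the encrypted private key.
     *
     * @param pKIBody body with type ip or cp
     * @param str     transactionID used to look up the request's {@link BaseCMPInfo}
     * @return success with the {@link UserCertRep}, or the first failure encountered
     * @throws IOException if a CertResponse cannot be re-encoded
     */
    public static Result resolveCertRepMessage(PKIBody pKIBody, String str) throws IOException {
        Result result = new Result();
        CertRepMessage content = CertRepMessage.getInstance(pKIBody.getContent());
        if (content == null) {
            logger.debug("============== No CertRepMessage for certificate received.");
            return Result.failure(ErrorEnum.NO_CERT_REQ_MESSAGE_RECEIVED);
        }
        CertResponse[] responses = content.getResponse();
        if (responses == null) {
            logger.debug("============== No CertResponse for certificate received.");
            return Result.failure(ErrorEnum.NO_CERT_RESPONSE_MESSAGE_RECEIVED);
        }
        UserCertRep userCertRep = new UserCertRep();
        for (CertResponse certResponse : responses) {
            if (certResponse == null) {
                logger.debug("============== No CertResponse for certificate received.");
                return Result.failure(ErrorEnum.NO_CERT_RESPONSE_MESSAGE_RECEIVED);
            }
            PKIStatusInfo status = certResponse.getStatus();
            if (status == null) {
                logger.debug("No PKIStatusInfo for certificate received.");
                return Result.failure(ErrorEnum.NO_PKI_STATUS_INFO_FOR_RECEIVE);
            }
            int statusCode = status.getStatus().intValue();
            if (statusCode != 0) {
                String text = statusText(status);
                logger.error("Received Status is " + statusCode + " but should be 0 because " + text);
                if (status.getFailInfo() == null) {
                    logger.error("Rejected CertResponse carries no failInfo.");
                    return Result.failure(ErrorEnum.RESOLVE_CERT_REP_MESSAGE_EXCEPTION);
                }
                return mapFailInfoToResult(status.getFailInfo().intValue(), text);
            }
            CertifiedKeyPair certifiedKeyPair = certResponse.getCertifiedKeyPair();
            if (certifiedKeyPair == null) {
                logger.debug("No CertifiedKeyPair for certificate received.");
                return Result.failure(ErrorEnum.NO_CERTIFIED_KEY_PAIR_FOR_RECEIVED);
            }
            CertOrEncCert certOrEncCert = certifiedKeyPair.getCertOrEncCert();
            if (certOrEncCert == null) {
                logger.debug("No CertOrEncCert for certificate received.");
                return Result.failure(ErrorEnum.NO_CERT_OR_ENC_CERT_FOR_RECEIVED);
            }
            CMPCertificate certificate = certOrEncCert.getCertificate();
            BaseCMPInfo baseCMPInfo = (BaseCMPInfo) SdkCommonVariable.getHeaderMap().get(str);
            if (logger.isDebugEnabled()) {
                logger.debug("RASDK get baseCMPInfo:[{}]", JsonUtils.object2Json(baseCMPInfo));
            }
            if (baseCMPInfo == null) {
                logger.debug(" ============= No ra send transId.");
                return Result.failure(ErrorEnum.NO_RA_SEND_TRANS_ID);
            }
            long requestId = baseCMPInfo.getRequestId();
            long certReqId = certResponse.getCertReqId().getValue().longValue();
            boolean isSignCert;
            if (certReqId == requestId) {
                isSignCert = true;
            } else if (certReqId == -1) {
                // -1 is the convention for the encryption certificate, whose key the CA generated.
                isSignCert = false;
            } else {
                logger.debug("=============== Received CertReqId is " + certReqId + " but should be " + requestId);
                return Result.failure(ErrorEnum.RA_RECEIVED_CERT_REQ_ID_IS_ERROR);
            }
            Result certCheck = checkCMPCert(certificate);
            if (!certCheck.isSuccess().booleanValue()) {
                result.setErrorMsg(certCheck.getErrorMsg());
                return result;
            }
            String certB64 = SdkCertUtils.certToFullB64((X509Certificate) certCheck.getInfo());
            if (isSignCert) {
                userCertRep.setSignCert(certB64);
            } else {
                userCertRep.setEncCert(certB64);
            }
            if (certifiedKeyPair.getPrivateKey() != null) {
                // CertResponse ::= SEQUENCE { certReqId, status, certifiedKeyPair OPTIONAL, rspInfo OPTIONAL }.
                // certifiedKeyPair is present (checked above), so element 3 is rspInfo when it exists.
                ASN1Sequence rawResponse = ASN1Sequence.getInstance(certResponse.getEncoded());
                if (rawResponse.size() <= 3) {
                    logger.error("CertResponse carries a privateKey but no rspInfo element.");
                    return Result.failure(ErrorEnum.RESOLVE_CERT_REP_MESSAGE_EXCEPTION);
                }
                userCertRep.setEncPriKey(new String(ASN1OctetString.getInstance(rawResponse.getObjectAt(3)).getOctets(), StandardCharsets.UTF_8));
            }
        }
        return Result.success(userCertRep);
    }

    /**
     * Maps a rejected CertResponse's failInfo to a {@link Result}.
     *
     * <p>Order of precedence: codes whose first three digits equal
     * {@link SdkConstants#ERROR_CODE_300} → RA_OPEN_API_INNER_EXCEPTION; codes in
     * {@link #RA_SERVICE_INNER_ERROR_CODES} → RA_SERVICE_INNER_EXCEPTION; codes within
     * [{@value #CA_USER_CERT_INFO_ERROR_MIN}, {@value #CA_USER_CERT_INFO_ERROR_MAX}] →
     * CA_RETURN_USER_CERT_INFO_ERROR; anything else is passed through with its status text.
     *
     * @param failInfo   numeric failInfo from the RA
     * @param statusText first statusString entry, possibly ""
     * @return the failure result
     */
    private static Result mapFailInfoToResult(int failInfo, String statusText) {
        String code = String.valueOf(failInfo);
        // Length guard: substring(0, 3) threw on codes with fewer than three digits.
        if (code.length() >= 3 && SdkConstants.ERROR_CODE_300.equals(code.substring(0, 3))) {
            return Result.failure(ErrorEnum.RA_OPEN_API_INNER_EXCEPTION);
        }
        if (RA_SERVICE_INNER_ERROR_CODES.contains(failInfo)) {
            return Result.failure(ErrorEnum.RA_SERVICE_INNER_EXCEPTION);
        }
        if (failInfo >= CA_USER_CERT_INFO_ERROR_MIN && failInfo <= CA_USER_CERT_INFO_ERROR_MAX) {
            return Result.failure(ErrorEnum.CA_RETURN_USER_CERT_INFO_ERROR);
        }
        return Result.failure(Integer.valueOf(failInfo), statusText);
    }

    /**
     * Debug entry point exercising the failInfo classification with the sample code 100001;
     * prints 1111, 2222, 3333 or 4444 depending on which branch matches.
     */
    public static void main(String[] strArr) {
        int sample = 100001;
        String code = String.valueOf(sample);
        if (code.length() >= 3 && SdkConstants.ERROR_CODE_300.equals(code.substring(0, 3))) {
            System.out.println(1111);
        } else if (RA_SERVICE_INNER_ERROR_CODES.contains(sample)) {
            System.out.println(2222);
        } else if (sample < CA_USER_CERT_INFO_ERROR_MIN || sample > CA_USER_CERT_INFO_ERROR_MAX) {
            System.out.println(4444);
        } else {
            System.out.println(3333);
        }
    }

    /**
     * Builds a CRMF {@link CertRequest} with a v1 template, the given signing algorithm, the
     * subject public key derived from {@code bArr} and a keyUsage extension.
     *
     * @param bArr                 public key material: an encoded SubjectPublicKeyInfo when
     *                             {@code i == 2}; otherwise a Base64-able raw SM2 key, or a bare RSA
     *                             modulus (exponent F4). Null leaves the template without a key.
     * @param aSN1ObjectIdentifier signature algorithm OID (selects SM2 / NIST EC / RSA handling)
     * @param j                    certReqId
     * @param i                    certificate kind: 2 = signing, 3 = encryption (selects keyUsage)
     * @return the request, with controls left null
     * @throws Exception on key conversion failure, or an IOException when the extension cannot be built
     */
    public static CertRequest genCertRequest(byte[] bArr, ASN1ObjectIdentifier aSN1ObjectIdentifier, long j, int i) throws Exception {
        CertTemplateBuilder template = new CertTemplateBuilder();
        template.setVersion(1);
        template.setSigningAlg(new AlgorithmIdentifier(aSN1ObjectIdentifier));
        template.setPublicKey(buildSubjectPublicKeyInfo(bArr, aSN1ObjectIdentifier, i));
        int keyUsage = 0;
        if (i == 2) {
            keyUsage = SIGN_CERT_KEY_USAGE;
        } else if (i == 3) {
            keyUsage = ENC_CERT_KEY_USAGE;
        }
        ExtensionsGenerator extensions = new ExtensionsGenerator();
        try {
            extensions.addExtension(Extension.keyUsage, false, new X509KeyUsage(keyUsage));
            template.setExtensions(extensions.generate());
        } catch (IOException e) {
            logger.info("封装CertRequest的扩展信息异常", e);
            // Keep the cause instead of rethrowing a bare IOException.
            throw new IOException("封装CertRequest的扩展信息异常", e);
        }
        return new CertRequest(new ASN1Integer(j), template.build(), (Controls) null);
    }

    /**
     * Derives the SubjectPublicKeyInfo for {@link #genCertRequest}.
     *
     * <p>SM2: {@code certType == 2} expects an encoded SPKI, otherwise a raw key converted via
     * {@link SdkCertUtils#convertSM2PublicKey}. NIST EC: only {@code certType == 2} yields a key
     * (encoded SPKI, falling back to a P-256 raw-key conversion); other types leave it null —
     * presumably the CA generates that key, confirm. Any other OID is treated as RSA.
     *
     * @return the SPKI, or null when {@code rawKey} is null or the combination carries no key
     */
    private static SubjectPublicKeyInfo buildSubjectPublicKeyInfo(byte[] rawKey, ASN1ObjectIdentifier sigAlg, int certType) throws Exception {
        if (rawKey == null) {
            return null;
        }
        if (SM2ObjectIdentifiers.sm2SignWithSm3.equals(sigAlg)) {
            if (certType == 2) {
                return SubjectPublicKeyInfo.getInstance(rawKey);
            }
            return SubjectPublicKeyInfo.getInstance(SdkCertUtils.convertSM2PublicKey(Base64.toBase64String(rawKey)).getEncoded());
        }
        if (NISTObjectIdentifiers.nistSignAlgorithm.equals(sigAlg)) {
            if (certType != 2) {
                return null;
            }
            try {
                return SubjectPublicKeyInfo.getInstance(rawKey);
            } catch (Exception e) {
                // Not an encoded SPKI; treat the bytes as a raw P-256 public key instead.
                logger.debug("Public key is not an encoded SubjectPublicKeyInfo, converting as raw EC key", e);
                return SubjectPublicKeyInfo.getInstance(SdkCertUtils.convertECPublicKey(Base64.toBase64String(rawKey), NISTNamedCurves.getName(SECObjectIdentifiers.secp256r1)).getEncoded());
            }
        }
        if (certType == 2) {
            return SubjectPublicKeyInfo.getInstance(rawKey);
        }
        // RSA with a bare modulus: rebuild the key with the fixed public exponent F4.
        RSAPublicKeySpec spec = new RSAPublicKeySpec(BigIntegers.fromUnsignedByteArray(rawKey), RSA_PUBLIC_EXPONENT_F4);
        return SubjectPublicKeyInfo.getInstance(KeyFactory.getInstance("RSA", BC_PROVIDER).generatePublic(spec).getEncoded());
    }

    /**
     * Wraps each non-null {@link CertRequest} into a {@link CertReqMsg} without proof of possession.
     *
     * <p>Null entries of {@code certRequestArr} stay null in the resulting array; encoding such a
     * CertReqMessages will fail, so callers should not pass sparse arrays.
     *
     * @param certRequestArr requests, same order is preserved
     * @return the CertReqMessages wrapper
     */
    public static CertReqMessages genCertReqMessages(CertRequest[] certRequestArr) {
        CertReqMsg[] messages = new CertReqMsg[certRequestArr.length];
        for (int index = 0; index < certRequestArr.length; index++) {
            CertRequest request = certRequestArr[index];
            if (request != null) {
                messages[index] = new CertReqMsg(request, (ProofOfPossession) null, (AttributeTypeAndValue[]) null);
            }
        }
        return new CertReqMessages(messages);
    }

    /**
     * Assembles and signs a {@link PKIMessage}.
     *
     * <p>Header: pvno cmp1999, sender {@code str} and recipient "RA" as URI GeneralNames, the
     * current time, nonces, transactionID, protectionAlg and optional free text. The protection is
     * the signature over DER(header, body) computed with the utility matching
     * {@code aSN1ObjectIdentifier}; {@code x509Certificate} becomes the single extraCert.
     *
     * @param privateKey           signing key, must not be null
     * @param str                  sender name
     * @param i                    PKIBody type tag
     * @param bArr                 recipNonce
     * @param bArr2                senderNonce
     * @param str2                 transactionID
     * @param aSN1Encodable        body content
     * @param aSN1ObjectIdentifier protection algorithm OID
     * @param str3                 free text, skipped when null
     * @param x509Certificate      certificate placed in extraCerts
     * @return the signed message
     * @throws Exception when the key is null, encoding fails or the signature is blank
     */
    public static PKIMessage genPKIMessage(PrivateKey privateKey, String str, int i, byte[] bArr, byte[] bArr2, String str2, ASN1Encodable aSN1Encodable, ASN1ObjectIdentifier aSN1ObjectIdentifier, String str3, X509Certificate x509Certificate) throws Exception {
        if (privateKey == null) {
            throw new Exception("第三方签名私钥为空");
        }
        PKIBody body = new PKIBody(i, aSN1Encodable);
        PKIHeaderBuilder headerBuilder = new PKIHeaderBuilder(PKIHeader.CMP_1999,
                new GeneralName(GeneralName.uniformResourceIdentifier, str),
                new GeneralName(GeneralName.uniformResourceIdentifier, "RA"));
        headerBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
        headerBuilder.setSenderNonce(new DEROctetString(bArr2));
        headerBuilder.setRecipNonce(new DEROctetString(bArr));
        headerBuilder.setTransactionID(str2.getBytes(StandardCharsets.UTF_8));
        headerBuilder.setProtectionAlg(new AlgorithmIdentifier(aSN1ObjectIdentifier));
        if (str3 != null) {
            headerBuilder.setFreeText(new PKIFreeText(str3));
        }
        PKIHeader header = headerBuilder.build();
        // Computed once; the original re-encoded header and body for every signing branch.
        byte[] protectedBytes = getProtectedBytes(header, body);
        if (protectedBytes == null) {
            throw new Exception("DER encoding of PKIHeader and PKIBody failed");
        }
        logger.info("被签名计算的原始数据：" + Base64.toBase64String(protectedBytes));
        String signatureB64 = signProtectedBytes(privateKey, aSN1ObjectIdentifier, protectedBytes);
        if (StringUtils.isBlank(signatureB64)) {
            throw new Exception("使用BC签名失败");
        }
        logger.info("签名值：" + signatureB64);
        return new PKIMessage(header, body, new DERBitString(Base64.decode(signatureB64)), getCMPCert(x509Certificate));
    }

    /**
     * Signs the protected bytes with the utility matching the protection OID.
     *
     * <p>SM2-with-SM3, SHA256withRSA and SHA1withRSA have dedicated branches; every other OID is
     * signed as SHA256withECDSA (the path the NIST algorithm takes).
     *
     * @return the Base64 signature as produced by the respective utility
     */
    private static String signProtectedBytes(PrivateKey privateKey, ASN1ObjectIdentifier sigAlg, byte[] protectedBytes) throws Exception {
        String algId = sigAlg.getId();
        String protectedB64 = Base64.toBase64String(protectedBytes);
        if (algId.equalsIgnoreCase(SM2ObjectIdentifiers.sm2SignWithSm3.getId())) {
            return GMSSLSM2SignUtils.signByBC(privateKey, protectedB64);
        }
        if (algId.equalsIgnoreCase(RsaObjectIdentifiers.sha256WithRSA.getId())) {
            return GMSSLRSASignUtils.signByBC(GMSSLSignatureAlgorithm.SHA256_WITH_RSA.getSigAlgName(), privateKey, protectedB64);
        }
        if (algId.equalsIgnoreCase(RsaObjectIdentifiers.sha1WithRSA.getId())) {
            return GMSSLRSASignUtils.signByBC(GMSSLSignatureAlgorithm.SHA1_WITH_RSA.getSigAlgName(), privateKey, protectedB64);
        }
        return Base64.toBase64String(GMSSLBCSignUtils.generateSignature(GMSSLSignatureAlgorithm.SHA256_WITH_ECDSA.getSigAlgName(), privateKey, protectedBytes));
    }

    /**
     * DER encoding of {@code SEQUENCE { header, body }} — the input to the protection signature
     * (RFC 4210 section 5.1.3).
     *
     * @return the DER bytes, or null when encoding fails (logged)
     */
    public static byte[] getProtectedBytes(PKIHeader pKIHeader, PKIBody pKIBody) {
        ASN1EncodableVector elements = new ASN1EncodableVector();
        elements.add(pKIHeader);
        elements.add(pKIBody);
        try {
            return new DERSequence(elements).getEncoded("DER");
        } catch (Exception e) {
            logger.error(e.getLocalizedMessage(), e);
            return null;
        }
    }

    /**
     * Builds a CertConfirmContent with a single CertStatus.
     *
     * @param str certHash material; its UTF-8 bytes are used as the hash
     * @param j   certReqId
     * @return the confirmation body
     */
    public static CertConfirmContent genCertConfirmContent(String str, long j) {
        CertStatus certStatus = new CertStatus(str.getBytes(StandardCharsets.UTF_8), BigInteger.valueOf(j));
        ASN1EncodableVector elements = new ASN1EncodableVector();
        elements.add(certStatus);
        return CertConfirmContent.getInstance(new DERSequence(elements));
    }

    /**
     * Wraps a JCA certificate as a one-element CMPCertificate array for extraCerts.
     *
     * @throws CertificateEncodingException if the certificate cannot be encoded
     * @throws IOException                  if the encoding cannot be parsed back
     */
    private static CMPCertificate[] getCMPCert(Certificate certificate) throws CertificateEncodingException, IOException {
        try (ASN1InputStream in = new ASN1InputStream(certificate.getEncoded())) {
            org.bouncycastle.asn1.x509.Certificate asn1Cert = org.bouncycastle.asn1.x509.Certificate.getInstance(in.readObject());
            return new CMPCertificate[] {new CMPCertificate(asn1Cert)};
        }
    }

    /**
     * Builds an ErrorMsgContent from a status, a status text and an errorCode.
     *
     * @param pKIStatus status placed in the PKIStatusInfo (no failInfo)
     * @param str       status text
     * @param i         errorCode
     */
    public static ErrorMsgContent genErrorMsgContent(PKIStatus pKIStatus, String str, int i) {
        return new ErrorMsgContent(new PKIStatusInfo(pKIStatus), new ASN1Integer(i), new PKIFreeText(str));
    }

    /**
     * Returns {@value #NONCE_LENGTH} random bytes from {@link SecureRandom}.
     *
     * <p>Despite the name no HSM is involved, and {@code i} is ignored: the length is fixed to match
     * the nonce checks in {@link #checkCmpHeaderAndSign}. The declared {@link SdfSDKException} is
     * never thrown here.
     *
     * @param i ignored
     * @return a fresh 16-byte nonce
     */
    public static byte[] genRandomByHsm(int i) throws SdfSDKException {
        byte[] nonce = new byte[NONCE_LENGTH];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    /**
     * Parses a certificate given as DER, as PEM, as bare Base64 or as a hex string.
     *
     * <p>The bytes are first handed to the BC X.509 factory as DER. If that fails the input is
     * read as text, the PEM armour and line breaks are stripped, and the remainder is tried as
     * Base64 ({@link #getCertFromB64}) and then as hex ({@link #getCertFromStr16}).
     *
     * @param bArr certificate bytes in any of the supported forms
     * @return the certificate, or null when no form parses (or the input is null/empty)
     */
    public static X509Certificate convertDerCertToCert(byte[] bArr) {
        if (bArr == null || bArr.length == 0) {
            return null;
        }
        try (ByteArrayInputStream in = new ByteArrayInputStream(bArr)) {
            CertificateFactory factory = CertificateFactory.getInstance("X.509", BC_PROVIDER);
            X509Certificate certificate = (X509Certificate) factory.generateCertificate(in);
            if (certificate != null) {
                return certificate;
            }
        } catch (Exception e) {
            // Expected for PEM / Base64 / hex input; the textual fallbacks run below.
            logger.debug("证书转换异常", e);
        }
        String stripped = new String(bArr, StandardCharsets.UTF_8)
                .replace(CERT_HEAD, "")
                .replace(CERT_TAIL, "")
                .replace("\r", "")
                .replace("\n", "")
                .replace("\\r", "")
                .replace("\\n", "");
        X509Certificate certificate = getCertFromB64(stripped);
        if (certificate == null) {
            certificate = getCertFromStr16(stripped);
        }
        return certificate;
    }

    /**
     * Parses a Base64-encoded DER certificate.
     *
     * <p>{@code synchronized} is kept from the original; nothing in the method needs it, but
     * callers may depend on the class monitor being held.
     *
     * @param str Base64 text without PEM armour
     * @return the certificate, or null on any decoding/parsing error (logged)
     */
    public static synchronized X509Certificate getCertFromB64(String str) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509", BC_PROVIDER);
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(Base64.decode(str)));
        } catch (Exception e) {
            logger.error("getCertFromB64 error: {}", e.toString());
            return null;
        }
    }

    /**
     * Parses a hex-encoded DER certificate.
     *
     * @param str hex text; see {@link #hex2byte} for the accepted form
     * @return the certificate, or null on any decoding/parsing error (logged)
     */
    public static X509Certificate getCertFromStr16(String str) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509", BC_PROVIDER);
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(hex2byte(str)));
        } catch (Exception e) {
            logger.error("getCertFromStr16 error: {}", e.toString());
            return null;
        }
    }

    /**
     * Decodes a hex string (either case, surrounding whitespace ignored) into bytes.
     *
     * @param str hex text
     * @return the bytes, or null when {@code str} is null, empty after trimming, of odd length or
     *         contains a non-hex character
     */
    public static byte[] hex2byte(String str) {
        if (str == null) {
            return null;
        }
        String hex = str.trim();
        int length = hex.length();
        if (length == 0 || length % 2 == 1) {
            return null;
        }
        byte[] out = new byte[length / 2];
        for (int pos = 0; pos < length; pos += 2) {
            int high = Character.digit(hex.charAt(pos), 16);
            int low = Character.digit(hex.charAt(pos + 1), 16);
            if (high < 0 || low < 0) {
                return null;
            }
            out[pos / 2] = (byte) ((high << 4) | low);
        }
        return out;
    }

    /**
     * Re-wraps a CRMF {@link EncryptedValue} (an encrypted private key from the RA) as a
     * SignedAndEnvelopedData addressed to the user's certificate and signed with the SDK key.
     *
     * <p>The recipient and signer are both identified by the subject of {@code x509Certificate}
     * and the serial {@code str} (hex). The signed bytes are the concatenated DER encodings of
     * version, recipientInfos, digestAlgorithms and encryptedContentInfo.
     *
     * <p>NOTE(review): digestAlgorithms advertises SHA-1 for every RSA-signed certificate,
     * including SHA256WithRSA — kept from the original, confirm it is intended.
     *
     * @param x509Certificate user's signing certificate
     * @param encryptedValue  encrypted private key and its wrapped symmetric key
     * @param str             certificate serial number in hex
     * @throws Exception on encoding or signing failure
     */
    private static SignedAndEnvelopedData buildSignedAndEnvelopedData(X509Certificate x509Certificate, EncryptedValue encryptedValue, String str) throws Exception {
        String subjectDn = CertUtils.getSubjectByX509Cert(x509Certificate);
        BigInteger serial = new BigInteger(str, 16);
        String sigAlgName = x509Certificate.getSigAlgName();
        boolean rsaSigned = "SHA-1WithRSA".equalsIgnoreCase(sigAlgName)
                || "SHA1WithRSA".equalsIgnoreCase(sigAlgName)
                || "SHA256WithRSA".equalsIgnoreCase(sigAlgName);
        ASN1Integer version = new ASN1Integer(1L);
        DERSet digestAlgorithms = new DERSet(new AlgorithmIdentifier(rsaSigned ? DigestObjectIdentifiers.sha1 : DigestObjectIdentifiers.sm3));
        DERSet recipientInfos = new DERSet(new KeyTransRecipientInfo(
                new RecipientIdentifier(new IssuerAndSerialNumber(DnUtil.getRFC4519X500Name(subjectDn), serial)),
                encryptedValue.getKeyAlg(),
                new DEROctetString(encryptedValue.getEncSymmKey().getOctets())));
        EncryptedContentInfo encryptedContentInfo = new EncryptedContentInfo(SymmetryObjectIdentifiers.contentType, encryptedValue.getSymmAlg(), new DEROctetString(encryptedValue.getEncValue()));
        byte[] signedBytes = SdkCertUtils.byteMergerAll(new byte[][] {
                version.getEncoded(), recipientInfos.getEncoded(), digestAlgorithms.getEncoded(), encryptedContentInfo.getEncoded()});
        return new SignedAndEnvelopedData(version, recipientInfos, digestAlgorithms, encryptedContentInfo, null, null,
                makeSignerInfos(subjectDn, serial, signedBytes));
    }

    /**
     * Signs {@code bArr} with the SDK's configured private key and returns a one-element
     * signerInfos SET.
     *
     * <p>An {@link RSAPrivateKey} yields SHA1withRSA (digest sha1, encryption rsaEncryption);
     * any other key type is signed as SM3withSM2 (digest sm3, encryption sm2256_sign). Both use
     * the provider registered under the name "BC".
     *
     * @param str        signer subject DN
     * @param bigInteger signer certificate serial
     * @param bArr       bytes to sign
     * @throws Exception on signing failure
     */
    public static ASN1Set makeSignerInfos(String str, BigInteger bigInteger, byte[] bArr) throws Exception {
        PrivateKey privateKey = SDKService.config.getPrivateKey();
        SignerIdentifier signerIdentifier = new SignerIdentifier(new IssuerAndSerialNumber(DnUtil.getRFC4519X500Name(str), bigInteger));
        AlgorithmIdentifier digestAlgorithm;
        AlgorithmIdentifier encryptionAlgorithm;
        String jcaSignatureName;
        if (privateKey instanceof RSAPrivateKey) {
            digestAlgorithm = new AlgorithmIdentifier(DigestObjectIdentifiers.sha1);
            encryptionAlgorithm = new AlgorithmIdentifier(RsaObjectIdentifiers.rsaEncryption);
            jcaSignatureName = "SHA1WithRSAEncryption";
        } else {
            digestAlgorithm = new AlgorithmIdentifier(DigestObjectIdentifiers.sm3);
            encryptionAlgorithm = new AlgorithmIdentifier(SM2ObjectIdentifiers.sm2256_sign);
            jcaSignatureName = "SM3withSM2";
        }
        Signature signature = Signature.getInstance(jcaSignatureName, "BC");
        signature.initSign(privateKey);
        signature.update(bArr);
        DEROctetString signatureValue = new DEROctetString(signature.sign());
        return new DERSet(new SignerInfo(signerIdentifier, digestAlgorithm, (ASN1Set) null, encryptionAlgorithm, signatureValue, (ASN1Set) null));
    }
}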
