package com.xforceplus.taxware.architecture.g1.ofd;

import com.xforceplus.taxware.architecture.g1.endecode.model.ZipFile;
import com.xforceplus.taxware.architecture.g1.ofd.config.OfdVerifyConfig;
import com.xforceplus.taxware.architecture.g1.ofd.exception.VerifyTerminateException;
import com.xforceplus.taxware.architecture.g1.ofd.model.basicStructure.ofd.OFD;
import com.xforceplus.taxware.architecture.g1.ofd.model.basicType.ST_Loc;
import com.xforceplus.taxware.architecture.g1.ofd.model.ses.v4.SES_Signature;
import com.xforceplus.taxware.architecture.g1.ofd.model.ses.v4.SESeal;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.Signature;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.Signatures;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.range.Reference;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.range.References;
import java.io.ByteArrayInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.function.Function;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.jcajce.provider.digest.SM3;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;

/* loaded from: input_file:com/xforceplus/taxware/architecture/g1/ofd/OFDVerifyUtil.class */
public class OFDVerifyUtil {
    public static void doInvoiceOfdVerify(InputStream inputStream, String str, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        if ((null == str || "".equals(str)) && ofdVerifyConfig.isVerifyRootCa()) {
            throw new VerifyTerminateException("验签失败,CA证书Base64信息不能为空");
        }
        doInvoiceOfdVerify(inputStream, new ByteArrayInputStream(Base64.getDecoder().decode(str)), ofdVerifyConfig);
    }

    public static void doInvoiceOfdVerify(InputStream inputStream, InputStream inputStream2, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        if (null == inputStream || (null == inputStream2 && ofdVerifyConfig.isVerifyRootCa())) {
            throw new VerifyTerminateException("验签失败,文件流不能为空");
        }
        ZipFile zipFile = new ZipFile(inputStream);
        ST_Loc signatures = ((OFD) getXmlObj("OFD.xml", zipFile, OFD::new)).getDocBody().getSignatures();
        if (signatures == null) {
            throw new VerifyTerminateException("文件不存在签名信息");
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
            X509Certificate x509Certificate = null;
            if (ofdVerifyConfig.isVerifyRootCa()) {
                x509Certificate = (X509Certificate) certificateFactory.generateCertificate(inputStream2);
            }
            Iterator<Signature> it = ((Signatures) getXmlObj(signatures.getLoc(), zipFile, Signatures::new)).getSignatures().iterator();
            while (it.hasNext()) {
                com.xforceplus.taxware.architecture.g1.ofd.model.signatures.sig.Signature signature = (com.xforceplus.taxware.architecture.g1.ofd.model.signatures.sig.Signature) getXmlObj(it.next().getBaseLoc().getLoc(), zipFile, com.xforceplus.taxware.architecture.g1.ofd.model.signatures.sig.Signature::new);
                verifyReferences(signature.getSignedInfo().getReferences(), zipFile);
                verifySignedValueFile(zipFile.getBytes(formatPath(signature.getSignedValue().getLoc())), zipFile, x509Certificate);
            }
        } catch (FileNotFoundException | DocumentException e) {
            throw new Exception("错误OFD结构和文件格式", e);
        }
    }

    private static void verifySignedValueFile(byte[] bArr, ZipFile zipFile, Certificate certificate) throws Exception {
        SES_Signature sES_Signature = SES_Signature.getInstance(bArr);
        verifySESealSignature(sES_Signature, zipFile, certificate);
        verifySESeal(sES_Signature.getToSign().getEseal(), certificate);
    }

    private static void verifySESealSignature(SES_Signature sES_Signature, ZipFile zipFile, Certificate certificate) throws Exception {
        X509Certificate x509Certificate = (X509Certificate) new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory().engineGenerateCertificate(sES_Signature.getCert().getOctetStream());
        if (!verifySignatureData(sES_Signature.getSignatureAlgID().toString(), x509Certificate, sES_Signature.getToSign().getEncoded("DER"), sES_Signature.getSignature().getBytes())) {
            throw new VerifyTerminateException("签章数据验签失败");
        }
        verifyCertificate(x509Certificate, certificate);
        long time = sES_Signature.getToSign().getTimeInfo().getDate().getTime();
        long time2 = x509Certificate.getNotBefore().getTime();
        long time3 = x509Certificate.getNotAfter().getTime();
        if (time < time2 || time > time3) {
            throw new VerifyTerminateException("签章时间不在证书有效期");
        }
        if (!Arrays.equals(new SM3.Digest().digest(zipFile.getBytes(formatPath(sES_Signature.getToSign().getPropertyInfo().getString()))), sES_Signature.getToSign().getDataHash().getBytes())) {
            throw new VerifyTerminateException("签章数据属性信息验签失败");
        }
    }

    private static void verifySESeal(SESeal sESeal, Certificate certificate) throws Exception {
        if (!"ES".equals(sESeal.geteSealInfo().getHeader().getId().getString())) {
            throw new VerifyTerminateException("电子印章数据标识无效");
        }
        if (4 != sESeal.geteSealInfo().getHeader().getVersion().getValue().intValue()) {
            System.out.println("\n********************** 电子印章数据版本号不是4,验签逻辑可能不兼容 *************************\n");
        }
        X509Certificate x509Certificate = (X509Certificate) new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory().engineGenerateCertificate(sESeal.getCert().getOctetStream());
        if (!verifySignatureData(sESeal.getSignAlgID().toString(), x509Certificate, sESeal.geteSealInfo().getEncoded("DER"), sESeal.getSignedValue().getBytes())) {
            throw new VerifyTerminateException("电子印章签名验签失败");
        }
        verifyCertificate(x509Certificate, certificate);
        long time = sESeal.geteSealInfo().getProperty().getValidStart().getDate().getTime();
        long time2 = sESeal.geteSealInfo().getProperty().getValidEnd().getDate().getTime();
        long time3 = sESeal.geteSealInfo().getProperty().getCreateDate().getDate().getTime();
        if (time3 < time || time3 > time2) {
            throw new VerifyTerminateException("电子印章制章时间不在电子印章有效期");
        }
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis < time || currentTimeMillis > time2) {
            throw new VerifyTerminateException("电子印章不在有效期");
        }
    }

    private static void verifyCertificate(X509Certificate x509Certificate, Certificate certificate) throws Exception {
        x509Certificate.checkValidity();
        if (certificate != null) {
            x509Certificate.verify(certificate.getPublicKey());
        }
    }

    private static boolean verifySignatureData(String str, Certificate certificate, byte[] bArr, byte[] bArr2) throws Exception {
        if (!GMObjectIdentifiers.sm2sign_with_sm3.toString().equals(str)) {
            throw new VerifyTerminateException("签名算法标识不匹配");
        }
        java.security.Signature signature = java.security.Signature.getInstance("SM3WithSM2", (Provider) new BouncyCastleProvider());
        signature.initVerify(certificate);
        signature.update(bArr);
        return signature.verify(bArr2);
    }

    private static void verifyReferences(References references, ZipFile zipFile) throws Exception {
        for (Reference reference : references.getReferences()) {
            String loc = reference.getFileRef().getLoc();
            if (!Arrays.equals(new SM3.Digest().digest(zipFile.getBytes(formatPath(loc))), reference.getCheckValue())) {
                throw new VerifyTerminateException("验签失败,文件内容被篡改,节点:" + loc);
            }
        }
    }

    private static <R> R getXmlObj(String str, ZipFile zipFile, Function<Element, R> function) throws Exception {
        return function.apply(new SAXReader().read(zipFile.getInputStream(formatPath(str))).getRootElement());
    }

    private static String formatPath(String str) {
        return str.startsWith("/") ? str.substring(1) : str;
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
    }
}
