package com.xforceplus.taxware.architecture.g1.ofd;

import com.xforceplus.taxware.architecture.g1.endecode.model.ZipFile;
import com.xforceplus.taxware.architecture.g1.ofd.config.OfdVerifyConfig;
import com.xforceplus.taxware.architecture.g1.ofd.exception.VerifyTerminateException;
import com.xforceplus.taxware.architecture.g1.ofd.model.RevocationInfo;
import com.xforceplus.taxware.architecture.g1.ofd.model.basicStructure.ofd.OFD;
import com.xforceplus.taxware.architecture.g1.ofd.model.basicType.ST_Loc;
import com.xforceplus.taxware.architecture.g1.ofd.model.ses.v4.SES_ESPropertyInfo;
import com.xforceplus.taxware.architecture.g1.ofd.model.ses.v4.SES_Signature;
import com.xforceplus.taxware.architecture.g1.ofd.model.ses.v4.SESeal;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.Signature;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.Signatures;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.range.Reference;
import com.xforceplus.taxware.architecture.g1.ofd.model.signatures.range.References;
import java.io.ByteArrayInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Iterator;
import java.util.function.Function;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.gm.GMObjectIdentifiers;
import org.bouncycastle.jcajce.provider.digest.SM3;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;

/* loaded from: input_file:com/xforceplus/taxware/architecture/g1/ofd/OFDVerifyUtil.class */
public class OFDVerifyUtil {
    public static void doInvoiceOfdVerify(InputStream inputStream, String str, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        if ((null == str || "".equals(str)) && ofdVerifyConfig.isVerifyRootCa()) {
            throw new VerifyTerminateException("CA证书Base64信息不能为空");
        }
        doInvoiceOfdVerify(inputStream, new ByteArrayInputStream(Base64.getDecoder().decode(str)), ofdVerifyConfig);
    }

    public static void doInvoiceOfdVerify(InputStream inputStream, InputStream inputStream2, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        if (null == inputStream || (null == inputStream2 && ofdVerifyConfig.isVerifyRootCa())) {
            throw new VerifyTerminateException("文件流不能为空");
        }
        ZipFile zipFile = new ZipFile(inputStream);
        ST_Loc signatures = ((OFD) getXmlObj("OFD.xml", zipFile, OFD::new)).getDocBody().getSignatures();
        if (signatures == null) {
            throw new VerifyTerminateException("文件不存在签名信息");
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
            X509Certificate x509Certificate = null;
            if (ofdVerifyConfig.isVerifyRootCa()) {
                x509Certificate = (X509Certificate) certificateFactory.generateCertificate(inputStream2);
            }
            Iterator<Signature> it = ((Signatures) getXmlObj(signatures.getLoc(), zipFile, Signatures::new)).getSignatures().iterator();
            while (it.hasNext()) {
                com.xforceplus.taxware.architecture.g1.ofd.model.signatures.sig.Signature signature = (com.xforceplus.taxware.architecture.g1.ofd.model.signatures.sig.Signature) getXmlObj(it.next().getBaseLoc().getLoc(), zipFile, com.xforceplus.taxware.architecture.g1.ofd.model.signatures.sig.Signature::new);
                verifyReferences(signature.getSignedInfo().getReferences(), zipFile);
                verifySESealSignature(SES_Signature.getInstance(zipFile.getBytes(formatPath(signature.getSignedValue().getLoc()))), zipFile, x509Certificate, ofdVerifyConfig);
            }
        } catch (FileNotFoundException | DocumentException e) {
            throw new Exception("错误OFD结构和文件格式", e);
        }
    }

    private static void verifySESealSignature(SES_Signature sES_Signature, ZipFile zipFile, X509Certificate x509Certificate, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        X509Certificate x509Certificate2 = (X509Certificate) new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory().engineGenerateCertificate(sES_Signature.getCert().getOctetStream());
        if (!verifySignatureData(sES_Signature.getSignatureAlgID().toString(), x509Certificate2, sES_Signature.getToSign().getEncoded("DER"), sES_Signature.getSignature().getBytes())) {
            throw new VerifyTerminateException("签章数据验签失败");
        }
        SES_ESPropertyInfo property = sES_Signature.getToSign().getEseal().geteSealInfo().getProperty();
        boolean z = false;
        if (property.getCertListType().getValue().intValue() == 1) {
            Iterator<ASN1OctetString> it = property.getCertList().getCerts().iterator();
            while (it.hasNext()) {
                if (Arrays.equals(sES_Signature.getCert().getOctets(), it.next().getOctets())) {
                    z = true;
                }
            }
        } else if (property.getCertListType().getValue().intValue() == 2) {
            byte[] digest = new SM3.Digest().digest(sES_Signature.getCert().getOctets());
            Iterator<ASN1OctetString> it2 = property.getCertList().getCerts().iterator();
            while (it2.hasNext()) {
                if (Arrays.equals(digest, it2.next().getOctets())) {
                    z = true;
                }
            }
        }
        if (!z) {
            throw new VerifyTerminateException("签章者证书不在电子印章证书列表");
        }
        verifySESeal(sES_Signature, x509Certificate, ofdVerifyConfig);
        RevocationInfo doVerifyAndReturnRevocationInfo = CertVerifyUtil.doVerifyAndReturnRevocationInfo(x509Certificate2, x509Certificate, ofdVerifyConfig);
        long time = sES_Signature.getToSign().getTimeInfo().getDate().getTime();
        if (doVerifyAndReturnRevocationInfo != null && time > doVerifyAndReturnRevocationInfo.getRevocationDate().getTime()) {
            throw new VerifyTerminateException("签章者证书在签章时间处于失效状态,失效原因:" + doVerifyAndReturnRevocationInfo.getRevocationReson());
        }
        long time2 = x509Certificate2.getNotBefore().getTime();
        long time3 = x509Certificate2.getNotAfter().getTime();
        if (time < time2 || time > time3) {
            throw new VerifyTerminateException("签章时间不在证书有效期");
        }
        if (!Arrays.equals(new SM3.Digest().digest(zipFile.getBytes(formatPath(sES_Signature.getToSign().getPropertyInfo().getString()))), sES_Signature.getToSign().getDataHash().getBytes())) {
            throw new VerifyTerminateException("签章数据属性信息验签失败");
        }
        if (sES_Signature.getTimeStamp() == null) {
        }
    }

    private static void verifySESeal(SES_Signature sES_Signature, X509Certificate x509Certificate, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        SESeal eseal = sES_Signature.getToSign().getEseal();
        if (!"ES".equals(eseal.geteSealInfo().getHeader().getId().getString())) {
            throw new VerifyTerminateException("电子印章数据标识无效");
        }
        if (4 != eseal.geteSealInfo().getHeader().getVersion().getValue().intValue()) {
            System.out.println("\n********************** 电子印章数据版本号不是4,验签逻辑可能不兼容 *************************\n");
        }
        X509Certificate x509Certificate2 = (X509Certificate) new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory().engineGenerateCertificate(eseal.getCert().getOctetStream());
        if (!verifySignatureData(eseal.getSignAlgID().toString(), x509Certificate2, eseal.geteSealInfo().getEncoded("DER"), eseal.getSignedValue().getBytes())) {
            throw new VerifyTerminateException("电子印章签名验签失败");
        }
        RevocationInfo doVerifyAndReturnRevocationInfo = CertVerifyUtil.doVerifyAndReturnRevocationInfo(x509Certificate2, x509Certificate, ofdVerifyConfig);
        long time = sES_Signature.getToSign().getTimeInfo().getDate().getTime();
        if (doVerifyAndReturnRevocationInfo != null && time > doVerifyAndReturnRevocationInfo.getRevocationDate().getTime()) {
            throw new VerifyTerminateException("制章者证书在签章时间处于失效状态,失效原因:" + doVerifyAndReturnRevocationInfo.getRevocationReson());
        }
        if (time > x509Certificate2.getNotAfter().getTime()) {
            throw new VerifyTerminateException("制章者证书在签章时间已过期");
        }
        long time2 = eseal.geteSealInfo().getProperty().getValidStart().getDate().getTime();
        long time3 = eseal.geteSealInfo().getProperty().getValidEnd().getDate().getTime();
        long time4 = eseal.geteSealInfo().getProperty().getCreateDate().getDate().getTime();
        if (time4 < time2 || time4 > time3) {
            throw new VerifyTerminateException("电子印章制章时间不在电子印章有效期");
        }
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis < time2 || currentTimeMillis > time3) {
            throw new VerifyTerminateException("电子印章不在有效期");
        }
    }

    private static boolean verifySignatureData(String str, Certificate certificate, byte[] bArr, byte[] bArr2) throws Exception {
        if (!GMObjectIdentifiers.sm2sign_with_sm3.toString().equals(str)) {
            throw new VerifyTerminateException("签名算法标识不匹配");
        }
        byte[] correctTaxSignatureBytes = correctTaxSignatureBytes(bArr2);
        java.security.Signature signature = java.security.Signature.getInstance("SM3WithSM2", (Provider) new BouncyCastleProvider());
        signature.initVerify(certificate);
        signature.update(bArr);
        return signature.verify(correctTaxSignatureBytes);
    }

    private static byte[] correctTaxSignatureBytes(byte[] bArr) {
        if (bArr == null) {
            return bArr;
        }
        try {
            if (bArr.length < 2) {
                return bArr;
            }
            byte b = bArr[0];
            if (((b & 32) != 0) && bArr[1] == bArr.length - 2) {
                boolean z = false;
                byte[] bArr2 = new byte[bArr[3] + 2];
                System.arraycopy(bArr, 2, bArr2, 0, bArr[3] + 2);
                byte[] correctBigIntgerBytes = correctBigIntgerBytes(bArr2);
                if (correctBigIntgerBytes.length != bArr[3] + 2) {
                    z = true;
                }
                int i = 4 + bArr[3];
                byte[] bArr3 = new byte[bArr[i + 1] + 2];
                System.arraycopy(bArr, i, bArr3, 0, bArr[i + 1] + 2);
                byte[] correctBigIntgerBytes2 = correctBigIntgerBytes(bArr3);
                if (correctBigIntgerBytes2.length != bArr[i + 1] + 2) {
                    z = true;
                }
                if (!z) {
                    return bArr;
                }
                byte[] bArr4 = new byte[correctBigIntgerBytes.length + correctBigIntgerBytes2.length + 2];
                bArr4[0] = b;
                bArr4[1] = (byte) (bArr4.length - 2);
                System.arraycopy(correctBigIntgerBytes, 0, bArr4, 2, correctBigIntgerBytes.length);
                System.arraycopy(correctBigIntgerBytes2, 0, bArr4, correctBigIntgerBytes.length + 2, correctBigIntgerBytes2.length);
                return bArr4;
            }
            return bArr;
        } catch (Exception e) {
            e.printStackTrace();
            return bArr;
        }
    }

    private static byte[] correctBigIntgerBytes(byte[] bArr) {
        if (bArr[0] != 2 || bArr[1] > bArr.length - 2) {
            return bArr;
        }
        if (bArr[2] != (bArr[3] >> 7)) {
            return bArr;
        }
        byte[] bArr2 = new byte[bArr.length - 1];
        System.arraycopy(bArr, 0, bArr2, 0, 2);
        System.arraycopy(bArr, 3, bArr2, 2, bArr2[1] - 1);
        bArr2[1] = (byte) (bArr2[1] - 1);
        return bArr2;
    }

    private static void verifyReferences(References references, ZipFile zipFile) throws Exception {
        for (Reference reference : references.getReferences()) {
            String loc = reference.getFileRef().getLoc();
            if (!Arrays.equals(new SM3.Digest().digest(zipFile.getBytes(formatPath(loc))), reference.getCheckValue())) {
                throw new VerifyTerminateException("文件内容被篡改,节点:" + loc);
            }
        }
    }

    private static <R> R getXmlObj(String str, ZipFile zipFile, Function<Element, R> function) throws Exception {
        return function.apply(new SAXReader().read(zipFile.getInputStream(formatPath(str))).getRootElement());
    }

    private static String formatPath(String str) {
        return str.startsWith("/") ? str.substring(1) : str;
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
    }
}
