package com.xforceplus.taxware.architecture.g1.ofd;

import com.xforceplus.taxware.architecture.g1.ofd.config.OfdVerifyConfig;
import com.xforceplus.taxware.architecture.g1.ofd.exception.ErrorMsg;
import com.xforceplus.taxware.architecture.g1.ofd.exception.OfdVerifyTerminateException;
import com.xforceplus.taxware.architecture.g1.ofd.exception.VerifyTerminateException;
import com.xforceplus.taxware.architecture.g1.ofd.model.RevocationInfo;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CRLReason;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Hashtable;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import okhttp3.HttpUrl;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DLSequence;

/* loaded from: input_file:com/xforceplus/taxware/architecture/g1/ofd/CertVerifyUtil.class */
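/**
 * Certificate checks used when verifying OFD (invoice) signatures: validity window, signature by the
 * supplied issuer, key-usage bits and, when {@link OfdVerifyConfig#isVerifyCertRevokeStatus()} is set,
 * a CRL lookup driven by the certificate's CRLDistributionPoints extension.
 *
 * <p>Trust model, as implemented here:
 * <ul>
 *   <li>The issuer certificate ({@code x509Certificate2}) is optional. When it is {@code null} the
 *       end-entity certificate is not chained to anything, and the CRL fetched for it cannot be
 *       authenticated either - both checks degrade to "best effort".</li>
 *   <li>The CRL is downloaded from a URL that comes out of the certificate under test, i.e. from
 *       untrusted input. It is therefore checked for issuer match and, when an issuer is available,
 *       for a valid signature before its contents are consulted.</li>
 *   <li>Revocation checking is soft-fail: if no distribution point is present or none can be fetched
 *       or parsed, the certificate is treated as not revoked. Only a CRL that was fetched but is not
 *       applicable/authentic terminates verification.</li>
 * </ul>
 */
public class CertVerifyUtil {

    /** OID of the CRLDistributionPoints extension (RFC 5280 section 4.2.1.13). */
    private static final String OID_CRL_DISTRIBUTION_POINTS = "2.5.29.31";

    /**
     * Upper bound on how many nested SEQUENCE/tagged layers are opened when looking for the URI inside a
     * DistributionPoint. A well-formed URI entry needs about four; the bound exists so a malformed
     * extension cannot make the walk loop forever.
     */
    private static final int MAX_DISTRIBUTION_POINT_DEPTH = 8;

    /** Bit positions in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KU_DIGITAL_SIGNATURE = 0;
    private static final int KU_NON_REPUDIATION = 1;
    private static final int KU_KEY_ENCIPHERMENT = 2;

    /** Shared HTTP client: OkHttp clients are thread-safe and meant to be reused, not built per call. */
    private static final OkHttpClient HTTP_CLIENT = new OkHttpClient().newBuilder()
            .connectTimeout(10L, TimeUnit.SECONDS)
            .readTimeout(10L, TimeUnit.SECONDS)
            .writeTimeout(10L, TimeUnit.SECONDS)
            .build();

    /**
     * Strict verification: every failed check terminates with an {@link OfdVerifyTerminateException}
     * (or the underlying JCA exception for validity/signature problems).
     *
     * @param x509Certificate  the signer certificate under test
     * @param x509Certificate2 the certificate that issued {@code x509Certificate}, or {@code null} to
     *                         skip the chain check (and, consequently, CRL signature verification)
     * @param ofdVerifyConfig  switches; only {@code isVerifyCertRevokeStatus()} is read here
     * @throws Exception if the certificate is outside its validity window, is not signed by the issuer,
     *                   lacks a required key-usage bit, is revoked, or its revocation status could not
     *                   be established from a CRL that was fetched
     */
    public static void doVerify(X509Certificate x509Certificate, X509Certificate x509Certificate2, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        x509Certificate.checkValidity();
        // With a null issuer the certificate is accepted on its own; see the class comment.
        if (x509Certificate2 != null) {
            x509Certificate.verify(x509Certificate2.getPublicKey());
        }
        verifyKeyUsage(x509Certificate);
        if (ofdVerifyConfig.isVerifyCertRevokeStatus()) {
            RevocationInfo revocationInfo = getRevocationInfo(x509Certificate, x509Certificate2);
            if (revocationInfo != null) {
                throw new OfdVerifyTerminateException(ErrorMsg.CERT_REVOCATION.getCode(),
                        ErrorMsg.CERT_REVOCATION.getMessage() + ",时间:" + revocationInfo.getRevocationDate().toString()
                                + ",原因:" + revocationInfo.getRevocationReson());
            }
        }
    }

    /**
     * Reporting variant of {@link #doVerify}: an expired certificate is only logged, and a revoked
     * certificate is returned as a {@link RevocationInfo} instead of thrown.
     *
     * <p>Note that only {@link CertificateExpiredException} is tolerated; a not-yet-valid certificate
     * still propagates. Whether that asymmetry is intended is not visible from this class.
     *
     * @return the CRL entry for the certificate, or {@code null} when it is not listed (or revocation
     *         checking is disabled / no CRL could be obtained - see the class comment on soft-fail)
     * @throws OfdVerifyTerminateException with {@code ROOT_CERT_NOT_MATCH} when the issuer's key does not
     *         verify the certificate, {@code INVALID_KEY_USAGE} for missing key-usage bits, or
     *         {@code ERROR_STATUS_REVOCATION} when a fetched CRL is unusable
     */
    public static RevocationInfo doVerifyAndReturnRevocationInfo(X509Certificate x509Certificate, X509Certificate x509Certificate2, OfdVerifyConfig ofdVerifyConfig) throws Exception {
        try {
            x509Certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            System.out.println("[" + x509Certificate.getSubjectX500Principal().getName() + "]证书过期");
        }
        if (x509Certificate2 != null) {
            try {
                x509Certificate.verify(x509Certificate2.getPublicKey());
            } catch (SignatureException | InvalidKeyException e2) {
                // A key of the wrong type/size is as much "not my issuer" as a bad signature; previously
                // InvalidKeyException escaped as a raw exception.
                throw new OfdVerifyTerminateException(ErrorMsg.ROOT_CERT_NOT_MATCH);
            }
        }
        verifyKeyUsage(x509Certificate);
        if (ofdVerifyConfig.isVerifyCertRevokeStatus()) {
            return getRevocationInfo(x509Certificate, x509Certificate2);
        }
        return null;
    }

    /**
     * Revocation check without issuer information. The CRL's signature cannot be verified on this
     * path; prefer {@link #isRevoked(X509Certificate, X509Certificate)}.
     */
    static boolean isRevoked(X509Certificate x509Certificate) throws Exception {
        return isRevoked(x509Certificate, null);
    }

    /**
     * Looks the certificate up in its CRL.
     *
     * @param issuer the certificate's issuer, used to authenticate the CRL; {@code null} disables that check
     * @return {@code true} if listed; {@code false} if not listed <em>or</em> if no CRL could be obtained
     * @throws OfdVerifyTerminateException ({@code ERROR_STATUS_REVOCATION}) if a CRL was fetched but is not
     *         applicable, not authentic, or failed to parse
     */
    static boolean isRevoked(X509Certificate x509Certificate, X509Certificate issuer) throws Exception {
        try {
            X509CRL crl = getCrlObj(x509Certificate, issuer);
            if (crl == null) {
                return false;
            }
            boolean revoked = crl.isRevoked(x509Certificate);
            if (revoked) {
                System.out.println("证书被吊销");
            }
            return revoked;
        } catch (Exception e) {
            e.printStackTrace();
            throw new OfdVerifyTerminateException(ErrorMsg.ERROR_STATUS_REVOCATION.getCode(), ErrorMsg.ERROR_STATUS_REVOCATION.getMessage() + ":" + e.getMessage());
        }
    }

    /**
     * Revocation details without issuer information. The CRL's signature cannot be verified on this
     * path; prefer {@link #getRevocationInfo(X509Certificate, X509Certificate)}.
     */
    static RevocationInfo getRevocationInfo(X509Certificate x509Certificate) throws Exception {
        return getRevocationInfo(x509Certificate, null);
    }

    /**
     * Fetches the certificate's CRL and returns its entry for the certificate.
     *
     * @param issuer the certificate's issuer, used to authenticate the CRL; {@code null} disables that check
     * @return revocation date and reason, or {@code null} when the certificate is not listed or no CRL
     *         could be obtained
     * @throws OfdVerifyTerminateException ({@code ERROR_STATUS_REVOCATION}) if a CRL was fetched but is not
     *         applicable, not authentic, or failed to parse
     */
    static RevocationInfo getRevocationInfo(X509Certificate x509Certificate, X509Certificate issuer) throws Exception {
        try {
            X509CRL crl = getCrlObj(x509Certificate, issuer);
            if (crl == null) {
                System.out.println("未能解析到CRL对象信息");
                return null;
            }
            X509CRLEntry entry = crl.getRevokedCertificate(x509Certificate.getSerialNumber());
            if (entry == null) {
                return null;
            }
            RevocationInfo revocationInfo = new RevocationInfo();
            revocationInfo.setRevocationDate(entry.getRevocationDate());
            // reasonCode is an optional CRL entry extension. A revoked entry without it used to NPE here
            // and was reported as a CRL error instead of as a revocation.
            CRLReason reason = entry.getRevocationReason();
            revocationInfo.setRevocationReson(reason == null ? CRLReason.UNSPECIFIED.name() : reason.name());
            return revocationInfo;
        } catch (Exception e) {
            e.printStackTrace();
            throw new OfdVerifyTerminateException(ErrorMsg.ERROR_STATUS_REVOCATION.getCode(), ErrorMsg.ERROR_STATUS_REVOCATION.getMessage() + ":" + e.getMessage());
        }
    }

    /**
     * Requires the digitalSignature, nonRepudiation and keyEncipherment bits.
     *
     * <p>NOTE(review): demanding keyEncipherment on a certificate that is only used to verify signatures
     * is a project policy, not an RFC 5280 requirement - confirm with the CA profiles before relaxing.
     *
     * @throws VerifyTerminateException ({@code INVALID_KEY_USAGE}) naming the first missing bit, or noting
     *         that the KeyUsage extension is absent altogether
     */
    private static void verifyKeyUsage(X509Certificate x509Certificate) throws VerifyTerminateException {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // getKeyUsage() returns null when the extension is absent; indexing it NPE'd before.
        if (keyUsage == null) {
            throw new OfdVerifyTerminateException(ErrorMsg.INVALID_KEY_USAGE.getCode(), ErrorMsg.INVALID_KEY_USAGE.getMessage() + ":key_usage_extension_missing");
        }
        requireKeyUsageBit(keyUsage, KU_DIGITAL_SIGNATURE, "digital_signature");
        requireKeyUsageBit(keyUsage, KU_NON_REPUDIATION, "non_repudiation");
        requireKeyUsageBit(keyUsage, KU_KEY_ENCIPHERMENT, "key_encipherment");
    }

    /** Fails with {@code INVALID_KEY_USAGE:<label>} unless bit {@code bit} is present and set. */
    private static void requireKeyUsageBit(boolean[] keyUsage, int bit, String label) throws VerifyTerminateException {
        // Length-guarded: the array mirrors the encoded BIT STRING and is not guaranteed to be padded.
        if (keyUsage.length <= bit || !keyUsage[bit]) {
            throw new OfdVerifyTerminateException(ErrorMsg.INVALID_KEY_USAGE.getCode(), ErrorMsg.INVALID_KEY_USAGE.getMessage() + ":" + label);
        }
    }

    /**
     * Resolves the certificate's CRL: reads the distribution points, fetches the first one that yields a
     * parseable CRL, and checks that the CRL actually applies to (and, if possible, is signed by the
     * issuer of) the certificate.
     *
     * @return the CRL, or {@code null} when the certificate has no distribution points or none could be fetched
     * @throws CRLException if a CRL was fetched but is issued by someone else or its signature does not verify
     */
    private static X509CRL getCrlObj(X509Certificate x509Certificate, X509Certificate issuer) throws Exception {
        byte[] extensionValue = x509Certificate.getExtensionValue(OID_CRL_DISTRIBUTION_POINTS);
        if (extensionValue == null) {
            System.out.println("证书文件不存在CRL分发点信息");
            return null;
        }
        X509CRL crl = null;
        for (String url : extractDistributionPointUrls(extensionValue)) {
            crl = fetchCrl(url);
            if (crl != null) {
                break;
            }
        }
        if (crl != null) {
            checkCrlApplicable(crl, x509Certificate, issuer);
        }
        return crl;
    }

    /**
     * Decodes the CRLDistributionPoints extension and returns the URI found in each DistributionPoint
     * (first GeneralName only, matching the previous behaviour).
     */
    private static List<String> extractDistributionPointUrls(byte[] extensionValue) throws Exception {
        // getExtensionValue() hands back the extension's DER OCTET STRING wrapper; the CRLDistPoint
        // SEQUENCE is the content of that octet string.
        ASN1Sequence distributionPoints;
        try (ASN1InputStream wrapper = new ASN1InputStream(new ByteArrayInputStream(extensionValue))) {
            byte[] inner = ASN1OctetString.getInstance(wrapper.readObject()).getOctets();
            try (ASN1InputStream body = new ASN1InputStream(new ByteArrayInputStream(inner))) {
                distributionPoints = ASN1Sequence.getInstance(body.readObject());
            }
        }
        List<String> urls = new ArrayList<>();
        for (int i = 0; i < distributionPoints.size(); i++) {
            String url = firstOctetStringLeaf(distributionPoints.getObjectAt(i));
            if (url != null) {
                System.out.println(url);
                urls.add(url);
            }
        }
        return urls;
    }

    /**
     * Walks down the first child of each SEQUENCE and through tagged wrappers until an OCTET STRING
     * leaf is reached, and returns it as ASCII (IA5String). Returns {@code null} instead of looping when
     * the structure is empty, of an unexpected type, or deeper than {@link #MAX_DISTRIBUTION_POINT_DEPTH}.
     * The previous unbounded {@code while} spun forever on such input, i.e. a crafted certificate could
     * hang verification.
     */
    private static String firstOctetStringLeaf(ASN1Encodable node) {
        ASN1Encodable current = node;
        for (int depth = 0; depth < MAX_DISTRIBUTION_POINT_DEPTH; depth++) {
            if (current instanceof ASN1OctetString) {
                return new String(((ASN1OctetString) current).getOctets(), StandardCharsets.US_ASCII);
            }
            if (current instanceof ASN1Sequence) {
                ASN1Sequence sequence = (ASN1Sequence) current;
                if (sequence.size() == 0) {
                    return null;
                }
                current = sequence.getObjectAt(0);
            } else if (current instanceof ASN1TaggedObject) {
                current = ((ASN1TaggedObject) current).getObject();
            } else {
                return null;
            }
        }
        return null;
    }

    /**
     * Dispatches a distribution-point URL to the HTTP or LDAP fetcher.
     *
     * <p>NOTE(review): the URL comes from the certificate being verified, so this is an SSRF vector - a
     * crafted certificate can make the verifier connect to arbitrary (including internal) hosts. There
     * is no host allow-list in {@link OfdVerifyConfig} as far as this class can see; deployments should
     * add one or restrict egress from the verifying host.
     *
     * @return the CRL, or {@code null} for unsupported schemes or fetch/parse failures
     */
    private static X509CRL fetchCrl(String url) throws Exception {
        if (url.startsWith("http://") || url.startsWith("https://")) {
            return getCrlByHttp(url);
        }
        if (url.startsWith("ldap://")) {
            return getCrlByLdap(url);
        }
        return null;
    }

    /**
     * Decides whether a fetched CRL may be consulted for {@code cert}.
     *
     * <ul>
     *   <li>Issuer names must match (RFC 5280 section 6.3.3; indirect CRLs are not supported). Without
     *       this, a CRL served from an attacker-controlled distribution point would be consulted for a
     *       certificate it says nothing about.</li>
     *   <li>When the issuer certificate is known, the CRL signature is verified with its key. Without
     *       this, whoever controls the distribution point (or the plaintext HTTP/LDAP path to it) can
     *       serve an empty CRL and "un-revoke" the certificate. If the CA signs CRLs with a separate
     *       CRL-signing key this check will fail; locating that key via AKI is not implemented.</li>
     *   <li>A CRL past {@code nextUpdate} is only logged, to keep the previous best-effort behaviour. A
     *       stale but validly signed CRL is exactly what a replay looks like; a strict deployment
     *       should fail here.</li>
     * </ul>
     *
     * @throws CRLException on issuer mismatch; signature failures propagate from {@link X509CRL#verify}
     */
    private static void checkCrlApplicable(X509CRL crl, X509Certificate cert, X509Certificate issuer) throws Exception {
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new CRLException("CRL颁发者与证书颁发者不一致");
        }
        if (issuer != null) {
            crl.verify(issuer.getPublicKey());
        } else {
            System.out.println("未提供颁发者证书, CRL签名未验证");
        }
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null && nextUpdate.getTime() < System.currentTimeMillis()) {
            System.out.println("CRL已过期, nextUpdate=" + nextUpdate);
        }
    }

    /**
     * Downloads and parses a CRL over HTTP(S).
     *
     * @return the CRL, or {@code null} on any transport or parse failure (logged; the caller tries the
     *         next distribution point)
     */
    private static X509CRL getCrlByHttp(String str) throws Exception {
        try (ByteArrayInputStream in = new ByteArrayInputStream(httpGet(str))) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Reads the {@code certificateRevocationList;binary} attribute of the first
     * {@code cRLDistributionPoint} entry under the LDAP URL and parses it.
     *
     * @return the CRL, or {@code null} if the URL is empty, the server is unreachable, no attribute is
     *         returned, or parsing fails (all logged)
     */
    private static X509CRL getCrlByLdap(String str) throws Exception {
        // The original condition was `str == null && "".equals(str)`, which can never be true.
        if (str == null || str.isEmpty()) {
            return null;
        }
        LdapContext ldapContext = ldapConnect(str.replace("ldap://", "LDAP://"));
        if (ldapContext == null) {
            return null;
        }
        try {
            byte[] der = fetchCrlAttribute(ldapContext);
            if (der == null) {
                System.out.println("LDAP未返回CRL属性");
                return null;
            }
            try (ByteArrayInputStream in = new ByteArrayInputStream(der)) {
                return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            }
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        } finally {
            // The context was never closed before; each CRL lookup leaked an LDAP connection.
            try {
                ldapContext.close();
            } catch (NamingException ignored) {
                // nothing further can be done with a connection we are discarding
            }
        }
    }

    /** Runs the subtree search and returns the first attribute value, or {@code null} if none. */
    private static byte[] fetchCrlAttribute(LdapContext ldapContext) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        searchControls.setReturningAttributes(new String[]{"certificateRevocationList;binary"});
        // We only want raw attribute bytes. Never let JNDI reconstruct Java objects from a server that an
        // untrusted certificate pointed us at. (false is the default; stated explicitly on purpose.)
        searchControls.setReturningObjFlag(false);
        NamingEnumeration<SearchResult> results = ldapContext.search("", "objectClass=cRLDistributionPoint", searchControls);
        try {
            while (results.hasMore()) {
                NamingEnumeration<? extends Attribute> attributes = results.next().getAttributes().getAll();
                try {
                    if (attributes.hasMore()) {
                        return (byte[]) attributes.next().get();
                    }
                } finally {
                    attributes.close();
                }
            }
            return null;
        } finally {
            results.close();
        }
    }

    /**
     * Hex-dumps the serial number as lowercase two-digit bytes, each followed by a space.
     * Currently unused within this class.
     */
    private static String getSerialNumber(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return null;
        }
        byte[] bytes = x509Certificate.getSerialNumber().toByteArray();
        if (bytes.length <= 0) {
            return null;
        }
        StringBuilder hex = new StringBuilder(bytes.length * 3);
        for (byte b : bytes) {
            hex.append(String.format("%02x", b & 0xff)).append(' ');
        }
        return hex.toString();
    }

    /**
     * Opens an anonymous LDAP connection to {@code str}.
     *
     * @return the context, or {@code null} if the connection failed (logged)
     */
    private static LdapContext ldapConnect(String str) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Anonymous bind on purpose: CRLs are public, and no credentials must ever be sent to a server
        // named by an untrusted certificate.
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        env.put(Context.PROVIDER_URL, str);
        env.put(Context.SECURITY_PRINCIPAL, "");
        env.put(Context.SECURITY_CREDENTIALS, "");
        env.put(Context.BATCHSIZE, "1000");
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        // Without a read timeout a stalled or malicious server could hang verification indefinitely.
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        try {
            LdapContext ldapContext = new InitialLdapContext(env, (Control[]) null);
            System.out.println("ldap connect success");
            return ldapContext;
        } catch (AuthenticationException e) {
            System.out.println("ldap认证失败");
        } catch (NamingException e2) {
            System.out.println("ldap参数有误导致连接失败");
        }
        return null;
    }

    /**
     * GETs {@code str} and returns the body bytes.
     *
     * @throws IOException if the URL is not a valid http/https URL or the status is not 2xx. The error
     *                     message deliberately reports only the body length: the body comes from a host
     *                     chosen by the certificate and should not be echoed into error output.
     */
    private static byte[] httpGet(String str) throws Exception {
        HttpUrl url = HttpUrl.parse(str);
        if (url == null) {
            throw new IOException("无法解析CRL下载地址: " + str);
        }
        Request request = new Request.Builder().get().url(url).build();
        // Response is Closeable; the previous version never closed it and leaked the connection.
        try (Response response = HTTP_CLIENT.newCall(request).execute()) {
            byte[] bytes = response.body().bytes();
            if (response.isSuccessful()) {
                return bytes;
            }
            throw new IOException("http请求失败,Url: " + str + "状态码: " + response.code() + ", 请求结果: " + bytes.length + " bytes");
        }
    }
}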
