package z1.pdf.verify;

import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.security.PdfPKCS7;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.naming.AuthenticationException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.HttpUrl;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import z1.pdf.verify.domain.RevocationInfo;
import z1.pdf.verify.exception.PdfVerifyTerminateException;

/* loaded from: input_file:z1/pdf/verify/PdfVerifyUtils.class */
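public class PdfVerifyUtils {
    /** OID of the CRL Distribution Points certificate extension (RFC 5280, 4.2.1.13). */
    private static final String CRL_DISTRIBUTION_POINTS_OID = "2.5.29.31";

    /** Classpath location of the trust-anchor certificate (shipped under src/main/resources). */
    private static final String ROOT_CERT_RESOURCE = "/cert/szca.cer";

    /**
     * Absolute path the original build read the trust anchor from. Only consulted when the
     * classpath resource is missing, so existing deployments keep working.
     */
    private static final String ROOT_CERT_FALLBACK_PATH =
            "/Users/zlinfo/work/code/taxware/taxware-z1/z1-pdf-verify/src/main/resources/cert/szca.cer";

    /** Connect/read/write timeout applied to CRL downloads over HTTP. */
    private static final long HTTP_TIMEOUT_SECONDS = 10L;

    /**
     * Trust manager that accepts every peer certificate without checking it.
     *
     * <p>Kept only because the field is package-visible and may be read elsewhere; this class no
     * longer installs it. CRL downloads use the JVM's default trust store and hostname
     * verification, since the download URL is taken from the very certificate being checked.
     *
     * @deprecated disables TLS server authentication; do not use.
     */
    @Deprecated
    static final TrustManager[] trustAllCerts;

    /**
     * Verifies every signature field of the given PDF.
     *
     * <p>For each signature the following must hold, otherwise a
     * {@link PdfVerifyTerminateException} is thrown: the signature covers the whole document,
     * the signing time lies inside the signing certificate's validity period, the CMS signature
     * verifies, every certificate carried in the signature verifies directly against the trust
     * anchor and has the required key usage bits, and — when a timestamp token is present — the
     * timestamp imprint matches. Expiry of the signing certificate at verification time is only
     * reported on stdout. CRL revocation status is <em>not</em> consulted here.
     *
     * @param bArr the PDF bytes
     * @throws PdfVerifyTerminateException when the input is null, has no signatures, or a check fails
     * @throws Exception on parse or I/O failure (including a missing trust-anchor certificate)
     */
    public void verify(byte[] bArr) throws Exception {
        if (bArr == null) {
            throw new PdfVerifyTerminateException("参数不能为空");
        }
        PdfReader reader = new PdfReader(bArr);
        try {
            AcroFields acroFields = reader.getAcroFields();
            List<String> signatureNames = acroFields.getSignatureNames();
            if (signatureNames.isEmpty()) {
                throw new PdfVerifyTerminateException("未找到PDF中的签章信息");
            }
            // Loaded once rather than once per signature.
            X509Certificate trustAnchor = loadTrustAnchor();
            for (String signatureName : signatureNames) {
                verifyOneSignature(acroFields, signatureName, trustAnchor);
            }
        } finally {
            reader.close();
        }
    }

    /**
     * Runs all per-signature checks described on {@link #verify(byte[])} for one signature field.
     *
     * @param acroFields    the document's form fields
     * @param signatureName name of the signature field to check
     * @param trustAnchor   certificate whose public key every chain certificate is verified against
     * @throws PdfVerifyTerminateException when any check fails
     * @throws Exception on cryptographic or I/O failure
     */
    private static void verifyOneSignature(AcroFields acroFields, String signatureName,
            X509Certificate trustAnchor) throws Exception {
        PdfPKCS7 pkcs7 = acroFields.verifySignature(signatureName);
        if (!acroFields.signatureCoversWholeDocument(signatureName)) {
            throw new PdfVerifyTerminateException("签名未覆盖文档所有内容,可能被篡改");
        }
        X509Certificate signer = pkcs7.getSigningCertificate();
        long signTime = pkcs7.getSignDate().getTime().getTime();
        long notBefore = signer.getNotBefore().getTime();
        long notAfter = signer.getNotAfter().getTime();
        System.out.println(signTime);
        System.out.println(signer.getSubjectDN().toString());
        System.out.println(signer.getIssuerDN().toString());
        System.out.println(notBefore);
        System.out.println(notAfter);
        // The claimed signing time must fall inside the signing certificate's validity window.
        if (signTime < notBefore) {
            throw new PdfVerifyTerminateException("签章时间早于签章证书有效起始时间");
        }
        if (signTime > notAfter) {
            throw new PdfVerifyTerminateException("签章时间超过签章证书有效截止时间");
        }
        if (!pkcs7.verify()) {
            throw new PdfVerifyTerminateException("签名验证无效");
        }
        // Every certificate in the signature is checked directly against the trust anchor;
        // no chain building is performed.
        for (Certificate certificate : pkcs7.getCertificates()) {
            doVerifyAndReturnRevocationIfno((X509Certificate) certificate, trustAnchor);
        }
        try {
            signer.checkValidity();
        } catch (CertificateExpiredException e) {
            System.out.println("证书过期");
        } catch (CertificateNotYetValidException e) {
            System.out.println("证书未到起始有效期");
        }
        if (pkcs7.getTimeStampToken() != null && !pkcs7.verifyTimestampImprint()) {
            throw new PdfVerifyTerminateException("时间戳证书无效");
        }
    }

    /**
     * Loads the trust-anchor certificate, preferring the classpath resource and falling back to
     * the historical absolute path.
     *
     * @return the parsed X.509 trust anchor
     * @throws Exception when neither location yields a parsable certificate
     */
    private static X509Certificate loadTrustAnchor() throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509", "BC");
        InputStream source = PdfVerifyUtils.class.getResourceAsStream(ROOT_CERT_RESOURCE);
        if (source == null) {
            source = new FileInputStream(ROOT_CERT_FALLBACK_PATH);
        }
        try (InputStream in = source) {
            return (X509Certificate) factory.generateCertificate(in);
        }
    }

    /**
     * Checks one certificate against a trust anchor.
     *
     * <p>Despite its name this method returns nothing and does not look up revocation
     * information; see {@link #getRevocationInfo(X509Certificate, X509Certificate)} for that.
     * Expiry is only reported on stdout, whereas a not-yet-valid certificate propagates its
     * {@link CertificateNotYetValidException}.
     *
     * @param x509Certificate  certificate under test
     * @param x509Certificate2 trust anchor; when null the signature on the certificate is not checked
     * @throws PdfVerifyTerminateException when the key usage does not include digitalSignature and nonRepudiation
     * @throws Exception when the certificate's signature does not verify under the anchor's key
     */
    public static void doVerifyAndReturnRevocationIfno(X509Certificate x509Certificate,
            X509Certificate x509Certificate2) throws Exception {
        try {
            x509Certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            System.out.println("[" + x509Certificate.getSubjectDN().toString() + "]证书过期");
        }
        if (x509Certificate2 != null) {
            x509Certificate.verify(x509Certificate2.getPublicKey());
        }
        verifyKeyUsage(x509Certificate);
    }

    /**
     * Looks up the certificate in the CRL named by its distribution points, without verifying
     * the CRL's signature.
     *
     * @param x509Certificate certificate whose revocation status is wanted
     * @return revocation details, or null when the certificate is not listed or no CRL could be obtained
     * @throws PdfVerifyTerminateException wrapping any failure during lookup
     * @see #getRevocationInfo(X509Certificate, X509Certificate)
     */
    static RevocationInfo getRevocationInfo(X509Certificate x509Certificate) throws Exception {
        return getRevocationInfo(x509Certificate, null);
    }

    /**
     * Looks up the certificate in the CRL named by its distribution points.
     *
     * <p>The distribution-point URLs come from the certificate under test, so the downloaded CRL
     * is only trustworthy once its signature has been checked; pass the issuer to enable that.
     * Note the fail-open contract inherited from the original: when no CRL can be obtained the
     * method returns null, the same as "not revoked".
     *
     * @param x509Certificate certificate whose revocation status is wanted
     * @param issuer          CRL issuer whose key signs the CRL; when null the CRL signature is not checked
     * @return revocation details, or null when the certificate is not listed or no CRL could be obtained
     * @throws PdfVerifyTerminateException wrapping any failure during lookup, including a CRL
     *         whose signature does not verify under {@code issuer}
     */
    static RevocationInfo getRevocationInfo(X509Certificate x509Certificate, X509Certificate issuer)
            throws Exception {
        try {
            X509CRL crl = getCrlObj(x509Certificate);
            if (crl == null) {
                System.out.println("未能解析到CRL对象信息");
                return null;
            }
            if (issuer != null) {
                // Throws when the CRL was not signed by the issuer's key.
                crl.verify(issuer.getPublicKey());
            }
            X509CRLEntry entry = crl.getRevokedCertificate(x509Certificate.getSerialNumber());
            if (entry == null) {
                return null;
            }
            RevocationInfo revocationInfo = new RevocationInfo();
            revocationInfo.setRevocationDate(entry.getRevocationDate());
            // The reason-code extension is optional; getRevocationReason() is null without it.
            revocationInfo.setRevocationReson(
                    entry.getRevocationReason() == null ? null : entry.getRevocationReason().name());
            return revocationInfo;
        } catch (Exception e) {
            PdfVerifyTerminateException wrapped =
                    new PdfVerifyTerminateException("获取证书吊销信息异常:" + e.getMessage());
            wrapped.addSuppressed(e);
            throw wrapped;
        }
    }

    /**
     * Fetches the first CRL reachable through the certificate's CRL distribution points.
     *
     * <p>Only {@code http(s)} and {@code ldap://} URLs are tried, in extension order; the first
     * successful download wins.
     *
     * @param x509Certificate certificate carrying the distribution points
     * @return the CRL, or null when the extension is absent or no URL yields a CRL
     * @throws Exception when the extension cannot be decoded
     */
    private static X509CRL getCrlObj(X509Certificate x509Certificate) throws Exception {
        byte[] extensionValue = x509Certificate.getExtensionValue(CRL_DISTRIBUTION_POINTS_OID);
        if (extensionValue == null) {
            System.out.println("证书文件不存在CRL分发点信息");
            return null;
        }
        for (String url : extractDistributionPointUrls(extensionValue)) {
            X509CRL crl = null;
            if (url.startsWith("http")) {
                crl = getCrlByHttp(url);
            } else if (url.startsWith("ldap://")) {
                crl = getCrlByLdap(url);
            }
            if (crl != null) {
                return crl;
            }
        }
        return null;
    }

    /**
     * Extracts the URL strings from a DER-encoded CRL Distribution Points extension value.
     *
     * <p>The walk descends into the first child of each sequence and through tagged objects
     * until an octet string (the URI) is reached. Entries that do not have this shape (for
     * instance a name relative to the CRL issuer) are skipped instead of looping forever.
     *
     * @param extensionValue raw extension value (the outer OCTET STRING wrapper included)
     * @return the URLs found, possibly empty
     * @throws IOException when the value is not valid ASN.1
     */
    private static List<String> extractDistributionPointUrls(byte[] extensionValue) throws IOException {
        ASN1Sequence distributionPoints;
        try (ASN1InputStream outer = new ASN1InputStream(new ByteArrayInputStream(extensionValue))) {
            byte[] inner = ASN1OctetString.getInstance(outer.readObject()).getOctets();
            try (ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(inner))) {
                distributionPoints = ASN1Sequence.getInstance(in.readObject());
            }
        }
        List<String> urls = new ArrayList<>();
        for (int i = 0; i < distributionPoints.size(); i++) {
            ASN1Encodable node = distributionPoints.getObjectAt(i);
            while (node != null && !(node instanceof DEROctetString)) {
                ASN1Encodable next = node;
                if (node instanceof ASN1Sequence && ((ASN1Sequence) node).size() > 0) {
                    next = ((ASN1Sequence) node).getObjectAt(0);
                } else if (node instanceof ASN1TaggedObject) {
                    next = ((ASN1TaggedObject) node).getObject();
                }
                // No progress means an unsupported shape; give up on this entry.
                node = (next == node) ? null : next;
            }
            if (node == null) {
                continue;
            }
            String url = new String(((DEROctetString) node).getOctets(), StandardCharsets.UTF_8);
            System.out.println(url);
            urls.add(url);
        }
        return urls;
    }

    /**
     * Downloads and parses a CRL over HTTP(S).
     *
     * @param str the CRL URL
     * @return the CRL, or null when the download or parse fails (failure is logged to stderr)
     * @throws Exception never in practice; kept for signature compatibility
     */
    private static X509CRL getCrlByHttp(String str) throws Exception {
        try (ByteArrayInputStream in = new ByteArrayInputStream(httpGet(str))) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        } catch (Exception e) {
            System.err.println("http CRL下载或解析失败: " + str + " -> " + e);
            return null;
        }
    }

    /**
     * Fetches a CRL from an LDAP distribution point by reading the first
     * {@code certificateRevocationList;binary} attribute found under the URL's base entry.
     *
     * @param str the {@code ldap://} URL
     * @return the CRL, or null when the URL is empty, the connection fails, no attribute is
     *         returned, or parsing fails (failures are logged)
     * @throws Exception never in practice; kept for signature compatibility
     */
    private static X509CRL getCrlByLdap(String str) throws Exception {
        if (str == null || str.isEmpty()) {
            return null;
        }
        LdapContext ctx = ldapConnect(str.replace("ldap://", "LDAP://"));
        if (ctx == null) {
            return null;
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[]{"certificateRevocationList;binary"});
            NamingEnumeration<SearchResult> results =
                    ctx.search("", "objectClass=cRLDistributionPoint", controls);
            byte[] crlBytes = null;
            while (results.hasMore() && crlBytes == null) {
                NamingEnumeration<? extends Attribute> attributes = results.next().getAttributes().getAll();
                if (attributes.hasMore()) {
                    crlBytes = (byte[]) attributes.next().get();
                }
            }
            if (crlBytes == null) {
                System.out.println("ldap未返回certificateRevocationList属性");
                return null;
            }
            try (ByteArrayInputStream in = new ByteArrayInputStream(crlBytes)) {
                return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
            }
        } catch (Exception e) {
            System.err.println("ldap CRL下载或解析失败: " + str + " -> " + e);
            return null;
        } finally {
            try {
                ctx.close();
            } catch (NamingException ignored) {
                // best-effort cleanup of the directory connection
            }
        }
    }

    /**
     * Opens an anonymous LDAP connection with a 5 second connect timeout.
     *
     * @param str provider URL (already upper-cased to {@code LDAP://})
     * @return the context, or null when the connection fails (failure is logged to stdout)
     */
    private static LdapContext ldapConnect(String str) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.security.authentication", "none");
        env.put("java.naming.provider.url", str);
        env.put("java.naming.security.principal", "");
        env.put("java.naming.security.credentials", "");
        env.put("java.naming.batchsize", "1000");
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        try {
            InitialLdapContext ctx = new InitialLdapContext(env, (Control[]) null);
            System.out.println("ldap connect success");
            return ctx;
        } catch (AuthenticationException e) {
            System.out.println("ldap认证失败");
        } catch (NamingException e) {
            System.out.println("ldap参数有误导致连接失败");
        }
        return null;
    }

    /**
     * Performs an HTTP GET and returns the response body.
     *
     * <p>TLS uses the JVM's default trust store and hostname verification. The response is
     * always closed.
     *
     * @param str the URL to fetch
     * @return the body bytes of a 2xx response (empty when the response has no body)
     * @throws Exception when the URL is invalid, the request fails, or the status is not 2xx
     */
    private static byte[] httpGet(String str) throws Exception {
        HttpUrl url = HttpUrl.parse(str);
        if (url == null) {
            throw new Exception("无效的CRL下载地址: " + str);
        }
        OkHttpClient client = new OkHttpClient.Builder()
                .connectTimeout(HTTP_TIMEOUT_SECONDS, TimeUnit.SECONDS)
                .readTimeout(HTTP_TIMEOUT_SECONDS, TimeUnit.SECONDS)
                .writeTimeout(HTTP_TIMEOUT_SECONDS, TimeUnit.SECONDS)
                .build();
        Request request = new Request.Builder().get().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            byte[] body = response.body() == null ? new byte[0] : response.body().bytes();
            if (response.isSuccessful()) {
                return body;
            }
            throw new Exception("http请求失败,Url: " + str + "状态码: " + response.code()
                    + ", 请求结果: " + new String(body, StandardCharsets.UTF_8));
        }
    }

    /**
     * Requires the digitalSignature and nonRepudiation key usage bits.
     *
     * @param x509Certificate certificate to inspect
     * @throws PdfVerifyTerminateException when the extension is absent or either bit is clear
     */
    private static void verifyKeyUsage(X509Certificate x509Certificate) throws PdfVerifyTerminateException {
        // getKeyUsage() returns null when the certificate has no keyUsage extension.
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null || keyUsage.length == 0 || !keyUsage[0]) {
            throw new PdfVerifyTerminateException("密钥用法验证无效:digital_signature");
        }
        if (keyUsage.length < 2 || !keyUsage[1]) {
            throw new PdfVerifyTerminateException("密钥用法验证无效:non_repudiation");
        }
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
        trustAllCerts = new TrustManager[]{new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        }};
    }
}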
