package cn.topca.api.cert;

import cn.tca.TopBasicCrypto.asn1.ASN1InputStream;
import cn.tca.TopBasicCrypto.asn1.ASN1ObjectIdentifier;
import cn.tca.TopBasicCrypto.asn1.ASN1Sequence;
import cn.tca.TopBasicCrypto.asn1.x509.CRLDistPoint;
import cn.tca.TopBasicCrypto.asn1.x509.DistributionPoint;
import cn.tca.TopBasicCrypto.asn1.x509.DistributionPointName;
import cn.tca.TopBasicCrypto.asn1.x509.GeneralName;
import cn.tca.TopBasicCrypto.asn1.x509.GeneralNames;
import cn.tca.TopBasicCrypto.cert.X509CertificateHolder;
import cn.tca.TopBasicCrypto.cms.CMSException;
import cn.tca.TopBasicCrypto.operator.OperatorCreationException;
import cn.topca.core.ext.bc.cms.CMSAlgorithm;
import cn.topca.core.ext.bc.cms.CMSOperatorUtils;
import cn.topca.core.ext.bc.cms.SignerInfoGenerator;
import cn.topca.crypto.Cipher;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAKey;
import java.security.interfaces.RSAKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.interfaces.DHKey;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:cn/topca/api/cert/Certificate.class */
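/**
 * Wraps one X.509 certificate and exposes its fields together with the sign, verify, encrypt and
 * decrypt operations tied to it.
 *
 * <p>Private-key operations look the key up through {@code KeyStoreMgr} using this certificate.
 * Construction fails with {@code ERR_CERT_UNLIC} when {@code LicenseMgr.certWithLicense} rejects
 * the certificate.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Parsing a certificate does not establish trust in it. Call {@link #verify()} before acting
 *       on any field; values such as the CRL URL come from the certificate itself.</li>
 *   <li>The RSA defaults are {@code TCA.SHA1} for signatures and {@code "3DES"} for enveloping, and
 *       {@code checkHashAlg} rejects {@code TCA.SHA256}. Both defaults are legacy choices; see the
 *       notes on the individual methods.</li>
 * </ul>
 */
public class Certificate {
    /**
     * Key-usage names in the index order documented for
     * {@link X509Certificate#getKeyUsage()} (index 0 is digitalSignature, index 8 is decipherOnly).
     */
    private static final String[] KEY_USAGE_NAMES = {
        "digitalSignature",
        "nonRepudiation",
        "keyEncipherment",
        "dataEncipherment",
        "keyAgreement",
        "keyCertSign",
        "cRLSign",
        "encipherOnly",
        "decipherOnly"
    };

    /** Index of nonRepudiation in {@link X509Certificate#getKeyUsage()}; also named contentCommitment. */
    private static final int NON_REPUDIATION_INDEX = 1;

    private X509Certificate cert;
    // Provider used for Signature and Cipher lookups; chosen in init() from the key algorithm.
    private Provider _provider = null;
    // Extended-key-usage OID string -> display name; filled once in the static initializer below.
    private static final Map<String, String> _extendedKeyUsageMap = new HashMap<String, String>();
    private static KeyStoreMgr keyMgr = KeyStoreMgr.getInstance();
    private static VerifierMgr verMgr = VerifierMgr.getInstance();
    private static LicenseMgr licMgr = LicenseMgr.getInstance();

    /**
     * Builds a certificate from text, with or without the PEM armor lines.
     *
     * <p>Only the BEGIN/END CERTIFICATE markers, CR and LF are stripped before the text is handed
     * to {@code TCAUtil.decode} (presumably a Base64 decoder; confirm against TCAUtil).
     *
     * @param str encoded certificate text; must not be null
     * @throws CertApiException if the certificate cannot be loaded or is not licensed
     */
    public Certificate(String str) throws CertApiException {
        // Plain literal replacement: none of these markers needs regex semantics.
        String stripped = str.replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "")
                .replace("\r", "")
                .replace("\n", "");
        init(TCAUtil.decode(stripped));
    }

    /**
     * Builds a certificate from its binary encoding.
     *
     * @param bArr encoded certificate bytes
     * @throws CertApiException if the certificate cannot be loaded or is not licensed
     */
    public Certificate(byte[] bArr) throws CertApiException {
        init(bArr);
    }

    /**
     * Parses the certificate, selects the crypto provider and enforces the license check.
     *
     * @param bArr encoded certificate bytes
     * @throws CertApiException with {@code ERR_CERT_UNLIC} when the license check fails
     */
    private void init(byte[] bArr) throws CertApiException {
        this.cert = TCAUtil.convBin2Cert(bArr);
        // Every key algorithm whose name does not contain "RSA" is routed to the SM2 provider,
        // including DSA/DH keys that publicKeySize() otherwise knows about.
        if (this.cert.getPublicKey().getAlgorithm().contains("RSA")) {
            this._provider = TCAUtil.getBcProvider();
        } else {
            this._provider = TCAUtil.getSm2Provider();
        }
        if (!licMgr.certWithLicense(this.cert)) {
            throw new CertApiException(TCAErrCode.ERR_CERT_UNLIC);
        }
    }

    /**
     * Returns the serial number as upper-case hex.
     *
     * <p>The bytes come from {@code BigInteger.toByteArray()}, which is two's complement, so a
     * serial whose top bit is set is rendered with a leading {@code 00} byte.
     *
     * @return upper-case hex serial number
     */
    public String serialNumber() {
        return Hex.encodeHexString(this.cert.getSerialNumber().toByteArray()).toUpperCase();
    }

    /** @return the subject distinguished name as rendered by {@code X500Principal.toString()} */
    public String subject() {
        return this.cert.getSubjectX500Principal().toString();
    }

    /** @return the issuer distinguished name as rendered by {@code X500Principal.toString()} */
    public String issuer() {
        return this.cert.getIssuerX500Principal().toString();
    }

    /** @return start of the validity period */
    public Date notBefore() {
        return this.cert.getNotBefore();
    }

    /** @return end of the validity period */
    public Date notAfter() {
        return this.cert.getNotAfter();
    }

    /**
     * Lists the key-usage names asserted by the certificate.
     *
     * <p>Names are read straight from the boolean array of {@link X509Certificate#getKeyUsage()},
     * whose index order is digitalSignature(0) through decipherOnly(8). The earlier implementation
     * packed index {@code i} into bit {@code 1 << i} and then tested that mask against constants
     * laid out in the opposite direction (64 for nonRepudiation, 4 for keyCertSign, ...), so for
     * example a keyEncipherment certificate was reported as keyCertSign. Callers that gate
     * signing or CA decisions on these names need the labels to be right.
     *
     * <p>When nonRepudiation is set, its alias {@code "contentCommitment"} is appended as the last
     * element, as before.
     *
     * @return asserted key-usage names in extension bit order; empty when the extension is absent
     *     or no bit is set
     */
    public String[] keyUsage() {
        boolean[] bits = this.cert.getKeyUsage();
        if (bits == null) {
            return new String[0];
        }
        List<String> names = new ArrayList<String>();
        // Guard against an array longer or shorter than the nine names defined above.
        int limit = Math.min(bits.length, KEY_USAGE_NAMES.length);
        boolean nonRepudiation = false;
        for (int i = 0; i < limit; i++) {
            if (!bits[i]) {
                continue;
            }
            names.add(KEY_USAGE_NAMES[i]);
            if (i == NON_REPUDIATION_INDEX) {
                nonRepudiation = true;
            }
        }
        if (nonRepudiation) {
            names.add("contentCommitment");
        }
        return names.toArray(new String[names.size()]);
    }

    /**
     * Lists the extended-key-usage names asserted by the certificate.
     *
     * <p>OIDs that are not in the internal name table are dropped silently, so an empty result
     * does not prove that the extension is absent.
     *
     * @return known extended-key-usage names; empty when none are present or recognised
     * @throws CertApiException with {@code ERR_CERT_PARSINGERR} if the extension cannot be parsed
     */
    public String[] extededKeyUsage() throws CertApiException {
        try {
            List<String> oids = this.cert.getExtendedKeyUsage();
            if (oids == null || oids.size() == 0) {
                return new String[0];
            }
            List<String> names = new ArrayList<String>();
            for (String oid : oids) {
                String name = _extendedKeyUsageMap.get(oid);
                if (name != null) {
                    names.add(name);
                }
            }
            return names.toArray(new String[names.size()]);
        } catch (CertificateParsingException e) {
            throw new CertApiException(TCAErrCode.ERR_CERT_PARSINGERR, e);
        }
    }

    /**
     * Returns the first CRL distribution point URI, if any.
     *
     * <p>The value is taken from the certificate and is therefore untrusted until the certificate
     * has been verified; a caller that fetches it should restrict the schemes and hosts it accepts.
     *
     * @return the first URI, or {@code null} when the certificate lists none
     * @throws CertApiException if the extension cannot be read
     */
    public String crlUrl() throws CertApiException {
        String[] crlUrls = crlUrls();
        if (crlUrls.length == 0) {
            return null;
        }
        return crlUrls[0];
    }

    /**
     * Verifies the certificate at the current time.
     *
     * @return the result of {@code VerifierMgr.verify} for the current date
     * @throws CertApiException if verification cannot be carried out
     */
    public boolean verify() throws CertApiException {
        return verify(new Date());
    }

    /**
     * Verifies the certificate at the given time by delegating to {@code VerifierMgr.verify}.
     *
     * <p>Which checks that covers (chain, validity period, revocation) is not visible in this
     * class; confirm against VerifierMgr before relying on a specific one.
     *
     * @param date the instant to verify against
     * @return the verifier's verdict
     * @throws CertApiException if verification cannot be carried out
     */
    public boolean verify(Date date) throws CertApiException {
        return verMgr.verify(this.cert, date);
    }

    /** @return the certificate's signature algorithm name */
    public String signAlg() {
        return this.cert.getSigAlgName();
    }

    /** @return the public key's algorithm name */
    public String publicKeyAlg() {
        return this.cert.getPublicKey().getAlgorithm();
    }

    /**
     * Returns the public key size in bits.
     *
     * @return modulus length for RSA, length of P for DSA and DH, 256 when the algorithm name
     *     equals {@code TCA.SM2}, and -1 for anything else
     */
    public int publicKeySize() {
        PublicKey publicKey = this.cert.getPublicKey();
        if (publicKey instanceof RSAKey) {
            return ((RSAKey) publicKey).getModulus().bitLength();
        }
        if (publicKey instanceof DSAKey) {
            return ((DSAKey) publicKey).getParams().getP().bitLength();
        }
        if (publicKey instanceof DHKey) {
            return ((DHKey) publicKey).getParams().getP().bitLength();
        }
        return TCA.SM2.equals(publicKey.getAlgorithm()) ? 256 : -1;
    }

    /**
     * Signs {@code "LOGONDATA:" + str} (UTF-8) as PKCS#7 and returns the encoded result.
     *
     * <p>The fixed prefix keeps a logon signature from being produced over arbitrary
     * caller-chosen bytes, but the signed text carries no nonce or timestamp of its own; replay
     * protection has to come from the content of {@code str}.
     *
     * @param str logon data to sign
     * @return the signature, encoded by {@code TCAUtil.encode}
     * @throws CertApiException if encoding or signing fails
     */
    public String signLogondata(String str) throws CertApiException {
        try {
            return TCAUtil.encode(signP7(("LOGONDATA:" + str).getBytes("UTF-8")));
        } catch (UnsupportedEncodingException e) {
            throw new CertApiException(TCAErrCode.ERR_STR_ENCODING, e);
        }
    }

    /**
     * Signs data as PKCS#7 with the default hash and with {@code z = true}.
     *
     * @param bArr data to sign
     * @return DER-encoded PKCS#7 structure
     * @throws CertApiException if signing fails
     */
    public byte[] signP7(byte[] bArr) throws CertApiException {
        return signP7(bArr, true);
    }

    /**
     * Signs data as PKCS#7 with the default hash: {@code TCA.SHA1} for RSA keys, otherwise
     * {@code TCA.SM3}.
     *
     * <p>NOTE(review): SHA-1 is no longer collision resistant. It stays the RSA default because
     * {@code checkHashAlg} rejects {@code TCA.SHA256}; treat RSA signatures from this class as
     * legacy-strength.
     *
     * @param bArr data to sign
     * @param z forwarded as the last argument of {@code TCAUtil.doGenSignedData}; presumably
     *     selects whether the content is embedded in the output (confirm against TCAUtil)
     * @return DER-encoded PKCS#7 structure
     * @throws CertApiException if signing fails
     */
    public byte[] signP7(byte[] bArr, boolean z) throws CertApiException {
        return signP7(bArr, z, publicKeyAlg().equalsIgnoreCase("RSA") ? TCA.SHA1 : TCA.SM3);
    }

    /**
     * Signs data as PKCS#7 with an explicit hash algorithm; the signer certificate is included.
     *
     * @param bArr data to sign
     * @param z forwarded as the last argument of {@code TCAUtil.doGenSignedData}
     * @param str hash algorithm name; validated by {@code checkHashAlg}
     * @return DER-encoded PKCS#7 structure
     * @throws CertApiException if the hash is not allowed for this key or signing fails
     */
    public byte[] signP7(byte[] bArr, boolean z, String str) throws CertApiException {
        checkHashAlg(str);
        // The SM2-specific flag is only honoured when the "signQ7" configuration switch is on.
        boolean sm2Variant = publicKeyAlg().equalsIgnoreCase(TCA.SM2);
        if (!ConfigMgr.getInstance().getBoolConfig("signQ7")) {
            sm2Variant = false;
        }
        return doSign(bArr, str, KeyStoreMgr.getInstance().getPriKeyByCert(this.cert), this._provider, true, z, sm2Variant);
    }

    /**
     * Produces a bare signature with the default hash ({@code TCA.SHA1} for RSA, else
     * {@code TCA.SM3}). See the SHA-1 note on {@link #signP7(byte[], boolean)}.
     *
     * @param bArr data to sign
     * @return signature bytes
     * @throws CertApiException if signing fails
     */
    public byte[] signRaw(byte[] bArr) throws CertApiException {
        return signRaw(bArr, publicKeyAlg().equalsIgnoreCase("RSA") ? TCA.SHA1 : TCA.SM3);
    }

    /**
     * Produces a bare signature using the JCA algorithm {@code str + "With" + publicKeyAlg()}.
     *
     * @param bArr data to sign
     * @param str hash algorithm name; validated by {@code checkHashAlg}
     * @return signature bytes
     * @throws CertApiException if the hash is not allowed, the key is invalid or signing fails
     */
    public byte[] signRaw(byte[] bArr, String str) throws CertApiException {
        checkHashAlg(str);
        PrivateKey priKeyByCert = keyMgr.getPriKeyByCert(this.cert);
        try {
            Signature signature = Signature.getInstance(str + "With" + publicKeyAlg(), this._provider);
            signature.initSign(priKeyByCert);
            signature.update(bArr);
            return signature.sign();
        } catch (InvalidKeyException e) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_KEY, e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_ALG, e2);
        } catch (SignatureException e3) {
            throw new CertApiException(TCAErrCode.ERR_CERT_SIGNATRUE, e3);
        }
    }

    /**
     * Verifies a bare signature with the default hash.
     *
     * <p>Argument order is signature first, data second.
     *
     * @param bArr the signature bytes
     * @param bArr2 the data that was signed
     * @return {@code true} if the signature matches
     * @throws CertApiException if verification cannot be carried out
     */
    public boolean verifyRaw(byte[] bArr, byte[] bArr2) throws CertApiException {
        return verifyRaw(bArr, bArr2, publicKeyAlg().equalsIgnoreCase("RSA") ? TCA.SHA1 : TCA.SM3);
    }

    /**
     * Verifies a bare signature against this certificate's public key.
     *
     * <p>Argument order is signature first, data second; swapping them fails verification rather
     * than raising an error, so check call sites. This checks the signature only; it does not
     * verify the certificate itself, so pair it with {@link #verify()}.
     *
     * @param bArr the signature bytes
     * @param bArr2 the data that was signed
     * @param str hash algorithm name; validated by {@code checkHashAlg}
     * @return {@code true} if the signature matches
     * @throws CertApiException if the hash is not allowed, the key is invalid or the signature is
     *     malformed
     */
    public boolean verifyRaw(byte[] bArr, byte[] bArr2, String str) throws CertApiException {
        checkHashAlg(str);
        PublicKey publicKey = this.cert.getPublicKey();
        try {
            Signature signature = Signature.getInstance(str + "With" + publicKeyAlg(), this._provider);
            signature.initVerify(publicKey);
            signature.update(bArr2);
            return signature.verify(bArr);
        } catch (InvalidKeyException e) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_KEY, e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_ALG, e2);
        } catch (SignatureException e3) {
            throw new CertApiException(TCAErrCode.ERR_CERT_SIGNATRUE, e3);
        }
    }

    /**
     * Envelopes data for this certificate with the default cipher: {@code TCA.SM4} for SM2 keys,
     * otherwise {@code "3DES"}.
     *
     * <p>NOTE(review): 3DES is a legacy 64-bit-block cipher; prefer passing {@code TCA.AES}
     * explicitly where the recipient supports it.
     *
     * @param bArr plaintext
     * @return encoded enveloped data
     * @throws CertApiException if enveloping fails
     */
    public byte[] encryptP7(byte[] bArr) throws CertApiException {
        return encryptP7(bArr, publicKeyAlg().equalsIgnoreCase(TCA.SM2) ? TCA.SM4 : "3DES");
    }

    /**
     * Envelopes data for this certificate with the named symmetric cipher.
     *
     * <p>The ciphers selected by {@code convSymmAlg} are CBC-mode identifiers where the mode is
     * visible in the name; no integrity protection is added here, so sign the content separately
     * when tampering must be detected.
     *
     * @param bArr plaintext
     * @param str symmetric algorithm name; {@code TCA.SM1} is rejected
     * @return encoded enveloped data
     * @throws CertApiException if the algorithm is not allowed or enveloping fails
     */
    public byte[] encryptP7(byte[] bArr, String str) throws CertApiException {
        if (str.equalsIgnoreCase(TCA.SM1)) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_ALGPARAMET);
        }
        try {
            return CMSOperatorUtils.generateEnvelopedData(bArr, this.cert, convSymmAlg(str), false).getEncoded();
        } catch (CMSException e) {
            throw new CertApiException(TCAErrCode.ERR_GENERATE_ENVELOPDATA, e);
        } catch (IOException e2) {
            throw new CertApiException(TCAErrCode.ERR_ENCODE, e2);
        } catch (CertificateEncodingException e3) {
            throw new CertApiException(TCAErrCode.ERR_CERT_ENCODING, e3);
        }
    }

    /**
     * Encrypts a short message directly with the certificate's public key.
     *
     * <p>The cipher is requested by bare algorithm name, so mode and padding are whatever the
     * provider defaults to. The RSA length limit of {@code keyBytes - 11} matches PKCS#1 v1.5
     * padding overhead. NOTE(review): if the provider default really is PKCS#1 v1.5, the matching
     * {@link #decryptRaw(byte[])} must not reveal padding failures to an untrusted peer.
     *
     * @param bArr plaintext
     * @return ciphertext
     * @throws CertApiException with {@code ERR_PLAIN_RUNAWAY} if the RSA plaintext is too long, or
     *     another code if encryption fails
     */
    public byte[] encryptRaw(byte[] bArr) throws CertApiException {
        if (publicKeyAlg().equalsIgnoreCase("RSA") && bArr.length > (publicKeySize() / 8) - 11) {
            throw new CertApiException(TCAErrCode.ERR_PLAIN_RUNAWAY);
        }
        try {
            Cipher cipher = Cipher.getInstance(this.cert.getPublicKey().getAlgorithm(), this._provider);
            // 1 is the encrypt mode in javax.crypto.Cipher; assumed to be the same for this
            // project's Cipher class.
            cipher.init(1, this.cert.getPublicKey());
            return cipher.doFinal(bArr);
        } catch (InvalidKeyException e) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_KEY, e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_ALG, e2);
        } catch (BadPaddingException e3) {
            throw new CertApiException(TCAErrCode.ERR_BAD_PADDING, e3);
        } catch (IllegalBlockSizeException e4) {
            throw new CertApiException(TCAErrCode.ERR_ILLEGAL_BLOCK, e4);
        } catch (NoSuchPaddingException e5) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_PADDING, e5);
        }
    }

    /**
     * Decrypts a message with the private key that belongs to this certificate.
     *
     * <p>A padding failure surfaces as {@code ERR_BAD_PADDING}, distinct from the other error
     * codes. A service that decrypts attacker-supplied ciphertext should return one generic
     * failure to the peer rather than forwarding this code.
     *
     * @param bArr ciphertext
     * @return plaintext
     * @throws CertApiException if the key is unavailable or decryption fails
     */
    public byte[] decryptRaw(byte[] bArr) throws CertApiException {
        PrivateKey priKeyByCert = keyMgr.getPriKeyByCert(this.cert);
        try {
            Cipher cipher = Cipher.getInstance(this.cert.getPublicKey().getAlgorithm(), this._provider);
            // 2 is the decrypt mode in javax.crypto.Cipher; assumed to be the same for this
            // project's Cipher class.
            cipher.init(2, priKeyByCert);
            return cipher.doFinal(bArr);
        } catch (InvalidKeyException e) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_KEY, e);
        } catch (NoSuchAlgorithmException e2) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_ALG, e2);
        } catch (BadPaddingException e3) {
            throw new CertApiException(TCAErrCode.ERR_BAD_PADDING, e3);
        } catch (IllegalBlockSizeException e4) {
            throw new CertApiException(TCAErrCode.ERR_ILLEGAL_BLOCK, e4);
        } catch (NoSuchPaddingException e5) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_PADDING, e5);
        }
    }

    /**
     * Returns the encoded certificate passed through {@code TCAUtil.encode}.
     *
     * @return the encoded certificate text
     * @throws CertApiException with {@code ERR_ENCODECERT} if the certificate cannot be encoded
     */
    public String toBase64() throws CertApiException {
        try {
            return TCAUtil.encode(this.cert.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new CertApiException(TCAErrCode.ERR_ENCODECERT, e);
        }
    }

    /**
     * Builds the signed-data structure for one signer and returns its DER encoding.
     *
     * @param bArr content to sign
     * @param str hash algorithm name
     * @param privateKey signing key
     * @param provider crypto provider handed to the signer-info generator
     * @param z when true, this certificate is added to the certificate list of the output
     * @param z2 forwarded as the last argument of {@code TCAUtil.doGenSignedData}
     * @param z3 forwarded to {@code TCAUtil.genSignerInfoGenerator}; set by the caller only for
     *     SM2 keys with the "signQ7" switch enabled
     * @return DER-encoded content info
     * @throws CertApiException if any step of generation or encoding fails
     */
    private byte[] doSign(byte[] bArr, String str, PrivateKey privateKey, Provider provider, boolean z, boolean z2, boolean z3) throws CertApiException {
        try {
            SignerInfoGenerator signerInfo = TCAUtil.genSignerInfoGenerator(this.cert, privateKey, str, z3, provider);
            List<SignerInfoGenerator> signers = new ArrayList<SignerInfoGenerator>();
            signers.add(signerInfo);
            // A null list (rather than an empty one) is what the original passed when the
            // certificate is left out.
            List<X509CertificateHolder> certs = null;
            if (z) {
                certs = new ArrayList<X509CertificateHolder>();
                certs.add(new X509CertificateHolder(this.cert.getEncoded()));
            }
            return TCAUtil.doGenSignedData(bArr, signers, certs, null, z2).getContentInfo().getEncoded("DER");
        } catch (IOException e) {
            throw new CertApiException(TCAErrCode.ERR_STREAM, e);
        } catch (OperatorCreationException e2) {
            throw new CertApiException(TCAErrCode.ERR_OPERATORCREATION, e2);
        } catch (CertificateEncodingException e3) {
            throw new CertApiException(TCAErrCode.ERR_CERT_ENCODING, e3);
        } catch (CMSException e4) {
            throw new CertApiException(TCAErrCode.ERR_GENERATE_ENVELOPDATA, e4);
        }
    }

    /**
     * Collects every URI listed in the CRL distribution points extension (OID 2.5.29.31).
     *
     * <p>Never returns {@code null}: {@link #crlUrl()} dereferences the result, and the earlier
     * {@code return null} branch would have turned into a NullPointerException there. A
     * distribution point without a name, or with an empty name list, is now skipped instead of
     * raising a NullPointerException or discarding the URIs already collected.
     *
     * @return the URIs in extension order; empty when there are none
     * @throws CertApiException with {@code ERR_STREAM} if the extension bytes cannot be read
     */
    private String[] crlUrls() throws CertApiException {
        byte[] extensionValue = this.cert.getExtensionValue("2.5.29.31");
        if (extensionValue == null) {
            return new String[0];
        }
        try {
            // getExtensionValue returns the extension wrapped in an OCTET STRING; unwrap it first.
            CRLDistPoint cRLDistPoint = CRLDistPoint.getInstance(ASN1Sequence.getInstance(new ASN1InputStream(extensionValue).readObject().getOctets()));
            if (cRLDistPoint == null) {
                return new String[0];
            }
            List<String> urls = new ArrayList<String>();
            for (DistributionPoint point : cRLDistPoint.getDistributionPoints()) {
                DistributionPointName pointName = point.getDistributionPoint();
                // The name is optional, and only type 0 (fullName) carries GeneralNames.
                if (pointName == null || pointName.getType() != 0) {
                    continue;
                }
                for (GeneralName generalName : GeneralNames.getInstance(pointName.getName()).getNames()) {
                    // Tag 6 is uniformResourceIdentifier.
                    if (generalName.getTagNo() == 6) {
                        urls.add(generalName.getName().toString());
                    }
                }
            }
            return urls.toArray(new String[urls.size()]);
        } catch (IOException e) {
            throw new CertApiException(TCAErrCode.ERR_STREAM, e);
        }
    }

    /**
     * Rejects hash algorithms that are not allowed for this certificate's key type.
     *
     * <p>Rules as written: SM3 is refused for RSA keys; SHA256 and SHA1 are refused for SM2 keys;
     * and an exact, case-sensitive match of {@code TCA.SHA256} is refused for every key type.
     * NOTE(review): the last rule is the only case-sensitive one, so a differently cased spelling
     * of the same name is not caught by it; confirm whether the SHA-256 ban is intended at all,
     * since it leaves SHA-1 as the usable RSA hash.
     *
     * @param str hash algorithm name
     * @return always {@code true} when no rule is violated
     * @throws CertApiException with {@code ERR_INVALID_ALGPARAMET} when a rule is violated
     */
    private boolean checkHashAlg(String str) throws CertApiException {
        if (str.equalsIgnoreCase(TCA.SM3) && publicKeyAlg().equals("RSA")) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_ALGPARAMET);
        }
        if ((str.equalsIgnoreCase(TCA.SHA256) || str.equalsIgnoreCase(TCA.SHA1)) && publicKeyAlg().equals(TCA.SM2)) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_ALGPARAMET);
        }
        if (str.equals(TCA.SHA256)) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_ALGPARAMET);
        }
        return true;
    }

    /**
     * Maps a symmetric algorithm name to its CMS object identifier.
     *
     * <p>{@code TCA.AES} maps to AES-128-CBC; both {@code TCA.DES} and {@code "3DES"} map to
     * triple-DES CBC, so single DES is never selected.
     *
     * @param str symmetric algorithm name, compared case-insensitively
     * @return the CMS algorithm identifier
     * @throws CertApiException with {@code ERR_INVALID_ALGPARAMET} for any other name
     */
    private ASN1ObjectIdentifier convSymmAlg(String str) throws CertApiException {
        if (str.equalsIgnoreCase(TCA.AES)) {
            return CMSAlgorithm.AES128_CBC;
        }
        if (str.equalsIgnoreCase(TCA.SM4)) {
            return CMSAlgorithm.SM4;
        }
        if (str.equalsIgnoreCase(TCA.DES) || str.equalsIgnoreCase("3DES")) {
            return CMSAlgorithm.DES_EDE3_CBC;
        }
        throw new CertApiException(TCAErrCode.ERR_INVALID_ALGPARAMET);
    }

    // Extended-key-usage OID -> display name. The map is freshly created above, so no clear() is
    // needed before filling it.
    static {
        _extendedKeyUsageMap.put(TCA.serverAuth, "serverAuth");
        _extendedKeyUsageMap.put(TCA.clientAuth, "clientAuth");
        _extendedKeyUsageMap.put(TCA.codeSigning, "codeSigning");
        _extendedKeyUsageMap.put(TCA.emailProtection, "emailProtection");
        _extendedKeyUsageMap.put(TCA.ipsecEndSystem, "ipsecEndSystem");
        _extendedKeyUsageMap.put(TCA.ipsecTunnel, "ipsecTunnel");
        _extendedKeyUsageMap.put(TCA.ipsecUser, "ipsecUser");
        _extendedKeyUsageMap.put(TCA.timeStamping, "timeStamping");
        _extendedKeyUsageMap.put(TCA.OCSPSigning, "OCSPSigning");
        _extendedKeyUsageMap.put(TCA.dvcs, "dvcs");
        _extendedKeyUsageMap.put(TCA.sbgpCertAAServerAuth, "sbgpCertAAServerAuth");
        _extendedKeyUsageMap.put(TCA.scvpResponder, "scvpResponder");
        _extendedKeyUsageMap.put(TCA.eapOverPPP, "eapOverPPP");
        _extendedKeyUsageMap.put(TCA.eapOverLAN, "eapOverLAN");
        _extendedKeyUsageMap.put(TCA.scvpServer, "scvpServer");
        _extendedKeyUsageMap.put(TCA.scvpClient, "scvpClient");
        _extendedKeyUsageMap.put(TCA.ipsecIKE, "ipsecIKE");
        _extendedKeyUsageMap.put(TCA.capwapAC, "capwapAC");
        _extendedKeyUsageMap.put(TCA.capwapWTP, "capwapWTP");
        _extendedKeyUsageMap.put(TCA.smartcardlogon, "smartcardlogon");
    }
}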
