package com.cfca.util.pki.api;

import com.cfca.util.pki.PKIException;
import com.cfca.util.pki.Parser;
import com.cfca.util.pki.cert.X509Cert;
import com.cfca.util.pki.cipher.JCrypto;
import com.cfca.util.pki.cipher.Session;
import com.cfca.util.pki.crl.X509CRL;
import com.cfca.util.pki.extension.CRLDistributionPointsExt;
import com.cfca.util.pki.pkcs.P7B;
import com.cfca.util.pki.pkcs.PKCS12;
import com.pingan.openbank.api.sdk.constant.ApiConstant;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.util.Hashtable;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/* loaded from: input_file:com/cfca/util/pki/api/CertUtil.class */
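public class CertUtil {
    /** URL scheme prefix that marks an LDAP CRL distribution point. */
    private static final String LDAP_SCHEME = "ldap://";
    /** Extension appended to the CRL name when the CRL is looked up in a local directory. */
    private static final String CRL_FILE_SUFFIX = ".crl";
    /** LDAP attribute that carries the CRL; declared binary in the JNDI environment. */
    private static final String CRL_ATTRIBUTE = "certificateRevocationList";
    /** Attribute id (with the ";binary" transfer option) read back from the LDAP search result. */
    private static final String CRL_BINARY_ATTRIBUTE = "certificateRevocationList;binary";

    /**
     * Loads a PKCS#12 container from memory and returns the certificate stored in it.
     *
     * @param bArr PKCS#12 container bytes
     * @param str  container password
     * @return the certificate held by the container
     * @throws PKIException propagated from {@link PKCS12} load/decrypt
     */
    public static X509Cert getCert(byte[] bArr, String str) throws PKIException {
        PKCS12 pkcs12 = new PKCS12();
        pkcs12.load(bArr);
        pkcs12.decrypt(str.toCharArray());
        return pkcs12.getCertificate();
    }

    /**
     * Loads a PKCS#12 container from a file path and returns the certificate stored in it.
     *
     * @param str  path of the PKCS#12 file
     * @param str2 container password
     * @return the certificate held by the container
     * @throws PKIException propagated from {@link PKCS12} load/decrypt
     */
    public static X509Cert getCert(String str, String str2) throws PKIException {
        PKCS12 pkcs12 = new PKCS12();
        pkcs12.load(str);
        pkcs12.decrypt(str2.toCharArray());
        return pkcs12.getCertificate();
    }

    /**
     * Re-encrypts a PKCS#12 container under a new password.
     *
     * @param str  path of the existing PKCS#12 file
     * @param str2 current password
     * @param str3 path the re-encrypted container is written to (passed as the file argument of
     *             {@code generatePfxFile}; may equal {@code str})
     * @param str4 new password
     * @throws PKIException propagated from {@link PKCS12}
     */
    public static void changePfxPWD(String str, String str2, String str3, String str4) throws PKIException {
        PKCS12 pkcs12 = new PKCS12();
        pkcs12.load(str);
        pkcs12.decrypt(str2.toCharArray());
        pkcs12.generatePfxFile(pkcs12.getPrivateKey(), pkcs12.getCerts(), str4.toCharArray(), str3);
    }

    /**
     * Parses an encoded certificate.
     *
     * @param bArr encoded certificate bytes
     * @return the parsed certificate
     * @throws PKIException if the bytes cannot be parsed
     */
    public static X509Cert generateCert(byte[] bArr) throws PKIException {
        return new X509Cert(bArr);
    }

    /**
     * Parses a certificate from a file. The stream is closed before returning.
     *
     * @param str path of the certificate file
     * @return the parsed certificate
     * @throws PKIException with {@code API_CERT_NOT_FOUND_ERR} if the file does not exist, or
     *                      propagated from parsing
     */
    public static X509Cert generateCert(String str) throws PKIException {
        FileInputStream in = null;
        try {
            in = new FileInputStream(str);
            return new X509Cert(in);
        } catch (FileNotFoundException e) {
            throw new PKIException(CertAppKitException.API_CERT_NOT_FOUND_ERR, "证书文件不存在 " + e.getMessage());
        } finally {
            closeQuietly(in);
        }
    }

    /**
     * Parses a PKCS#7 certificate bundle from memory.
     *
     * @param bArr encoded PKCS#7 bytes
     * @return the certificates found in the bundle
     * @throws PKIException propagated from {@link P7B}
     */
    public static X509Cert[] parseP7b(byte[] bArr) throws PKIException {
        return new P7B().parseP7b(bArr);
    }

    /**
     * Parses a PKCS#7 certificate bundle from a file path.
     *
     * @param str path of the PKCS#7 file
     * @return the certificates found in the bundle
     * @throws PKIException propagated from {@link P7B}
     */
    public static X509Cert[] parseP7b(String str) throws PKIException {
        return new P7B().parseP7b(str);
    }

    /**
     * Full check of a certificate: validity period, signature against the CA chain, then revocation.
     * Revocation is checked against a local CRL file or directory when {@code str} is given, otherwise
     * against the CRL fetched from the LDAP distribution point named in the certificate; in both
     * cases the CRL signature is verified against {@code x509CertArr}.
     *
     * @param x509Cert    certificate under examination
     * @param x509CertArr CA chain; reordered in place so that index 0 is the issuer of {@code x509Cert}
     * @param str         CRL file path, CRL directory, or {@code null} for on-line lookup
     * @param session     crypto session used for signature verification
     * @return {@code true} if the signature is valid and the certificate is not revoked
     * @throws PKIException if the certificate is expired / not yet valid, the chain is broken, or the
     *                      CRL cannot be obtained or verified
     */
    public static boolean verifyCert(X509Cert x509Cert, X509Cert[] x509CertArr, String str, Session session) throws PKIException {
        verifyCertDate(x509Cert);
        if (!verifyCertSign(x509Cert, x509CertArr, session)) {
            return false;
        }
        if (str != null) {
            return verifyCertByCRLOutLine(x509Cert, str, x509CertArr, session);
        }
        // Use the overload that also verifies the downloaded CRL's signature; the single-argument
        // verifyCertByCRLOnLine trusts whatever the LDAP server returns.
        return verifyCertByCRLOnLine(x509Cert, x509CertArr, session);
    }

    /**
     * Verifies the certificate's signature with the public key of its issuer in the chain.
     * With a single-element chain only the signature is checked (no subject/issuer name match);
     * with a longer chain {@link #verifyCertChain} first orders and validates it.
     *
     * @param x509Cert    certificate under examination
     * @param x509CertArr CA chain; reordered in place when it has more than one element
     * @param session     crypto session used for signature verification
     * @return the result of the signature verification
     * @throws PKIException with {@code API_UNLL_CERT_PATH_ERR} on an empty chain, or from chain validation
     */
    public static boolean verifyCertSign(X509Cert x509Cert, X509Cert[] x509CertArr, Session session) throws PKIException {
        if (x509CertArr.length < 1) {
            throw new PKIException(CertAppKitException.API_UNLL_CERT_PATH_ERR, CertAppKitException.API_UNLL_CERT_PATH_ERR_DES);
        }
        if (x509CertArr.length == 1) {
            return x509Cert.verify(x509CertArr[0].getPublicKey(), session);
        }
        verifyCertChain(x509CertArr, x509Cert.getIssuer(), session);
        return x509Cert.verify(x509CertArr[0].getPublicKey(), session);
    }

    /**
     * Checks the certificate's validity period via the JDK's {@code checkValidity()} (current time).
     *
     * @param x509Cert certificate under examination
     * @return {@code true} when the certificate is currently valid
     * @throws PKIException with {@code API_EXPIRED_ERR} or {@code API_CERT_NOT_YET_VALID_ERR}
     */
    public static boolean verifyCertDate(X509Cert x509Cert) throws PKIException {
        try {
            Parser.convertX509Cert(x509Cert).checkValidity();
            return true;
        } catch (CertificateExpiredException e) {
            throw new PKIException(CertAppKitException.API_EXPIRED_ERR, CertAppKitException.API_EXPIRED_ERR_DES);
        } catch (CertificateNotYetValidException e2) {
            throw new PKIException(CertAppKitException.API_CERT_NOT_YET_VALID_ERR, CertAppKitException.API_CERT_NOT_YET_VALID_ERR_DES);
        }
    }

    /**
     * Off-line revocation check against a local CRL.
     * <p>
     * If {@code str} is a file it is read as the CRL. If it is a directory the CRL is looked up at
     * {@code <dir>/<issuer O=>/<CRL distribution point CN=>.crl}; because both name components come
     * from the certificate under examination, a resolved path outside {@code dir} is rejected.
     * In both cases the CRL issuer must match the (reordered) chain and the CRL signature must verify.
     *
     * @param x509Cert    certificate under examination
     * @param str         CRL file or CRL directory
     * @param x509CertArr CA chain; reordered in place
     * @param session     crypto session used for signature verification
     * @return {@code true} if the certificate is not listed in the CRL
     * @throws PKIException {@code API_CRL_NOT_FOUND_ERR} (file mode) / {@code API_READ_CRL_FILE_ERR}
     *                      (directory mode) when the CRL cannot be read, {@code API_VERIFY_CRL_SIGN_ERR}
     *                      on a bad CRL signature, or chain errors from {@link #verifyCertChain}
     */
    public static boolean verifyCertByCRLOutLine(X509Cert x509Cert, String str, X509Cert[] x509CertArr, Session session) throws PKIException {
        File base = new File(str);
        if (!base.isDirectory()) {
            FileInputStream fileIn = null;
            try {
                fileIn = new FileInputStream(base);
                X509CRL crl = new X509CRL(fileIn);
                verifyCrlSignature(crl, x509CertArr, session);
                return !crl.isRevoke(x509Cert);
            } catch (FileNotFoundException e) {
                throw new PKIException(CertAppKitException.API_CRL_NOT_FOUND_ERR, CertAppKitException.API_CRL_NOT_FOUND_ERR_DES, e);
            } finally {
                closeQuietly(fileIn);
            }
        }
        FileInputStream dirIn = null;
        try {
            File crlFile = locateCrlInDirectory(base, str, x509Cert);
            dirIn = new FileInputStream(crlFile);
            X509CRL crl = new X509CRL(dirIn);
            verifyCrlSignature(crl, x509CertArr, session);
            // Directory mode checks by serial number, file mode by certificate; both forms are kept as found.
            return !crl.isRevoke(x509Cert.getSerialNumber());
        } catch (PKIException e) {
            // Keep the verification error code instead of masking it as a read failure.
            throw e;
        } catch (Exception e) {
            throw new PKIException(CertAppKitException.API_READ_CRL_FILE_ERR, "读CRL文件失败 " + e.getMessage(), e);
        } finally {
            closeQuietly(dirIn);
        }
    }

    /**
     * Off-line revocation check against an in-memory CRL; the CRL signature is verified against the chain.
     *
     * @param x509Cert    certificate under examination
     * @param bArr        encoded CRL
     * @param x509CertArr CA chain; reordered in place
     * @param session     crypto session used for signature verification
     * @return {@code true} if the certificate is not listed in the CRL
     * @throws PKIException {@code API_VERIFY_CRL_SIGN_ERR} on a bad CRL signature, or chain errors
     */
    public static boolean verifyCertByCRLOutLine(X509Cert x509Cert, byte[] bArr, X509Cert[] x509CertArr, Session session) throws PKIException {
        X509CRL crl = new X509CRL(bArr);
        verifyCrlSignature(crl, x509CertArr, session);
        return !crl.isRevoke(x509Cert);
    }

    /**
     * On-line revocation check: downloads the CRL from the {@code ldap://} distribution point named in
     * the certificate and consults it. <b>The CRL signature is not verified here</b>; prefer
     * {@link #verifyCertByCRLOnLine(X509Cert, X509Cert[], Session)}, which does.
     *
     * @param x509Cert certificate under examination
     * @return {@code true} if the certificate is not listed in the downloaded CRL
     * @throws PKIException {@code API_UNLL_CRL_PATH_IN_CERT_ERR} if no usable LDAP distribution point
     *                      is present, {@code API_CRL_DOWNLOAD_ERR} if the download fails or yields no CRL
     */
    public static boolean verifyCertByCRLOnLine(X509Cert x509Cert) throws PKIException {
        String[] location = splitLdapUrl(findLdapDistributionPoint(x509Cert));
        return !downloadCrl(location[0], location[1], location[2]).isRevoke(x509Cert);
    }

    /**
     * On-line revocation check that also verifies the downloaded CRL: its issuer must match the
     * (reordered) chain and its signature must verify with the chain's first certificate.
     *
     * @param x509Cert    certificate under examination
     * @param x509CertArr CA chain; reordered in place
     * @param session     crypto session used for signature verification
     * @return {@code true} if the certificate is not listed in the downloaded CRL
     * @throws PKIException as for {@link #verifyCertByCRLOnLine(X509Cert)}, plus
     *                      {@code API_VERIFY_CRL_SIGN_ERR} and chain errors
     */
    public static boolean verifyCertByCRLOnLine(X509Cert x509Cert, X509Cert[] x509CertArr, Session session) throws PKIException {
        String[] location = splitLdapUrl(findLdapDistributionPoint(x509Cert));
        X509CRL crl = downloadCrl(location[0], location[1], location[2]);
        verifyCrlSignature(crl, x509CertArr, session);
        return !crl.isRevoke(x509Cert);
    }

    /**
     * On-line revocation check against a mirror LDAP server: host and port come from the caller, the
     * search base and CRL name from the certificate's {@code ldap://} distribution point.
     * The CRL signature is not verified.
     *
     * @param str      mirror LDAP host
     * @param str2     mirror LDAP port
     * @param x509Cert certificate under examination
     * @return {@code true} if the certificate is not listed in the downloaded CRL
     * @throws PKIException {@code API_UNLL_CRL_PATH_IN_CERT_ERR} or {@code API_CRL_DOWNLOAD_ERR}
     */
    public static boolean verifyCertByCRLOnLineMirror(String str, String str2, X509Cert x509Cert) throws PKIException {
        String url = findLdapDistributionPoint(x509Cert);
        String rest = url.substring(url.indexOf(LDAP_SCHEME) + LDAP_SCHEME.length());
        // Lenient split kept from the original: a missing ':' or '/' simply does not cut anything.
        rest = rest.substring(rest.indexOf(":") + 1);
        rest = rest.substring(rest.indexOf(ApiConstant.FORWARD_SLASH) + 1);
        return !downloadCrl(str, str2, rest).isRevoke(x509Cert);
    }

    /**
     * Verifies that a CRL was issued by the chain's issuer certificate and carries a valid signature.
     *
     * @param crl     CRL to verify
     * @param chain   CA chain; reordered in place so that index 0 matches the CRL issuer
     * @param session crypto session used for signature verification
     * @throws PKIException chain errors, or {@code API_VERIFY_CRL_SIGN_ERR} if the signature is bad
     */
    private static void verifyCrlSignature(X509CRL crl, X509Cert[] chain, Session session) throws PKIException {
        verifyCertChain(chain, crl.getIssuer(), session);
        if (!crl.verify(chain[0].getPublicKey(), session)) {
            throw new PKIException(CertAppKitException.API_VERIFY_CRL_SIGN_ERR, CertAppKitException.API_VERIFY_CRL_SIGN_ERR_DES);
        }
    }

    /**
     * Resolves {@code <dir>/<issuer O=>/<CRL DP CN=>.crl} and rejects a result that canonicalises
     * outside {@code dir}: both path components originate from the certificate being checked.
     *
     * @param dir     CRL directory (already known to be a directory)
     * @param dirPath the caller's original path string, used verbatim to build the file name
     * @param cert    certificate whose issuer and first CRL distribution point name the file
     * @return the CRL file inside {@code dir}
     * @throws IOException  if a path cannot be canonicalised
     * @throws PKIException {@code API_READ_CRL_FILE_ERR} if the resolved path leaves {@code dir}
     */
    private static File locateCrlInDirectory(File dir, String dirPath, X509Cert cert) throws IOException, PKIException {
        String crlPath = dirPath + File.separator + issuerOrganisation(cert) + File.separator
                + crlNameFromDistributionPoint(cert) + CRL_FILE_SUFFIX;
        File crlFile = new File(crlPath);
        String root = dir.getCanonicalPath();
        if (!root.endsWith(File.separator)) {
            root = root + File.separator;
        }
        if (!crlFile.getCanonicalPath().startsWith(root)) {
            throw new PKIException(CertAppKitException.API_READ_CRL_FILE_ERR,
                    "读CRL文件失败 CRL path is outside the CRL directory: " + crlPath);
        }
        return crlFile;
    }

    /** CRL file name: the {@code CN=} value of the certificate's first CRL distribution point full name. */
    private static String crlNameFromDistributionPoint(X509Cert cert) {
        String name = cert.getCRLDistributionPoints().getDistributionPoint(0).getDistributionPointNameByFullName(0);
        return valueBetween(name, "CN=", ",");
    }

    /** Directory name: the {@code O=} value of the certificate's issuer DN. */
    private static String issuerOrganisation(X509Cert cert) {
        return valueBetween(cert.getIssuer(), "O=", ",");
    }

    /**
     * Returns the text after the first {@code key} up to the next {@code delimiter}; when either is
     * absent the input is returned unchanged, so a DN without the component is used as-is.
     */
    private static String valueBetween(String text, String key, String delimiter) {
        int start = text.indexOf(key);
        if (start == -1) {
            return text;
        }
        int valueStart = start + key.length();
        int end = text.indexOf(delimiter, valueStart);
        if (end == -1) {
            return text;
        }
        return text.substring(valueStart, end);
    }

    /**
     * Picks the certificate's {@code ldap://} CRL distribution point (the last one wins when several
     * are present, as in the original lookup).
     *
     * @throws PKIException {@code API_UNLL_CRL_PATH_IN_CERT_ERR} if none is present
     */
    private static String findLdapDistributionPoint(X509Cert cert) throws PKIException {
        CRLDistributionPointsExt points = cert.getCRLDistributionPoints();
        int count = points.getDistributionPointCount();
        String found = null;
        for (int i = 0; i < count; i++) {
            String name = points.getDistributionPoint(i).getDistributionPointNameByFullName(0);
            if (name.indexOf(LDAP_SCHEME) != -1) {
                found = name;
            }
        }
        if (found == null) {
            throw new PKIException(CertAppKitException.API_UNLL_CRL_PATH_IN_CERT_ERR, CertAppKitException.API_UNLL_CRL_PATH_IN_CERT_ERR_DES);
        }
        return found;
    }

    /**
     * Splits {@code ldap://host:port/path} into {host, port, path}. A URL without an explicit port or
     * path is reported as a bad distribution point instead of an index error.
     *
     * @throws PKIException {@code API_UNLL_CRL_PATH_IN_CERT_ERR} when the URL cannot be split
     */
    private static String[] splitLdapUrl(String url) throws PKIException {
        String rest = url.substring(url.indexOf(LDAP_SCHEME) + LDAP_SCHEME.length());
        int colon = rest.indexOf(":");
        int slash = colon == -1 ? -1 : rest.indexOf(ApiConstant.FORWARD_SLASH, colon + 1);
        if (colon == -1 || slash == -1) {
            throw new PKIException(CertAppKitException.API_UNLL_CRL_PATH_IN_CERT_ERR, CertAppKitException.API_UNLL_CRL_PATH_IN_CERT_ERR_DES);
        }
        return new String[] { rest.substring(0, colon), rest.substring(colon + 1, slash), rest.substring(slash + 1) };
    }

    /**
     * Splits the path part of an LDAP URL into {search base, CRL cn}: the base is everything before the
     * first {@code ?}, the cn is the first {@code =}-value up to the first {@code ,}.
     *
     * @throws PKIException {@code API_UNLL_CRL_PATH_IN_CERT_ERR} when a separator is missing
     */
    private static String[] splitCrlQuery(String ldapPath) throws PKIException {
        int question = ldapPath.indexOf("?");
        int equals = ldapPath.indexOf("=");
        int comma = ldapPath.indexOf(",");
        if (question == -1 || equals == -1 || comma == -1 || comma < equals + 1) {
            throw new PKIException(CertAppKitException.API_UNLL_CRL_PATH_IN_CERT_ERR, CertAppKitException.API_UNLL_CRL_PATH_IN_CERT_ERR_DES);
        }
        return new String[] { ldapPath.substring(0, question), ldapPath.substring(equals + 1, comma) };
    }

    /**
     * Downloads the CRL named by {@code ldapPath} from the given LDAP server.
     *
     * @return the CRL, never {@code null}
     * @throws PKIException {@code API_CRL_DOWNLOAD_ERR} on any LDAP/parse failure or when no entry
     *                      carried a CRL; {@code API_UNLL_CRL_PATH_IN_CERT_ERR} for a malformed path
     */
    private static X509CRL downloadCrl(String host, String port, String ldapPath) throws PKIException {
        String[] query = splitCrlQuery(ldapPath);
        X509CRL crl;
        try {
            crl = getCRLFromLDAP(host, port, query[0], query[1]);
        } catch (Exception e) {
            throw new PKIException(CertAppKitException.API_CRL_DOWNLOAD_ERR, CertAppKitException.API_CRL_DOWNLOAD_ERR_DES, e);
        }
        if (crl == null) {
            throw new PKIException(CertAppKitException.API_CRL_DOWNLOAD_ERR, CertAppKitException.API_CRL_DOWNLOAD_ERR_DES);
        }
        return crl;
    }

    /**
     * Fetches a CRL over LDAP: subtree search under {@code baseDn} for
     * {@code (&(objectclass=cRLDistributionPoint)(cn=<cn>))} and parse of the
     * {@code certificateRevocationList;binary} attribute. When several entries match, the last one
     * wins. The cn is bound as a JNDI filter argument so the provider escapes it; it must never be
     * concatenated into the filter string, since it is taken from the certificate being checked.
     *
     * @return the parsed CRL, or {@code null} when no entry matched
     * @throws NamingException on LDAP errors
     * @throws PKIException    if the attribute value cannot be parsed as a CRL
     */
    private static X509CRL getCRLFromLDAP(String host, String port, String baseDn, String cn) throws NamingException, PKIException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.provider.url", LDAP_SCHEME + host + ":" + port);
        env.put("java.naming.ldap.attributes.binary", CRL_ATTRIBUTE);
        InitialDirContext ctx = new InitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // No returning-attribute restriction: the entry's attributes come back as the server names
            // them and CRL_BINARY_ATTRIBUTE is read from that set.
            NamingEnumeration<SearchResult> results = ctx.search(baseDn,
                    "(&(objectclass=cRLDistributionPoint)(cn={0}))", new Object[] { cn }, controls);
            X509CRL crl = null;
            try {
                while (results != null && results.hasMore()) {
                    SearchResult entry = results.next();
                    crl = new X509CRL((byte[]) entry.getAttributes().get(CRL_BINARY_ATTRIBUTE).get(0));
                }
            } finally {
                if (results != null) {
                    results.close();
                }
            }
            return crl;
        } finally {
            ctx.close();
        }
    }

    /**
     * Orders and validates a CA chain <b>in place</b>. After the sort each certificate is followed by
     * its issuer, index 0 must have subject {@code str} (the issuer the caller expects), every
     * certificate must be signed by the next one, and the last must be self-signed and self-verifying.
     * Callers rely on the reordering: they use {@code x509CertArr[0]} as the issuer afterwards.
     * A single-element chain is only checked for the subject name.
     *
     * @param x509CertArr CA chain, reordered in place
     * @param str         expected subject of the chain's first certificate
     * @param session     crypto session used for signature verification
     * @throws PKIException {@code API_CA_CERT_CHAIN_ERR} on a name mismatch or failed root self-check,
     *                      {@code API_CA_CERT_CHAIN_SIGNVERIFY_ERR} on a failed intermediate signature
     */
    private static void verifyCertChain(X509Cert[] x509CertArr, String str, Session session) throws PKIException {
        if (x509CertArr.length == 1) {
            if (!x509CertArr[0].getSubject().equals(str)) {
                throw new PKIException(CertAppKitException.API_CA_CERT_CHAIN_ERR, CertAppKitException.API_CA_CERT_CHAIN_ERR_DES);
            }
            return;
        }
        // Bubble each certificate in front of its issuer (leaf side first, root last).
        for (int i = 0; i < x509CertArr.length; i++) {
            for (int j = x509CertArr.length - 1; j > i; j--) {
                if (x509CertArr[j].getIssuer().equals(x509CertArr[j - 1].getSubject())) {
                    X509Cert tmp = x509CertArr[j - 1];
                    x509CertArr[j - 1] = x509CertArr[j];
                    x509CertArr[j] = tmp;
                }
            }
        }
        if (!x509CertArr[0].getSubject().equals(str)) {
            throw new PKIException(CertAppKitException.API_CA_CERT_CHAIN_ERR, CertAppKitException.API_CA_CERT_CHAIN_ERR_DES);
        }
        int last = x509CertArr.length - 1;
        for (int k = 0; k < x509CertArr.length; k++) {
            if (k != last) {
                if (!x509CertArr[k].getIssuer().equals(x509CertArr[k + 1].getSubject())) {
                    throw new PKIException(CertAppKitException.API_CA_CERT_CHAIN_ERR, CertAppKitException.API_CA_CERT_CHAIN_ERR_DES);
                }
                if (!x509CertArr[k].verify(x509CertArr[k + 1].getPublicKey(), session)) {
                    throw new PKIException(CertAppKitException.API_CA_CERT_CHAIN_SIGNVERIFY_ERR, CertAppKitException.API_CA_CERT_CHAIN_SIGNVERIFY_ERR_DES);
                }
            } else {
                // Root: must be self-issued and verify under its own key.
                if (!x509CertArr[k].getSubject().equals(x509CertArr[k].getIssuer())) {
                    throw new PKIException(CertAppKitException.API_CA_CERT_CHAIN_ERR, CertAppKitException.API_CA_CERT_CHAIN_ERR_DES);
                }
                if (!x509CertArr[k].verify(x509CertArr[k].getPublicKey(), session)) {
                    throw new PKIException(CertAppKitException.API_CA_CERT_CHAIN_ERR, CertAppKitException.API_CA_CERT_CHAIN_ERR_DES);
                }
            }
        }
    }

    /** Best-effort close used in cleanup paths; a close failure must not replace the primary outcome. */
    private static void closeQuietly(FileInputStream in) {
        if (in == null) {
            return;
        }
        try {
            in.close();
        } catch (IOException ignored) {
            // cleanup only
        }
    }

    /**
     * Leftover manual test harness: initialises the software crypto provider and re-encrypts a
     * fixed PFX file in place. Paths and passwords are hard-coded; not intended for production use.
     */
    public static void main(String[] strArr) {
        try {
            JCrypto jCrypto = JCrypto.getInstance();
            jCrypto.initialize(JCrypto.JSOFT_LIB, null);
            jCrypto.openSession(JCrypto.JSOFT_LIB);
            changePfxPWD("c:/superChange.pfx", "1", "c:/superChange.pfx", "111");
        } catch (Exception e) {
            System.out.println(e);
        }
    }
}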
