package cn.topca.api.cert;

import cn.tca.TopBasicCrypto.asn1.ASN1ObjectIdentifier;
import cn.tca.TopBasicCrypto.asn1.ASN1Sequence;
import cn.tca.TopBasicCrypto.asn1.cms.AttributeTable;
import cn.tca.TopBasicCrypto.asn1.cms.CMSAttributes;
import cn.tca.TopBasicCrypto.asn1.pkcs.PKCSObjectIdentifiers;
import cn.tca.TopBasicCrypto.cert.X509CertificateHolder;
import cn.tca.TopBasicCrypto.cms.CMSException;
import cn.tca.TopBasicCrypto.cms.SignerId;
import cn.tca.TopBasicCrypto.util.Selector;
import cn.topca.core.ext.bc.asn1.cms.CMSObjectIdentifiers;
import cn.topca.core.ext.bc.cms.CMSEnvelopedData;
import cn.topca.core.ext.bc.cms.CMSSignedData;
import cn.topca.core.ext.bc.cms.RecipientInformation;
import cn.topca.core.ext.bc.cms.SignerInformation;
import cn.topca.core.ext.bc.cms.jcajce.JceKeyTransEnvelopedRecipient;
import cn.topca.security.x509.AlgorithmId;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:cn/topca/api/cert/Pkcs7.class */
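/**
 * Parsed PKCS#7 / CMS message that is either signed data or enveloped data
 * (standard or GM object identifiers).
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #verify()} and {@link #verify(byte[])} check the signature against a
 *       certificate taken from the message itself. Nothing in this class builds a chain,
 *       checks the validity period or checks revocation, so a non-null result only means
 *       "the signature matches a certificate shipped inside the message". Trust in the
 *       returned certificate must be established separately by the caller.</li>
 *   <li>Both {@code verify} methods return {@code null}, not an exception, when no
 *       signer/certificate pair verifies. Treat {@code null} as a verification failure.</li>
 *   <li>{@link #decryptMessage()} returns {@code null} when no local certificate matches
 *       any recipient of the message.</li>
 * </ul>
 */
public class Pkcs7 {
    // Set by init(); signedData for signed messages, encryptedData as the internal marker
    // for enveloped messages (decryptMessage() tests for that same value).
    private ASN1ObjectIdentifier pkcs7Type;
    private CMSEnvelopedData cmsEnvelopedData;
    private CMSSignedData cmsSignedData;
    private static final String PEM_HEADER = "-----BEGIN PKCS7-----";
    private static final String PEM_FOOTER = "-----END PKCS7-----";
    private static final LicenseMgr licMgr = LicenseMgr.getInstance();
    private static final KeyStoreMgr keyMgr = KeyStoreMgr.getInstance();

    /**
     * Parses a textual PKCS#7 message, with or without the PKCS7 armor lines.
     *
     * @param str encoded message; decoded with {@code TCAUtil.decode} after the armor lines,
     *            if present, have been stripped
     * @throws CertApiException if the message cannot be parsed or has an unsupported content type
     */
    public Pkcs7(String str) throws CertApiException {
        // Literal replace: the armor markers are fixed text, not regular expressions.
        init(TCAUtil.decode(str.contains(PEM_HEADER) ? str.replace(PEM_HEADER, "").replace(PEM_FOOTER, "") : str));
    }

    /**
     * Parses a binary PKCS#7 message.
     *
     * @param bArr encoded ContentInfo structure
     * @throws CertApiException if the message cannot be parsed or has an unsupported content type
     */
    public Pkcs7(byte[] bArr) throws CertApiException {
        init(bArr);
    }

    /**
     * Reads the content type from the outer sequence and parses the matching CMS structure.
     * Only signed data and enveloped data are supported; every other content type is rejected
     * with {@code ERR_CONTENTTYPE}.
     */
    private void init(byte[] bArr) throws CertApiException {
        ASN1ObjectIdentifier contentType;
        try {
            contentType = (ASN1ObjectIdentifier) ASN1Sequence.getInstance(bArr).getObjectAt(0);
        } catch (RuntimeException e) {
            // The input is untrusted: a truncated or malformed structure must surface as the
            // declared API exception, not as an unchecked parser exception.
            throw new CertApiException(TCAErrCode.ERR_CONTENTTYPE, e);
        }
        if (contentType.equals(CMSObjectIdentifiers.signedData) || contentType.equals(CMSObjectIdentifiers.gm_signedData)) {
            this.pkcs7Type = PKCSObjectIdentifiers.signedData;
            try {
                this.cmsSignedData = new CMSSignedData(bArr);
                return;
            } catch (CMSException e) {
                throw new CertApiException(TCAErrCode.ERR_CMS_BADSIGN, e);
            }
        }
        if (contentType.equals(CMSObjectIdentifiers.envelopedData) || contentType.equals(CMSObjectIdentifiers.gm_envelopedData)) {
            this.pkcs7Type = PKCSObjectIdentifiers.encryptedData;
            try {
                this.cmsEnvelopedData = new CMSEnvelopedData(bArr);
                return;
            } catch (CMSException e) {
                throw new CertApiException(TCAErrCode.ERR_GENERATE_ENVELOPDATA, e);
            }
        }
        // signedAndEnvelopedData, digestedData, encryptedData and anything unknown.
        throw new CertApiException(TCAErrCode.ERR_CONTENTTYPE);
    }

    /**
     * Returns the content carried inside a signed message.
     *
     * @return the encapsulated content, or {@code null} for a detached signature
     * @throws CertApiException if this message is not signed data
     */
    public byte[] contentMessage() throws CertApiException {
        if (!this.pkcs7Type.equals(PKCSObjectIdentifiers.signedData)) {
            throw new CertApiException(TCAErrCode.ERR_BAD_PKCS7TYPE);
        }
        if (this.cmsSignedData.getSignedContent() == null) {
            return null;
        }
        return (byte[]) this.cmsSignedData.getSignedContent().getContent();
    }

    /**
     * Verifies the signature over the content carried inside the message.
     *
     * @return the certificate whose key verified a signer, or {@code null} if none did; the
     *         certificate comes from the message and is not validated for trust here
     * @throws CertApiException if this is not signed data, content or certificates are missing,
     *                          or a signer's attributes or digest are invalid
     */
    public Certificate verify() throws CertApiException {
        if (this.pkcs7Type.equals(PKCSObjectIdentifiers.signedData)) {
            return doVerify(contentMessage(), doGetCerts());
        }
        throw new CertApiException(TCAErrCode.ERR_BAD_PKCS7TYPE);
    }

    /**
     * Verifies the signature over externally supplied content (detached signature).
     *
     * @param bArr the content that was signed
     * @return the certificate whose key verified a signer, or {@code null} if none did; the
     *         certificate comes from the message and is not validated for trust here
     * @throws CertApiException if this is not signed data, content or certificates are missing,
     *                          or a signer's attributes or digest are invalid
     */
    public Certificate verify(byte[] bArr) throws CertApiException {
        if (this.pkcs7Type.equals(PKCSObjectIdentifiers.signedData)) {
            return doVerify(bArr, doGetCerts());
        }
        throw new CertApiException(TCAErrCode.ERR_BAD_PKCS7TYPE);
    }

    /**
     * Decrypts an enveloped message with the first local certificate that matches a recipient
     * by serial number and issuer.
     *
     * @return the decrypted content, or {@code null} if no local certificate matches any recipient
     * @throws CertApiException if this is not enveloped data, there are no recipients or no local
     *                          certificates, the matching certificate is unlicensed, or decryption fails
     */
    public byte[] decryptMessage() throws CertApiException {
        if (!this.pkcs7Type.equals(PKCSObjectIdentifiers.encryptedData)) {
            throw new CertApiException(TCAErrCode.ERR_BAD_PKCS7TYPE);
        }
        ArrayList<?> recipients = (ArrayList<?>) this.cmsEnvelopedData.getRecipientInfos().getRecipients();
        if (recipients.isEmpty()) {
            throw new CertApiException(TCAErrCode.ERR_PKCS7_NORECIPIENT);
        }
        CertSet localCerts = CertStore.listAllCerts();
        if (localCerts.size() == 0) {
            throw new CertApiException(TCAErrCode.ERR_PKCS7_DECRYPT_NOCERT);
        }
        for (Object entry : recipients) {
            RecipientInformation recipient = (RecipientInformation) entry;
            String serialHex = Hex.encodeHexString(recipient.getRID().getSerialNumber().toByteArray()).toUpperCase();
            CertSet matches = localCerts.bySerialnumber(serialHex).byIssuer(recipient.getRID().getIssuer().toString());
            if (matches.size() != 0) {
                X509Certificate recipientCert = TCAUtil.convB64Str2Cert(matches.get(0).toBase64());
                // The licence check runs before the private key is fetched from the key store.
                if (!licMgr.certWithLicense(recipientCert)) {
                    throw new CertApiException(TCAErrCode.ERR_CERT_UNLIC);
                }
                try {
                    return recipient.getContent(new JceKeyTransEnvelopedRecipient(keyMgr.getPriKeyByCert(recipientCert)));
                } catch (CMSException e) {
                    throw new CertApiException(TCAErrCode.ERR_DEC_PKCS7, e);
                }
            }
        }
        return null;
    }

    /**
     * Returns every certificate embedded in a signed message.
     *
     * @return the embedded certificates, in the order the message stores them
     * @throws CertApiException if this is not signed data or a certificate cannot be encoded
     */
    public CertSet getCerts() throws CertApiException {
        if (!this.pkcs7Type.equals(PKCSObjectIdentifiers.signedData)) {
            throw new CertApiException(TCAErrCode.ERR_BAD_PKCS7TYPE);
        }
        ArrayList<?> holders = doGetCerts();
        Certificate[] certs = new Certificate[holders.size()];
        for (int i = 0; i < holders.size(); i++) {
            try {
                // Index with i: reading element 0 every time filled the set with copies of
                // the first certificate.
                certs[i] = new Certificate(((X509CertificateHolder) holders.get(i)).getEncoded());
            } catch (IOException e) {
                throw new CertApiException(TCAErrCode.ERR_CONV_CERT, e);
            }
        }
        return new CertSet(certs);
    }

    /**
     * Pairs each signer with the embedded certificate its signer id selects and checks the
     * signature with that certificate's public key.
     *
     * @param content     the signed content
     * @param certHolders certificates embedded in the message
     * @return the certificate of the first signer whose signature verifies (remaining signers
     *         are not checked), or {@code null} if no pair verifies
     */
    private Certificate doVerify(byte[] content, ArrayList<?> certHolders) throws CertApiException {
        if (content == null) {
            throw new CertApiException(TCAErrCode.ERR_PKCS7_VERIFY_NOPLAIN);
        }
        if (certHolders == null || certHolders.isEmpty()) {
            throw new CertApiException(TCAErrCode.ERR_PKCS7_VERIFY_NOCERT);
        }
        ArrayList<?> signers = (ArrayList<?>) this.cmsSignedData.getSignerInfos().getSigners();
        if (signers.isEmpty()) {
            throw new CertApiException(TCAErrCode.ERR_PKCS7_NOSIGNER);
        }
        // Walk every signer and every certificate. Always reading element 0 meant a message
        // whose signing certificate was not stored first could never verify.
        for (Object signerEntry : signers) {
            SignerInformation signer = (SignerInformation) signerEntry;
            SignerId sid = signer.getSID();
            for (Object certEntry : certHolders) {
                X509CertificateHolder holder = (X509CertificateHolder) certEntry;
                if (sid.match(holder)) {
                    try {
                        X509Certificate signerCert = TCAUtil.convBin2Cert(holder.getEncoded());
                        if (verifySignerInfo(content, signer, signerCert.getPublicKey())) {
                            return new Certificate(signerCert.getEncoded());
                        }
                    } catch (IOException e) {
                        throw new CertApiException(TCAErrCode.ERR_STREAM, e);
                    } catch (CertificateEncodingException e) {
                        throw new CertApiException(TCAErrCode.ERR_ENCODECERT, e);
                    }
                }
            }
        }
        return null;
    }

    /**
     * Checks one signer's signature over the content or, when signed attributes are present,
     * over the encoded attributes after confirming their message digest matches the content.
     *
     * @return {@code true} if the signature value verifies under {@code publicKey}
     * @throws CertApiException for an unsupported digest, malformed signed attributes, a digest
     *                          mismatch, or a key/algorithm/signature processing error
     */
    private boolean verifySignerInfo(byte[] bArr, SignerInformation signerInformation, PublicKey publicKey) throws CertApiException {
        // Any key that is not SM2 is handled as RSA.
        String keyAlg = publicKey.getAlgorithm().equalsIgnoreCase(TCA.SM2) ? TCA.SM2 : "RSA";
        String digestAlg = digestNameFor(signerInformation);
        String sigAlg = digestAlg + "With" + keyAlg;
        try {
            Signature signature = keyAlg.equalsIgnoreCase(TCA.SM2) ? Signature.getInstance(sigAlg, TCAUtil.getSm2Provider()) : Signature.getInstance(sigAlg, TCAUtil.getBcProvider());
            signature.initVerify(publicKey);
            byte[] signedBytes = bArr;
            AttributeTable signedAttributes = signerInformation.getSignedAttributes();
            if (signedAttributes != null) {
                // Exactly three attributes are accepted: contentType, signingTime, messageDigest.
                // NOTE(review): only their presence is checked; the contentType value is not
                // compared with the encapsulated content type and signingTime is not evaluated.
                if (signedAttributes.size() != 3) {
                    throw new CertApiException(TCAErrCode.ERR_PKCS7_ATTR_ERR);
                }
                if (signedAttributes.get(CMSAttributes.contentType) == null) {
                    throw new CertApiException(TCAErrCode.ERR_PKCS7_NOFOUND_CT);
                }
                if (signedAttributes.get(CMSAttributes.signingTime) == null) {
                    throw new CertApiException(TCAErrCode.ERR_PKCS7_NOFOUND_ST);
                }
                if (signedAttributes.get(CMSAttributes.messageDigest) == null) {
                    throw new CertApiException(TCAErrCode.ERR_PKCS7_NOFOUND_MD);
                }
                byte[] claimedDigest = signedAttributes.get(CMSAttributes.messageDigest).getAttrValues().getObjectAt(0).getOctets();
                // The signature covers the attributes, not the content, so the content is
                // bound to the signature only through this digest comparison.
                if (!Arrays.equals(claimedDigest, computeDigest(digestAlg, bArr))) {
                    throw new CertApiException(TCAErrCode.ERR_PKCS7_MD_VERIFY);
                }
                try {
                    signedBytes = signerInformation.getEncodedSignedAttributes();
                } catch (IOException e) {
                    throw new CertApiException(TCAErrCode.ERR_STREAM, e);
                }
            }
            try {
                signature.update(signedBytes);
                return signature.verify(signerInformation.getSignature());
            } catch (SignatureException e) {
                throw new CertApiException(TCAErrCode.ERR_PKCS7_VERIFY_FAILD, e);
            }
        } catch (InvalidKeyException e) {
            throw new CertApiException(TCAErrCode.ERR_INVALID_KEY, e);
        } catch (NoSuchAlgorithmException e) {
            throw new CertApiException(TCAErrCode.ERR_UNKNOWN_ALG, e);
        }
    }

    /**
     * Maps the signer's digest algorithm OID to the digest name used in this API.
     * SM3, SHA-1 and SHA-256 are accepted; anything else is rejected.
     */
    private String digestNameFor(SignerInformation signerInformation) throws CertApiException {
        if (signerInformation.getDigestAlgOID().equals(AlgorithmId.SM3_oid.toString())) {
            return TCA.SM3;
        }
        // NOTE(review): SHA-1 is still accepted for verification although it is no longer
        // collision resistant; deployments that can should reject it at a higher layer.
        if (signerInformation.getDigestAlgOID().equals(AlgorithmId.SHA_oid.toString())) {
            return TCA.SHA1;
        }
        if (signerInformation.getDigestAlgOID().equals(AlgorithmId.SHA256_oid.toString())) {
            return TCA.SHA256;
        }
        throw new CertApiException(TCAErrCode.ERR_INVALID_ALGPARAMET);
    }

    /** Hashes {@code data} with the digest named by {@code digestAlg} (SM3, SHA-1 or SHA-256). */
    private byte[] computeDigest(String digestAlg, byte[] data) throws CertApiException {
        if (digestAlg.equalsIgnoreCase(TCA.SM3)) {
            return TCAUtil.SM3(data);
        }
        if (digestAlg.equalsIgnoreCase(TCA.SHA1)) {
            return TCAUtil.SHA1(data);
        }
        if (digestAlg.equalsIgnoreCase(TCA.SHA256)) {
            return TCAUtil.SHA256(data);
        }
        throw new CertApiException(TCAErrCode.ERR_INVALID_ALGPARAMET);
    }

    /** Returns every certificate holder embedded in the signed message (null selector matches all). */
    private ArrayList<?> doGetCerts() {
        return (ArrayList<?>) this.cmsSignedData.getCertificates().getMatches((Selector) null);
    }
}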
