package cfca.sadk.ofd.base.seal;

import cfca.org.slf4j.Logger;
import cfca.org.slf4j.LoggerFactory;
import cfca.sadk.algorithm.common.Mechanism;
import cfca.sadk.algorithm.sm2.SM2PublicKey;
import cfca.sadk.lib.crypto.bcsoft.BCSoftLib;
import cfca.sadk.ofd.base.asn1.SES_Signature;
import cfca.sadk.ofd.base.asn1.SESeal;
import cfca.sadk.ofd.base.asn1.TBS_Sign;
import cfca.sadk.ofd.base.common.CFCATSAClient;
import cfca.sadk.ofd.base.common.CertVerifyUtil;
import cfca.sadk.ofd.base.common.DateFormatUtil;
import cfca.sadk.ofd.base.common.DateUtil;
import cfca.sadk.ofd.base.common.FileHashUtil;
import cfca.sadk.ofd.base.common.MechanismUtil;
import cfca.sadk.ofd.base.common.ParamCheckUtil;
import cfca.sadk.ofd.base.common.StringUtil;
import cfca.sadk.ofd.base.config.SignInfoConfig;
import cfca.sadk.ofd.base.exception.SealException;
import cfca.sadk.ofd.base.ofd.OFDConstants;
import cfca.sadk.ofd.base.util.SignResultInfo;
import cfca.sadk.ofd.util.SysEnv;
import cfca.sadk.org.bouncycastle.asn1.ASN1GeneralizedTime;
import cfca.sadk.org.bouncycastle.asn1.ASN1Integer;
import cfca.sadk.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import cfca.sadk.org.bouncycastle.asn1.ASN1OctetString;
import cfca.sadk.org.bouncycastle.asn1.ASN1UTCTime;
import cfca.sadk.org.bouncycastle.asn1.DERBitString;
import cfca.sadk.org.bouncycastle.asn1.DERIA5String;
import cfca.sadk.org.bouncycastle.asn1.DEROctetString;
import cfca.sadk.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import cfca.sadk.org.bouncycastle.util.encoders.Base64;
import cfca.sadk.util.Signature;
import cfca.sadk.x509.certificate.X509Cert;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

/* loaded from: input_file:cfca/sadk/ofd/base/seal/OFDSignatureUtil.class */
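/**
 * Builds and verifies the ASN.1 electronic-seal signature structure ({@link SES_Signature})
 * that is attached to an OFD document.
 *
 * <p>Review notes that apply to the whole class (all derived from the code below):
 * <ul>
 *   <li>The signer certificate used by {@link #verify} is the one embedded in the signature
 *       blob. It is only checked against trust anchors, CRLs and key usage when the caller
 *       sets the corresponding bits in the verification flags.</li>
 *   <li>The sign time used for revocation and validity checks is read from the signed
 *       structure itself. Only the time is extracted from any timestamp token here; whether
 *       {@code CFCATSAClient.parseTime} validates the token is not visible in this file.</li>
 *   <li>Timestamp-authority failures during signing are logged and signing continues.</li>
 * </ul>
 */
public class OFDSignatureUtil {
    private static final Logger businessLog = LoggerFactory.getLogger(OFDSignatureUtil.class);

    /**
     * Assembles the to-be-signed structure for a document hash, signs it (unless the
     * configuration is asynchronous) and returns the encoded seal signature.
     *
     * @param bArr hash of the protected document data; must not be null
     * @param str property info string stored alongside the hash; must not be empty
     * @param sESeal the electronic seal to embed; must not be null
     * @param date sign time supplied by the caller; replaced by the timestamp-authority time
     *     when {@code SysEnv.isSignTimeUseTST()} is set and a token could be obtained
     * @param signInfoConfig signing configuration (certificate, algorithm, signer, optional
     *     TSA client, specification, async flag); must not be null
     * @return a two-element list: index 0 is the encoded {@link SES_Signature}, index 1 is the
     *     hash of the encoded {@link TBS_Sign} that was (or, in async mode, still has to be)
     *     signed
     * @throws IllegalArgumentException if a required argument or configuration value is missing
     * @throws SealException if signing fails, or if the sign time is later than the time in the
     *     timestamp token obtained for the signature value
     */
    public static List<byte[]> sign(byte[] bArr, String str, SESeal sESeal, Date date, SignInfoConfig signInfoConfig) throws SealException {
        long startMillis = System.currentTimeMillis();
        businessLog.info("package ofd signature start...");
        List<byte[]> output = new ArrayList<byte[]>();
        if (null == bArr) {
            throw new IllegalArgumentException("sourceHash is null");
        }
        if (StringUtil.isEmpty(str)) {
            throw new IllegalArgumentException("sourceProperty is null");
        }
        if (null == sESeal) {
            throw new IllegalArgumentException("eseal is null");
        }
        // Reject a missing configuration the same way as the other arguments instead of
        // failing with a bare NullPointerException on the first getter call.
        if (null == signInfoConfig) {
            throw new IllegalArgumentException("signInfoConfig is null");
        }
        X509Cert signCert = signInfoConfig.getSignCert();
        if (null == signCert) {
            throw new IllegalArgumentException("signCert is null");
        }
        Mechanism signAlg = signInfoConfig.getSignAlg();
        try {
            // Kept outside the inner try so this stays an IllegalArgumentException and is not
            // wrapped into a SealException.
            if (null == signAlg) {
                throw new IllegalArgumentException("signAlg is null");
            }
            try {
                ASN1Integer gbVersion = new ASN1Integer(OFDConstants.GBVersion);
                DERBitString dataHash = new DERBitString(bArr);
                DERIA5String propertyInfo = new DERIA5String(str);
                DEROctetString certOctets = new DEROctetString(signCert.getEncoding());
                ASN1ObjectIdentifier signatureAlgOid = new ASN1ObjectIdentifier(Mechanism.getAlgorithmIdentifier(signAlg.getMechanismType()).getAlgorithm().getId());

                if (SysEnv.isSignTimeUseTST()) {
                    CFCATSAClient signTimeTsa = signInfoConfig.getTsaClient();
                    if (signTimeTsa != null) {
                        try {
                            date = CFCATSAClient.parseTime(signTimeTsa.getGM20520Token(bArr));
                            businessLog.info("use timestamp time for sign time.");
                        } catch (Exception e) {
                            // NOTE(review): best-effort. On failure the caller-supplied date is
                            // used even though timestamp time was requested; confirm that this
                            // silent fallback is acceptable for the deployment.
                            businessLog.error("getTimeStamp failed", e);
                        }
                    }
                }

                int specification = signInfoConfig.getSpecification();
                boolean gbLayout = specification == 4 || specification == 3 || (specification == -1 && (SysEnv.isGBType() || SysEnv.isForTax()));
                TBS_Sign tbsSign;
                if (gbLayout) {
                    // GB layout: the sign time is encoded as a GeneralizedTime.
                    tbsSign = new TBS_Sign(gbVersion, sESeal, new ASN1GeneralizedTime(date), dataHash, propertyInfo, (ASN1OctetString) certOctets, signatureAlgOid);
                } else {
                    ASN1Integer version = new ASN1Integer(OFDConstants.GMVersion);
                    if (specification == 2 || SysEnv.isAnKeType()) {
                        version = new ASN1Integer(OFDConstants.ANKEVersion);
                    }
                    // Time field is a bit string: the UTC time by default, replaced by a TSA
                    // token when a TSA client is configured and the request succeeds.
                    DERBitString timeInfo = new DERBitString(DateUtil.getUTCTime(date));
                    CFCATSAClient timeInfoTsa = signInfoConfig.getTsaClient();
                    if (timeInfoTsa != null) {
                        try {
                            timeInfo = new DERBitString(timeInfoTsa.getGM20520Token(bArr));
                        } catch (Exception e) {
                            // Best-effort: keeps the locally derived UTC time on failure.
                            businessLog.error("getTimeStamp failed", e);
                        }
                    }
                    tbsSign = new TBS_Sign(version, sESeal, timeInfo, dataHash, propertyInfo, (ASN1OctetString) certOctets, signatureAlgOid);
                }

                byte[] tbsEncoded = tbsSign.getEncoded();
                SM2PublicKey sm2PublicKey = null;
                if (signCert.isSM2Cert()) {
                    sm2PublicKey = (SM2PublicKey) signCert.getPublicKey();
                }
                byte[] tbsHash = FileHashUtil.calculateHash(tbsEncoded, signAlg, sm2PublicKey);

                // In async mode no signer is called; the signature field carries these
                // placeholder bytes (presumably replaced once the caller has signed tbsHash).
                byte[] signatureValue = OFDConstants.emptyDataHash.getBytes("UTF-8");
                DERBitString signatureTimestamp = null;
                byte[] signatureTimestampToken = null;
                if (!signInfoConfig.isAsyn()) {
                    SignResultInfo signResult = signInfoConfig.getSigner().p1Sign(signInfoConfig, tbsHash);
                    if (!signResult.isSignResult()) {
                        throw new SealException("p1Sign failed", signResult.getFailReason());
                    }
                    signatureValue = signResult.getSignData();
                    if (gbLayout || SysEnv.isGBType()) {
                        CFCATSAClient signatureTsa = signInfoConfig.getTsaClient();
                        if (signatureTsa != null) {
                            try {
                                signatureTimestampToken = signatureTsa.getGM20520Token(signatureValue);
                                signatureTimestamp = new DERBitString(signatureTimestampToken);
                            } catch (Exception e) {
                                // Best-effort: the signature is emitted without a timestamp
                                // when the TSA request fails.
                                businessLog.error("getTimeStamp failed", e);
                            }
                        }
                    }
                }

                // NOTE(review): checkSignTime is true when the sign time is later than the TSA
                // time, while the message states the opposite order; confirm the wording.
                if (checkSignTime(signatureTimestampToken, date)) {
                    throw new SealException("TSA time is after local time!");
                }
                SES_Signature sesSignature = new SES_Signature(tbsSign, certOctets, signatureAlgOid, new DERBitString(signatureValue), signatureTimestamp);
                sesSignature.setGBType(gbLayout);
                output.add(sesSignature.getEncoded());
                output.add(tbsHash);
                return output;
            } catch (SealException e) {
                businessLog.error("package ofd signature failed:", e);
                throw e;
            } catch (Exception e) {
                businessLog.error("package ofd signature failed:", e);
                throw new SealException("package ofd signature failed:", e);
            }
        } finally {
            businessLog.info("package ofd signature end...cost= " + (System.currentTimeMillis() - startMillis) + " ms");
        }
    }

    /**
     * Verifies an encoded seal signature against the document data it is supposed to protect.
     *
     * <p>Checks run in this order: timestamp/sign-time ordering, certificate trust (flag bit 2),
     * revocation at sign time (flag bit 4), digitalSignature key usage (flag bit 8), certificate
     * validity and seal checks (both receive the flags), signature over the encoded
     * {@link TBS_Sign}, and finally the document hash.
     *
     * <p>With bit 2 unset, this method does not call {@code CertVerifyUtil.verifyCertSign}, so a
     * successful result then only shows that the signature matches the certificate embedded in
     * the blob (subject to whatever {@code SealCheckUtil.checkSeal} enforces, which is not
     * visible here). Callers that need signer authenticity should set bit 2.
     *
     * @param bArr document data whose hash is compared with the signed data hash
     * @param bArr2 encoded {@link SES_Signature}
     * @param i bit flags selecting optional certificate checks (2, 4 and 8 are read here)
     * @return the verification result; on failure it carries a fail reason and a fail type
     *     (9, 3, 4, 5, 2 or 6 as set below)
     * @throws Exception a {@link SealException} when parsing or a delegated check throws, or when
     *     a check fails and {@code SysEnv.isVerifyFailedThrowException()} is set
     */
    public static SealVerifyResult verify(byte[] bArr, byte[] bArr2, int i) throws Exception {
        long startMillis = System.currentTimeMillis();
        businessLog.info("verify ofd signature start...");
        try {
            try {
                SealVerifyResult result = new SealVerifyResult();
                SES_Signature sesSignature = SES_Signature.getInstance(bArr2);
                TBS_Sign toSign = sesSignature.getToSign();
                // The certificate comes from the signature blob itself, i.e. from the signer.
                X509Cert signCert = new X509Cert(sesSignature.getCert().getOctets());
                ASN1ObjectIdentifier signatureAlgorithm = sesSignature.getSignatureAlgorithm();
                SESeal eseal = toSign.getEseal();
                byte[] timeInfoData = toSign.getTimeInfoData();

                // The sign time is taken from the signed structure. A value longer than 50
                // bytes is treated as a timestamp token (length heuristic); otherwise it is
                // parsed as GeneralizedTime or UTCTime depending on the time-info type.
                // NOTE(review): only the time is extracted from the token at this point;
                // confirm whether CFCATSAClient.parseTime validates the token, because this
                // time drives the revocation and validity checks below.
                Date signTime;
                try {
                    if (timeInfoData.length > 50) {
                        signTime = CFCATSAClient.parseTime(timeInfoData);
                    } else if (toSign.getTimeInfoType() == 2) {
                        signTime = ASN1GeneralizedTime.getInstance(timeInfoData).getDate();
                    } else {
                        signTime = new ASN1UTCTime(new String(timeInfoData, "UTF-8")).getDate();
                    }
                } catch (Exception e) {
                    // Last resort: hand the raw text to the project's date parser.
                    signTime = new DateFormatUtil().getSignTimeString(new String(timeInfoData, "UTF-8"));
                }

                // NOTE(review): only the ordering of the two times is compared; no check that
                // the timestamp token covers this signature value is visible in this method.
                // The message wording is the reverse of the condition checkSignTime tests.
                if (sesSignature.getTimestamp() != null && checkSignTime(sesSignature.getTimestamp().getBytes(), signTime)) {
                    return failWith(result, "TSA time is after sign time!", 9);
                }
                result.setSignTime(signTime);
                businessLog.info("signTime is:" + new DateFormatUtil().getDateString(signTime));

                if ((i & 2) == 2 && !CertVerifyUtil.verifyCertSign(signCert)) {
                    return failWith(result, "signCert is not trusted!", 3);
                }
                if ((i & 4) == 4 && CertVerifyUtil.verifyByCRL(signCert, signTime)) {
                    return failWith(result, "signCert is revoked at " + new DateFormatUtil().getDateString(signTime), 4);
                }
                if ((i & 8) == 8) {
                    boolean[] keyUsage = CertVerifyUtil.getCertKeyUsage(signCert);
                    // Index 0 is the digitalSignature bit, as the failure message states.
                    if (null == keyUsage || !keyUsage[0]) {
                        return failWith(result, "signCert's keyUsage not contain digitalSignature! " + Arrays.toString(keyUsage), 5);
                    }
                }
                ParamCheckUtil.checkCertValidity(signTime, signCert, i);
                SealCheckUtil.checkSeal(eseal, signCert, signTime, i);

                boolean signatureValid = new Signature().p1VerifyMessage(Mechanism.getSignatureAlgName(new AlgorithmIdentifier(signatureAlgorithm)), toSign.getEncoded(), sesSignature.getSignature().getBytes(), signCert.getPublicKey(), BCSoftLib.INSTANCE());
                if (!signatureValid) {
                    return failWith(result, "signature verify failed!", 2);
                }

                // Compare the recomputed document hash with the signed one: first without a
                // public key, then, for SM2 certificates, with the signer's public key.
                Mechanism signMechanism = MechanismUtil.getSignMechanism(signatureAlgorithm);
                byte[] computedHash = FileHashUtil.calculateHash(bArr, signMechanism, null);
                byte[] signedHash = toSign.getDataHash().getBytes();
                if (!Arrays.equals(computedHash, signedHash)) {
                    boolean matchedWithKey = false;
                    if (signCert.isSM2Cert()) {
                        computedHash = FileHashUtil.calculateHash(bArr, signMechanism, signCert.getPublicKey());
                        matchedWithKey = Arrays.equals(computedHash, signedHash);
                    }
                    if (!matchedWithKey) {
                        businessLog.error("orignHash=" + Base64.toBase64String(signedHash));
                        businessLog.error("input sourceHash=" + Base64.toBase64String(computedHash));
                        return failWith(result, "origin hash is not equals!", 6);
                    }
                }
                result.setVerifyResult(true);
                return result;
            } finally {
                // Runs before the outer catch blocks, so the timing line precedes the error line.
                businessLog.info("verify ofd signature end...cost= " + (System.currentTimeMillis() - startMillis) + " ms");
            }
        } catch (SealException e) {
            businessLog.error("verify ofd signature failed:", e);
            throw e;
        } catch (Exception e) {
            businessLog.error("verify ofd signature failed:", e);
            throw new SealException("verify ofd signature failed:", e);
        }
    }

    /**
     * Records a verification failure on the result and applies the throw-on-failure policy.
     *
     * @return the same result instance, for use in a {@code return} statement
     * @throws SealException if {@link #checkResult} decides the failure must be thrown
     */
    private static SealVerifyResult failWith(SealVerifyResult result, String reason, int failType) throws SealException {
        result.setFailReason(reason);
        result.setFailType(failType);
        checkResult(result);
        return result;
    }

    /**
     * Throws the recorded fail reason when the result is a failure and
     * {@code SysEnv.isVerifyFailedThrowException()} is enabled; otherwise does nothing.
     */
    private static void checkResult(SealVerifyResult sealVerifyResult) throws SealException {
        if (!sealVerifyResult.getVerifyResult() && SysEnv.isVerifyFailedThrowException()) {
            throw new SealException(sealVerifyResult.getFailReason());
        }
    }

    /**
     * Compares a sign time with the time carried in a timestamp token.
     *
     * @param bArr timestamp token bytes, or null when there is no token
     * @param date the sign time to compare
     * @return true when {@code date} is strictly later than the token time (logged as an
     *     error); false otherwise, including when {@code bArr} is null
     */
    private static boolean checkSignTime(byte[] bArr, Date date) throws IOException, SealException {
        if (bArr == null) {
            return false;
        }
        Date tsaTime = CFCATSAClient.parseTime(bArr);
        if (date.after(tsaTime)) {
            businessLog.error("signTime is " + date + ", TSATime is " + tsaTime);
            return true;
        }
        return false;
    }
}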
