package nbcb.cfca.sadk.x509.certificate;

import java.security.PublicKey;
import java.util.Date;
import java.util.Hashtable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import nbcb.cfca.sadk.algorithm.common.CertKitException;
import nbcb.cfca.sadk.algorithm.common.PKIException;
import nbcb.cfca.sadk.org.bouncycastle.asn1.x509.CRLDistPoint;
import nbcb.cfca.sadk.org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import nbcb.cfca.sadk.org.bouncycastle.util.encoders.Hex;
import nbcb.cfca.sadk.system.SADKDebugger;
import nbcb.cfca.sadk.system.logging.LoggerManager;
import org.fusesource.jansi.AnsiRenderer;

/* loaded from: input_file:sdklib/nbcb-SADK-3.7.1.0.jar:nbcb/cfca/sadk/x509/certificate/X509CertVerifier.class */
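/**
 * Static helpers for checking a certificate against a process-wide set of trust anchors
 * and against a CRL (loaded from a local file or fetched from the LDAP distribution point
 * named in the certificate).
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #validateCertSign(X509Cert)} checks the signature only. Validity period,
 *       revocation, key usage / basic constraints and chain building are separate steps
 *       ({@link #verifyCertDate}, {@link #verifyCertByLDAP}, {@link #verifyCertByCRLOutLine}).</li>
 *   <li>{@link #verifyCertByLDAP(X509Cert)} connects to whatever {@code ldap://host:port}
 *       the certificate's CRL distribution point names, over plain LDAP with no credentials
 *       configured, and uses the returned CRL without verifying its signature in this class
 *       (whether {@code X509CRL} verifies it is not visible here — confirm before relying on
 *       a "not revoked" answer across an untrusted network).</li>
 *   <li>The trust-anchor map is shared by the whole JVM; a later anchor with the same subject
 *       DN or SubjectKeyIdentifier silently replaces an earlier one.</li>
 * </ul>
 */
public final class X509CertVerifier {
    /**
     * Registered trust anchors, keyed by subject DN and (when the certificate carries a
     * SubjectKeyIdentifier) by the hex form of that identifier. Values are the anchors'
     * public keys. Concurrent map: registration and lookup may run on different threads.
     */
    private static final Map<String, PublicKey> validTrustCerts = new ConcurrentHashMap<>();

    /** Registration fails once the map has grown past this many entries. */
    private static final int maxTrustCerts = 20000;

    /** id-ecPublicKey; one of the two public-key OIDs accepted for trust anchors. */
    private static final String OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1";

    /** rsaEncryption; one of the two public-key OIDs accepted for trust anchors. */
    private static final String OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1";

    private static final String LDAP_SCHEME = "ldap://";

    /** LDAP attribute read from a cRLDistributionPoint entry; its first value is the CRL bytes. */
    private static final String CRL_ATTRIBUTE = "certificateRevocationList;binary";

    /**
     * Loads the certificate at {@code str} and registers it as a trust anchor.
     *
     * @param str path of the trust certificate, passed straight to {@code new X509Cert(String)}
     * @throws PKIException if the file cannot be read/decoded (the cause is attached), or if
     *         registration itself fails (e.g. the anchor cap was hit); in the latter case the
     *         original PKIException is rethrown unchanged rather than relabelled as bad content
     */
    public static void updateTrustCertsMap(String str) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMap[trustCertPath]>>>>>>Running: trustCert=" + validTrustCerts.size() + ", trustCerPath=" + str);
        }
        try {
            updateTrustCertsMap(new X509Cert(str));
        } catch (PKIException e) {
            LoggerManager.exceptionLogger.error("updateTrustCertsMap[trustCertPath]<<<<<<Failure: trustCertPath=" + str, (Throwable) e);
            throw e;
        } catch (Exception e) {
            // Keep the cause: the previous version threw a bare message and lost it.
            LoggerManager.exceptionLogger.error("updateTrustCertsMap[trustCertPath]<<<<<<Failure: trustCertPath=" + str, e);
            throw new PKIException("updateTrustCertsMap Failure with invalid content trustCertPath=" + str, e);
        } finally {
            if (debugEnabled()) {
                LoggerManager.debugLogger.debug("updateTrustCertsMap[trustCertPath]<<<<<<Finished: trustCert=" + validTrustCerts.size());
            }
        }
    }

    /**
     * Registers every certificate of {@code x509CertArr} as a trust anchor, in order.
     * A {@code null} array is a no-op; {@code null} elements are skipped.
     *
     * @throws PKIException from the first element whose registration fails; later elements
     *         are not processed
     */
    public static void updateTrustCertsMap(X509Cert[] x509CertArr) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMap[X509Certs]>>>>>>Running: trustCert=" + validTrustCerts.size());
        }
        if (x509CertArr != null) {
            for (X509Cert cert : x509CertArr) {
                updateTrustCertsMap(cert);
            }
        }
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMap[X509Certs]<<<<<<Finished: trustCert=" + validTrustCerts.size());
        }
    }

    /**
     * Registers {@code x509Cert} as a trust anchor under its subject DN and, if present, its
     * SubjectKeyIdentifier. Certificates whose public-key algorithm is neither EC nor RSA
     * are NOT installed; that case is now logged instead of being dropped silently, because
     * a missing anchor later surfaces only as "can not get the user issuer's cert".
     *
     * @param x509Cert anchor to add; {@code null} is a no-op
     * @throws PKIException if the anchor cap has been exceeded
     */
    public static void updateTrustCertsMap(X509Cert x509Cert) throws PKIException {
        if (debugEnabled()) {
            // The previous version assembled this dump in a StringBuffer and never logged it.
            LoggerManager.debugLogger.debug("updateTrustCertsMap[X509Cert]>>>>>>Running: trustCert=" + validTrustCerts.size() + SADKDebugger.dump(x509Cert));
        }
        if (x509Cert != null) {
            if (isValidAlgorithm(x509Cert)) {
                updateTrustCertsMapBySubjectName(x509Cert);
                updateTrustCertsMapByKeyIdentifier(x509Cert);
            } else {
                LoggerManager.exceptionLogger.error("updateTrustCertsMap[X509Cert]<<<<<<Ignored: unsupported public key algorithm, trust anchor not installed: " + SADKDebugger.dump(x509Cert));
            }
        }
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMap[X509Cert]<<<<<<Finished: trustCerts=" + validTrustCerts.size());
        }
    }

    /** Removes every registered trust anchor. Subsequent {@link #validateCertSign} calls fail until anchors are re-added. */
    public static void clearTrustCertsMap() {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("clearTrustCertsMap>>>>>>Running: trustCerts=" + validTrustCerts.size());
        }
        validTrustCerts.clear();
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("clearTrustCertsMap<<<<<<Finished: trustCerts=" + validTrustCerts.size());
        }
    }

    /**
     * Verifies the signature on {@code x509Cert} with the public key of the registered trust
     * anchor selected by {@link #findTrustPublicKey(X509Cert)} (AuthorityKeyIdentifier first,
     * issuer DN as fallback).
     *
     * <p>This is a signature check only: no validity-period, revocation, key-usage or
     * path-length checks are performed here.
     *
     * @return the result of {@code x509Cert.verify(anchorKey)}
     * @throws PKIException if {@code x509Cert} is {@code null}, if no anchor matches the
     *         certificate's issuer, or if verification itself throws
     */
    public static boolean validateCertSign(X509Cert x509Cert) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("validateCertSign>>>>>>Running: cert=" + x509Cert);
        }
        try {
            if (x509Cert == null) {
                throw new PKIException("validateCertSign Failure: null not allowed for parameter@cert");
            }
            PublicKey issuerKey = findTrustPublicKey(x509Cert);
            if (issuerKey == null) {
                throw new PKIException("validateCertSign Failure: can not get the user issuer's cert");
            }
            boolean signatureOk = x509Cert.verify(issuerKey);
            if (debugEnabled()) {
                LoggerManager.debugLogger.debug("validateCertSign<<<<<<Finished: verifyResult=" + signatureOk);
            }
            return signatureOk;
        } catch (PKIException e) {
            LoggerManager.exceptionLogger.error("validateCertSign<<<<<<Failure", (Throwable) e);
            throw e;
        } catch (Throwable th) {
            LoggerManager.exceptionLogger.error("validateCertSign<<<<<<Failure", th);
            throw new PKIException("validateCertSign Failure: " + th.getMessage(), th);
        }
    }

    /**
     * Checks that the current system time lies within the certificate's validity period.
     *
     * @return {@code true} when {@code notBefore <= now <= notAfter}
     * @throws SecurityException if {@code x509Cert} is {@code null} (kept for compatibility)
     */
    public static boolean verifyCertDate(X509Cert x509Cert) {
        return verifyCertDate(x509Cert, new Date());
    }

    /**
     * Checks that {@code at} lies within the certificate's validity period. Exposed so the
     * check can be run against a reference time (e.g. a signing time) and tested without
     * depending on the wall clock.
     *
     * @param x509Cert certificate to check
     * @param at       instant to test against the validity window
     * @return {@code true} when {@code notBefore <= at <= notAfter}
     * @throws SecurityException if either argument is {@code null}
     */
    public static boolean verifyCertDate(X509Cert x509Cert, Date at) {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("verifyCertDate>>>>>>Running: cert=" + x509Cert);
        }
        if (x509Cert == null) {
            throw new SecurityException("verifyCertDate Failure: null not allowed for parameter@cert");
        }
        if (at == null) {
            throw new SecurityException("verifyCertDate Failure: null not allowed for parameter@at");
        }
        boolean inWindow = !at.before(x509Cert.getNotBefore()) && !at.after(x509Cert.getNotAfter());
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("verifyCertDate<<<<<<Finished: okay=" + inWindow);
        }
        return inWindow;
    }

    /**
     * Checks the certificate's serial number against a CRL stored in a local file.
     *
     * @param x509Cert certificate to check
     * @param str      path of the CRL file, passed to {@code new X509CRLFile(str, false)}
     *                 (the meaning of the {@code false} flag is not visible here — confirm it does
     *                 not disable the CRL signature check before trusting the answer)
     * @return {@code true} when the serial is NOT listed in the CRL
     * @throws PKIException if {@code x509Cert} is {@code null} or the CRL cannot be loaded
     */
    public static boolean verifyCertByCRLOutLine(X509Cert x509Cert, String str) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("verifyCertByCRLOutLine>>>>>>Running: crlPath=" + str + ",cert=" + x509Cert);
        }
        if (x509Cert == null) {
            if (debugEnabled()) {
                LoggerManager.debugLogger.debug("verifyCertByCRLOutLine<<<<<<Finished: Required parameter cert");
            }
            throw new PKIException("verifyCertByCRLOutLine Failure: Required parameter cert");
        }
        try {
            X509CRLFile crlFile = new X509CRLFile(str, false);
            boolean notRevoked = !crlFile.isRevoke(x509Cert.getSerialNumber());
            if (debugEnabled()) {
                LoggerManager.debugLogger.debug("verifyCertByCRLOutLine<<<<<<Finished: isValid=" + notRevoked);
            }
            return notRevoked;
        } catch (Throwable th) {
            LoggerManager.exceptionLogger.error("verifyCertByCRLOutLine<<<<<<Failure: decodedX509CRLFile ", th);
            throw new PKIException("verifyCertByCRLOutLine Failure when decoded X509CRLFile: " + th.getMessage(), th);
        }
    }

    /**
     * Returns the LDAP CRL distribution point named in the certificate. When several
     * distribution points contain {@code ldap://}, the LAST one wins (unchanged behaviour).
     *
     * @throws PKIException {@code API_NULL_CRL_PATH_IN_CERT_ERR} if the extension is absent or
     *         contains no {@code ldap://} point; a generic PKIException if decoding fails
     */
    public static String getCRLPointName(X509Cert x509Cert) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("getCRLPointName>>>>>>Running: cert=" + x509Cert);
        }
        try {
            if (x509Cert == null) {
                throw new PKIException("getCRLPointName Failure: null not allowed for parameter@cert");
            }
            CRLDistPoint crlDistPoint = x509Cert.getCRLDistributionPoints();
            if (crlDistPoint == null || crlDistPoint.getDistributionPoints() == null) {
                throw new PKIException(CertKitException.API_NULL_CRL_PATH_IN_CERT_ERR, CertKitException.API_NULL_CRL_PATH_IN_CERT_ERR_NOPOINT);
            }
            String ldapPoint = null;
            int count = crlDistPoint.getDistributionPoints().length;
            for (int i = 0; i < count; i++) {
                // A DistributionPoint may carry no name at all; skip it instead of NPE-ing.
                Object pointName = crlDistPoint.getDistributionPoints()[i].getDistributionPoint();
                if (pointName == null) {
                    continue;
                }
                String text = pointName.toString();
                if (text.indexOf(LDAP_SCHEME) != -1) {
                    ldapPoint = text;
                }
            }
            if (ldapPoint == null) {
                throw new PKIException(CertKitException.API_NULL_CRL_PATH_IN_CERT_ERR, CertKitException.API_NULL_CRL_PATH_IN_CERT_ERR_DES);
            }
            if (debugEnabled()) {
                LoggerManager.debugLogger.debug("getCRLPointName<<<<<<Finished: crl=" + ldapPoint);
            }
            return ldapPoint;
        } catch (PKIException e) {
            LoggerManager.exceptionLogger.error("getCRLPointName<<<<<<Failure", (Throwable) e);
            throw e;
        } catch (Throwable th) {
            LoggerManager.exceptionLogger.error("getCRLPointName<<<<<<Failure", th);
            throw new PKIException("getCRLPointName Failure", th);
        }
    }

    /**
     * Fetches the CRL from the LDAP distribution point named in the certificate and checks
     * the certificate's serial number against it.
     *
     * <p>The host, port, base DN and {@code cn} used for the LDAP query are all taken from the
     * certificate under test. The query itself is now built with a parameterised JNDI filter,
     * so {@code cn} values containing {@code *}, {@code (}, {@code )} or {@code \} cannot alter
     * the filter. The transport is still plain {@code ldap://} with no bind credentials, and the
     * returned CRL is not signature-verified in this class; see the class comment.
     *
     * @return {@code true} when the serial is NOT listed in the downloaded CRL
     * @throws PKIException {@code API_NULL_CRL_PATH_IN_CERT_ERR} when no LDAP point exists,
     *         {@code API_CRL_DOWNLOAD_ERR} when the CRL cannot be fetched or is empty, or a
     *         generic PKIException when the distribution point cannot be parsed
     */
    public static boolean verifyCertByLDAP(X509Cert x509Cert) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("verifyCertByLDAP>>>>>>Running: cert=" + x509Cert);
        }
        try {
            String crlPointName = getCRLPointName(x509Cert);
            if (crlPointName == null) {
                throw new PKIException(CertKitException.API_NULL_CRL_PATH_IN_CERT_ERR, CertKitException.API_NULL_CRL_PATH_IN_CERT_ERR_NOPOINT);
            }
            // {host, port, baseDn, cn}; malformed points raise IllegalArgumentException,
            // which the outer catch turns into "verifyCertByLDAP Failure" as before.
            String[] location = parseLdapCrlLocation(crlPointName);
            try {
                X509CRL crl = downloadCRL(location[0], location[1], location[2], location[3]);
                if (crl == null) {
                    throw new PKIException(CertKitException.API_CRL_DOWNLOAD_ERR, CertKitException.API_CRL_DOWNLOAD_ERR_DES);
                }
                boolean notRevoked = !crl.isRevoke(x509Cert.getSerialNumber());
                if (debugEnabled()) {
                    LoggerManager.debugLogger.debug("verifyCertByLDAP<<<<<<Finished: passed=" + notRevoked);
                }
                return notRevoked;
            } catch (PKIException e) {
                throw e;
            } catch (Throwable th) {
                throw new PKIException(CertKitException.API_CRL_DOWNLOAD_ERR, CertKitException.API_CRL_DOWNLOAD_ERR_DES, th);
            }
        } catch (PKIException e) {
            LoggerManager.exceptionLogger.error("verifyCertByLDAP<<<<<<Failure", (Throwable) e);
            throw e;
        } catch (Throwable th2) {
            LoggerManager.exceptionLogger.error("verifyCertByLDAP<<<<<<Failure", th2);
            throw new PKIException("verifyCertByLDAP Failure", th2);
        }
    }

    /**
     * Splits an {@code ldap://host:port/dn?...} distribution point into
     * {@code {host, port, baseDn, cn}} using the same cut points as before:
     * host up to the first ':', port up to the first '/', base DN up to the first '?',
     * and cn as the text between the first '=' and the first ',' of the path.
     *
     * @throws IllegalArgumentException when any of those separators is missing (previously a
     *         StringIndexOutOfBoundsException with no context)
     */
    private static String[] parseLdapCrlLocation(String crlPointName) {
        int schemeAt = crlPointName.indexOf(LDAP_SCHEME);
        if (schemeAt < 0) {
            throw new IllegalArgumentException("not an ldap distribution point: " + crlPointName);
        }
        String authorityAndPath = crlPointName.substring(schemeAt + LDAP_SCHEME.length());
        int colon = authorityAndPath.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing port in ldap distribution point: " + crlPointName);
        }
        String host = authorityAndPath.substring(0, colon);
        String portAndPath = authorityAndPath.substring(colon + 1);
        int slash = portAndPath.indexOf('/');
        if (slash < 0) {
            throw new IllegalArgumentException("missing base DN in ldap distribution point: " + crlPointName);
        }
        String port = portAndPath.substring(0, slash);
        String path = portAndPath.substring(slash + 1);
        int question = path.indexOf('?');
        int equals = path.indexOf('=');
        int comma = path.indexOf(',');
        if (question < 0 || equals < 0 || comma < 0 || comma <= equals) {
            throw new IllegalArgumentException("cannot extract base DN and cn from ldap distribution point: " + crlPointName);
        }
        String baseDn = path.substring(0, question);
        String cn = path.substring(equals + 1, comma);
        return new String[] { host, port, baseDn, cn };
    }

    /**
     * Searches the LDAP server at {@code host:port} below {@code baseDn} for a
     * {@code cRLDistributionPoint} entry with the given {@code cn} and decodes its CRL.
     * If several entries match, the last one returned by the server wins (unchanged).
     *
     * @return the decoded CRL, or {@code null} when no matching entry carried the attribute
     * @throws Exception wrapping any JNDI or decoding failure; the context is always closed
     */
    private static X509CRL downloadCRL(String host, String port, String baseDn, String cn) throws Exception {
        String ldapUrl = LDAP_SCHEME + host + ":" + port;
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("downloadCRL::>>>>>>Running\n ip: " + host + "\n port: " + port + "\n dn: " + baseDn + "\n cn: " + cn + "\n ldapUrl: " + ldapUrl);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.provider.url", ldapUrl);
        env.put("java.naming.ldap.attributes.binary", "certificateRevocationList");
        InitialDirContext ctx;
        try {
            ctx = new InitialDirContext(env);
        } catch (NamingException e) {
            throw new Exception("downloadCRL Failure when InitialDirContext: " + e.getMessage(), e);
        }
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] { CRL_ATTRIBUTE });
            // cn comes from the certificate being checked. Pass it as a filter argument so the
            // JNDI provider escapes filter metacharacters, instead of concatenating it into
            // the filter string (LDAP injection).
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, "(&(objectclass=cRLDistributionPoint)(cn={0}))", new Object[] { cn }, controls);
            X509CRL crl = null;
            if (results != null) {
                while (results.hasMore()) {
                    Attribute attr = results.next().getAttributes().get(CRL_ATTRIBUTE);
                    if (attr != null) {
                        crl = new X509CRL((byte[]) attr.get(0));
                    }
                }
            }
            return crl;
        } catch (Throwable th) {
            throw new Exception("downloadCRL Failure when download: " + th.getMessage(), th);
        } finally {
            // Previously the context was closed only on the success path.
            try {
                ctx.close();
            } catch (NamingException closeFailure) {
                LoggerManager.exceptionLogger.error("downloadCRL::<<<<<<Failure when closing ldap context: " + ldapUrl, closeFailure);
            }
            if (debugEnabled()) {
                LoggerManager.debugLogger.debug("downloadCRL::<<<<<<Finished: ldapUrl=" + ldapUrl);
            }
        }
    }

    /**
     * True when the certificate's public-key algorithm OID is id-ecPublicKey or rsaEncryption.
     * {@code null} certificates and certificates whose OID cannot be read yield {@code false}.
     */
    private static boolean isValidAlgorithm(X509Cert x509Cert) {
        if (x509Cert == null) {
            return false;
        }
        try {
            String oid = x509Cert.getPublicKeyAlgorithmOID();
            return OID_EC_PUBLIC_KEY.equals(oid) || OID_RSA_ENCRYPTION.equals(oid);
        } catch (Exception e) {
            LoggerManager.exceptionLogger.error("isValidAlgorithm::<<<<<<Failure: " + SADKDebugger.dump(x509Cert), (Throwable) e);
            return false;
        }
    }

    /**
     * Rejects a registration once the anchor map has grown past {@link #maxTrustCerts}.
     * The bound is checked before each put, so the map may briefly hold one more entry than
     * the limit, exactly as before.
     */
    private static void ensureTrustCapacity(String caller) throws PKIException {
        if (validTrustCerts.size() > maxTrustCerts) {
            LoggerManager.exceptionLogger.error(caller + "::<<<<<<Failure: validTrustCerts exceed maxTrustCerts=" + maxTrustCerts);
            throw new PKIException("updateTrustCertsMap Failure with validTrustCerts exceed maxTrustCerts=" + maxTrustCerts);
        }
    }

    /**
     * Stores the anchor's public key under its subject DN. Failures to read the subject or
     * key are logged and the anchor is simply not stored under this key.
     */
    private static void updateTrustCertsMapBySubjectName(X509Cert x509Cert) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMapBySubjectName::>>>>>>Running: trustCerts=" + validTrustCerts.size());
        }
        if (x509Cert != null) {
            ensureTrustCapacity("updateTrustCertsMapBySubjectName");
            try {
                validTrustCerts.put(x509Cert.getSubject(), x509Cert.getPublicKey());
            } catch (Exception e) {
                LoggerManager.exceptionLogger.error("updateTrustCertsMapBySubjectName::<<<<<<Failure: " + SADKDebugger.dump(x509Cert), (Throwable) e);
            }
        }
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMapBySubjectName::<<<<<<Finished: trustCert=" + validTrustCerts.size());
        }
    }

    /**
     * Stores the anchor's public key under the hex form of its SubjectKeyIdentifier, if the
     * certificate has one. Failures are logged and the key is simply not stored under this key.
     */
    private static void updateTrustCertsMapByKeyIdentifier(X509Cert x509Cert) throws PKIException {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMapByKeyIdentifier::>>>>>>Running: trustCerts=" + validTrustCerts.size());
        }
        if (x509Cert != null) {
            ensureTrustCapacity("updateTrustCertsMapByKeyIdentifier");
            try {
                SubjectKeyIdentifier ski = x509Cert.getSubjectKeyIdentifier();
                if (ski != null) {
                    validTrustCerts.put(Hex.toHexString(ski.getKeyIdentifier()), x509Cert.getPublicKey());
                }
            } catch (Exception e) {
                LoggerManager.exceptionLogger.error("updateTrustCertsMapByKeyIdentifier::<<<<<<Failure: " + SADKDebugger.dump(x509Cert), (Throwable) e);
            }
        }
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("updateTrustCertsMapByKeyIdentifier::<<<<<<Finished: trustCert=" + validTrustCerts.size());
        }
    }

    /**
     * Looks up the anchor key for the certificate's issuer: first by the certificate's
     * AuthorityKeyIdentifier (hex), then by its issuer DN. Either lookup may miss; the
     * signature check in {@link #validateCertSign} is what ultimately binds the key to the
     * certificate, so a wrong fallback match only leads to a failed verification.
     *
     * @return the anchor's public key, or {@code null} when neither lookup matches
     */
    private static PublicKey findTrustPublicKey(X509Cert x509Cert) {
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("findTrustPublicKey::>>>>>>Running: cert=" + SADKDebugger.dump(x509Cert));
        }
        PublicKey key = null;
        try {
            if (x509Cert.getAuthorityKeyIdentifier() != null) {
                key = validTrustCerts.get(Hex.toHexString(x509Cert.getAuthorityKeyIdentifier().getKeyIdentifier()));
            }
        } catch (Exception e) {
            LoggerManager.exceptionLogger.error("findTrustPublicKey::<<<<<<Failure find AuthorityKeyIdentifier: " + SADKDebugger.dump(x509Cert), (Throwable) e);
        }
        if (key == null) {
            // ConcurrentHashMap.get(null) throws; a certificate without an issuer simply has no anchor.
            Object issuer = x509Cert.getIssuer();
            if (issuer != null) {
                key = validTrustCerts.get(issuer);
            }
        }
        if (debugEnabled()) {
            LoggerManager.debugLogger.debug("findTrustPublicKey::<<<<<<Finished: PublicKey=" + SADKDebugger.dump(key));
        }
        return key;
    }

    /** Single place for the debug-level guard used before every debug message. */
    private static boolean debugEnabled() {
        return LoggerManager.debugLogger.isDebugEnabled();
    }
}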
