package com.itrus.cvm;

import com.itrus.cert.X509Certificate;
import com.itrus.cryptorole.CryptoException;
import com.itrus.util.CertUtils;
import com.itrus.util.FileUtils;
import com.itrus.util.RegexUtils;
import com.itrus.util.SystemUtils;
import com.tencent.connect.common.Constants;
import java.io.BufferedOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.entity.mime.MIME;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.OCSPReqGenerator;
import org.bouncycastle.ocsp.OCSPResp;
import org.bouncycastle.ocsp.RevokedStatus;
import org.bouncycastle.ocsp.SingleResp;
import org.bouncycastle.ocsp.UnknownStatus;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: classes.dex */
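public class CVM implements CertificateStatus {
    private static Log log = LogFactory.getLog("ITRUS-CVM");
    /**
     * CA subject DN string -> {@link CRLContext}. Null until config()/init() or the first
     * addSupportCA() call. Kept as a raw Hashtable because getCRLContexts() and
     * CVMConfigFactory expose it raw.
     */
    private static Hashtable crlContexts = null;
    private static String DEFAULT_CONFIG_FILE_NAME = "cvm.xml";
    private static String configFileName = null;
    /** JCA provider name used for OCSP signature verification. */
    private static String OCSP_PROVIDER = "BC";
    /** id-kp-OCSPSigning (RFC 6960 section 4.2.2.2); required on a delegated OCSP responder certificate. */
    private static final String OCSP_SIGNING_EKU_OID = "1.3.6.1.5.5.7.3.9";

    /**
     * Registers a CA (given as a parsed certificate, without a CRL) for CRL-based verification.
     *
     * @param x509Certificate CA certificate; must not be null
     * @param str CRL download URL
     * @param str2 retry policy as a comma-separated list of integers, may be null or empty
     * @param z true to skip CRL checking for this CA
     * @throws IOException if the CA is null, the temp files cannot be written, or the context fails to build
     */
    public static synchronized void addSupportCA(X509Certificate x509Certificate, String str, String str2, boolean z) throws IOException, CertificateException, NoSuchProviderException {
        try {
            addSupportCA(x509Certificate, (X509CRL) null, str, str2, z);
        } catch (CRLException e) {
            // No CRL is passed, so this should not occur; keep the cause if it ever does.
            throw new IOException(e.getMessage(), e);
        }
    }

    /**
     * Registers a CA with an optional initial CRL; timing download is disabled.
     *
     * @see #addSupportCA(X509Certificate, X509CRL, String, String, boolean, boolean)
     */
    public static synchronized void addSupportCA(X509Certificate x509Certificate, X509CRL x509crl, String str, String str2, boolean z) throws IOException, CertificateException, NoSuchProviderException, CRLException {
        addSupportCA(x509Certificate, x509crl, str, str2, z, false);
    }

    /**
     * Registers a CA for CRL-based verification. The certificate (and CRL, if given) are
     * materialised in the JVM temp directory because CRLContext works from file paths.
     *
     * @param x509Certificate CA certificate; must not be null
     * @param x509crl initial CRL, may be null
     * @param str CRL download URL
     * @param str2 retry policy as a comma-separated list of integers, may be null or empty
     * @param z true to skip CRL checking for this CA
     * @param z2 true to enable timed CRL download
     * @throws IOException if the CA is null or the temp files cannot be written
     * @throws NumberFormatException if the retry policy is not a list of integers
     */
    public static synchronized void addSupportCA(X509Certificate x509Certificate, X509CRL x509crl, String str, String str2, boolean z, boolean z2) throws IOException, CertificateException, NoSuchProviderException, CRLException {
        if (x509Certificate == null) {
            throw new IOException("CACert is null");
        }
        if (alreadySupported(x509Certificate.getSubjectDNString())) {
            return;
        }
        String tmpDir = SystemUtils.getJavaIoTmpDir().getAbsolutePath();
        String caFilePath = tmpDir + SystemUtils.FILE_SEPARATOR + x509Certificate.getCertID() + ".cer";
        String crlFilePath = tmpDir + SystemUtils.FILE_SEPARATOR + x509Certificate.getCertID() + ".crl";
        // Always write the CA certificate: the context must be built from the certificate the
        // caller supplied, not from whatever file already sits in the shared temp directory.
        FileUtils.saveBytesToFile(x509Certificate.getEncoded(), caFilePath);
        // The CRL file is only seeded; an existing (possibly newer, downloaded) CRL is kept.
        if (x509crl != null && !FileUtils.exists(crlFilePath)) {
            FileUtils.saveBytesToFile(x509crl.getEncoded(), crlFilePath);
        }
        CRLContextConfInfo conf = new CRLContextConfInfo();
        conf.setCAFilePath(caFilePath);
        conf.setCRLFilePath(crlFilePath);
        conf.setCRLUrl(str);
        conf.setRetryPolicy(parseRetryPolicy(str2));
        conf.setNotCheckCRL(z);
        conf.setTimingDownload(z2);
        register(conf);
    }

    /**
     * Registers a CA given as a certificate file path; timing download is disabled.
     *
     * @see #addSupportCA(String, String, String, boolean, boolean)
     */
    public static synchronized void addSupportCA(String str, String str2, String str3, boolean z) throws CertificateException, NoSuchProviderException, IOException {
        addSupportCA(str, str2, str3, z, false);
    }

    /**
     * Registers a CA given as the absolute path of a .cer/.crt/.pem file. The CRL file path is
     * derived by swapping the extension for .crl.
     *
     * @param str certificate file path; anything without a .cer/.crt/.pem suffix is logged and ignored
     * @param str2 CRL download URL
     * @param str3 retry policy as a comma-separated list of integers, may be null or empty
     * @param z true to skip CRL checking for this CA
     * @param z2 true to enable timed CRL download
     * @throws NumberFormatException if the retry policy is not a list of integers
     */
    public static synchronized void addSupportCA(String str, String str2, String str3, boolean z, boolean z2) throws CertificateException, NoSuchProviderException, IOException {
        // NOTE(review): the dots in these patterns are unescaped, so e.g. "xcer" also matches;
        // left as-is because RegexUtils semantics and existing callers are not visible here.
        if (!RegexUtils.matchesIgnoreCase(str, ".*(.cer|.crt|.pem)$")) {
            log.error("(addSupportCA)第一个参数必须是后缀名为.cer或者.crt或者.pem的证书文件的绝对路径！");
            return;
        }
        X509Certificate caCert = X509Certificate.getInstanceFromFile(str);
        if (alreadySupported(caCert.getSubjectDNString())) {
            return;
        }
        CRLContextConfInfo conf = new CRLContextConfInfo();
        conf.setCAFilePath(str);
        conf.setCRLFilePath(RegexUtils.replaceLastIgnoreCase(str, ".cer|.crt|.pem", ".crl"));
        conf.setCRLUrl(str2);
        conf.setRetryPolicy(parseRetryPolicy(str3));
        conf.setNotCheckCRL(z);
        conf.setTimingDownload(z2);
        register(conf);
    }

    /**
     * Lazily creates the context table and reports whether the CA is already registered.
     * Callers hold the class lock.
     */
    private static boolean alreadySupported(String subjectDN) {
        if (crlContexts == null) {
            crlContexts = new Hashtable();
        }
        if (crlContexts.get(subjectDN) != null) {
            log.info("(addSupportCA)[" + subjectDN + "]已存在。");
            return true;
        }
        return false;
    }

    /** Builds the CRLContext from its configuration and stores it under the CA subject DN. */
    private static void register(CRLContextConfInfo conf) throws IOException, CertificateException, NoSuchProviderException {
        CRLContext context = new CRLContext(conf);
        String subjectDN = context.getCaCert().getSubjectDNString();
        crlContexts.put(subjectDN, context);
        log.debug("CVM.addSupportCA，增加CA[" + subjectDN + "]");
    }

    /**
     * Parses a retry policy such as "30,60,120" into an int array.
     *
     * @param retryPolicy comma-separated integers; null or empty yields null (CRLContext default)
     * @throws NumberFormatException if an element is not an integer
     */
    private static int[] parseRetryPolicy(String retryPolicy) {
        if (retryPolicy == null || retryPolicy.length() == 0) {
            return null;
        }
        String[] parts = retryPolicy.split(",");
        int[] result = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            result[i] = Integer.parseInt(parts[i].trim());
        }
        return result;
    }

    /** Drops every registered CA; the table itself stays allocated, so no auto re-init happens. */
    public static synchronized void clear() {
        if (crlContexts != null) {
            crlContexts.clear();
        }
    }

    /**
     * Initialises CVM from a configuration file, unless already initialised (then a no-op).
     *
     * @param str configuration file path
     */
    public static void config(String str) {
        if (crlContexts != null) {
            log.debug("CVM已经初始化。" + configFileName);
        } else {
            configFileName = str;
            init();
        }
    }

    /**
     * Returns the context registered for a CA subject DN, or null if unknown or not initialised.
     */
    public static CRLContext getCRLContext(String str) {
        if (crlContexts == null) {
            return null;
        }
        return (CRLContext) crlContexts.get(str);
    }

    /**
     * Returns the live context table (null before initialisation). Callers can mutate it;
     * kept for compatibility with existing code.
     */
    public static Hashtable getCRLContexts() {
        return crlContexts;
    }

    /** Loads the context table from configFileName; failure is logged and leaves the table null. */
    private static synchronized void init() {
        try {
            crlContexts = new CVMConfigFactory().getCRLContextHashtable(configFileName);
            log.debug("CVM初始化成功。");
        } catch (Exception e) {
            log.error(e, e);
        }
    }

    /** Renders every registered context as a human-readable block list. */
    public static String listCRLContexts() {
        StringBuilder out = new StringBuilder();
        if (crlContexts == null) {
            out.append("CVM初始化失败，没有支持的CA。");
            return out.toString();
        }
        Enumeration keys = crlContexts.keys();
        while (keys.hasMoreElements()) {
            String subjectDN = (String) keys.nextElement();
            CRLContext context = (CRLContext) crlContexts.get(subjectDN);
            out.append("-----BEGIN CRLContext-----\r\n");
            out.append("SubjectDN=[" + subjectDN + "]\r\n");
            out.append("CaFileName=[" + context.getCAFilePath() + "]\r\n");
            out.append("CrlFileName=[" + context.getCrlFilePath() + "]\r\n");
            out.append("CRLExist=[" + (context.getX509CRL() != null) + "]\r\n");
            out.append("CrlUrl=[" + context.getCrlUrl() + "]\r\n");
            out.append("UserCrlUrl=[" + context.getUserCrlUrl() + "]\r\n");
            out.append("RetryPolicy=[" + joinRetryPolicy(context.getRetryPolicy()) + "]\r\n");
            out.append("NotCheckCRL=[" + context.isNotCheckCRL() + "]\r\n");
            out.append("-----END CRLContext-----\r\n");
        }
        return out.toString();
    }

    /** Formats a retry policy as "a,b,c"; null (not configured) renders as an empty string. */
    private static String joinRetryPolicy(int[] retryPolicy) {
        if (retryPolicy == null) {
            return "";
        }
        StringBuilder joined = new StringBuilder();
        for (int i = 0; i < retryPolicy.length; i++) {
            if (i > 0) {
                joined.append(',');
            }
            joined.append(retryPolicy[i]);
        }
        return joined.toString();
    }

    /**
     * Cancels timed downloads of all current contexts and re-initialises from the given file.
     *
     * @param str configuration file path
     */
    public static void reconfig(String str) {
        log.debug("读取配置文件，重新初始化CVM。");
        if (crlContexts != null) {
            Enumeration keys = crlContexts.keys();
            while (keys.hasMoreElements()) {
                ((CRLContext) crlContexts.get(keys.nextElement())).cancelTimingDownload();
            }
        }
        crlContexts = null;
        config(str);
    }

    /** Unregisters the CA identified by the certificate's subject DN; unknown CAs are ignored. */
    public static synchronized void removeSupportCA(X509Certificate x509Certificate) {
        removeSupportCA(x509Certificate.getSubjectDNString());
    }

    /** Unregisters the CA with the given subject DN string; unknown CAs are ignored. */
    public static synchronized void removeSupportCA(String str) {
        if (crlContexts != null && crlContexts.containsKey(str)) {
            log.debug("(removeSupportCA)删除CA支持[" + str + "]");
            crlContexts.remove(str);
        }
    }

    /**
     * Verifies a certificate against the registered CA and its CRL.
     *
     * @return 0 valid, 1 expired, 2 revoked, 3 unsupported issuer, 4 CA signature check failed,
     *     5 CRL unavailable, 6 revoked and expired, 8 account hash mismatch, -1 CVM not initialised
     * @throws IllegalArgumentException if the certificate cannot be converted
     */
    public static int verifyCertificate(java.security.cert.X509Certificate x509Certificate) {
        if (!ensureInitialized()) {
            return -1;
        }
        X509Certificate cert;
        try {
            cert = X509Certificate.getInstance(x509Certificate);
        } catch (Exception e) {
            // Previously this fell through to a NullPointerException; surface the real cause.
            throw new IllegalArgumentException("cannot convert certificate: " + e, e);
        }
        if (cert == null) {
            throw new IllegalArgumentException("certificate is null");
        }
        String issuerDN = cert.getIssuerDNString();
        String subjectDN = cert.getSubjectDNString();
        log.debug("查找支持的CA[" + issuerDN + "]");
        CRLContext context = (CRLContext) crlContexts.get(issuerDN);
        if (context == null) {
            log.info("不支持的颁发者=[" + issuerDN + "]，Cert's SubjectDN=[" + subjectDN + "]");
            return 3;
        }
        String alias = context.getCaAlias();
        // Signature check comes first so that a forged certificate never reaches the CRL lookup.
        if (!cert.verify(context.getCaCert())) {
            log.info("(" + alias + ")验证CA签名失败，疑是伪造证书，Cert's SubjectDN=[" + subjectDN + "]");
            return 4;
        }
        com.itrus.cert.X509CRL crl = context.getX509CRL(cert.getCRLDistributionPointURL());
        if (crl == null) {
            log.error("(" + alias + ")无法获取CRL，请检查配置文件和网络。");
            return 5;
        }
        if (crl.isRevoked(cert)) {
            if (CertUtils.isValid(cert)) {
                log.info("(" + alias + ")证书已吊销，Cert's SubjectDN=[" + subjectDN + "]");
                return 2;
            }
            log.info("(" + alias + ")证书已被吊销而且已过期，Cert's SubjectDN=[" + subjectDN + "]");
            return 6;
        }
        if (!cert.isOnValidPeriod()) {
            log.info("(" + alias + ")证书已过期，Cert's SubjectDN=[" + subjectDN + "]");
            return 1;
        }
        String accountHash = context.getAccountHash();
        if (accountHash == null || accountHash.equalsIgnoreCase(cert.getAccountHash())) {
            log.debug("(" + alias + ")证书状态有效，Cert's SubjectDN=[" + subjectDN + "]");
            return 0;
        }
        log.info("AccountHash不匹配，Cert's AccountHash=[" + cert.getAccountHash() + "]，RA's AccountHash=[" + accountHash + "]，Cert's SubjectDN=[" + subjectDN + "]");
        return 8;
    }

    /** Auto-initialises from the default config file if needed; false if CVM is still unusable. */
    private static boolean ensureInitialized() {
        if (crlContexts != null) {
            return true;
        }
        if (configFileName == null) {
            configFileName = defaultConfigFileName();
            log.info("自动初始化，使用默认配置文件[" + configFileName + "]");
        }
        init();
        if (crlContexts == null) {
            log.error("严重系统错误，CVM初始化失败，请检查配置文件和日志。");
            return false;
        }
        return true;
    }

    /**
     * Derives the default config path from the classpath root (truncated before "classes").
     * Only "%20" is decoded, as before; a missing classpath root yields the bare file name.
     */
    private static String defaultConfigFileName() {
        URL root = CVM.class.getResource("/");
        if (root == null) {
            return DEFAULT_CONFIG_FILE_NAME;
        }
        String path = root.getPath().replaceAll("%20", " ");
        int classesIndex = path.indexOf("classes");
        if (classesIndex >= 0) {
            path = path.substring(0, classesIndex);
        }
        return path + DEFAULT_CONFIG_FILE_NAME;
    }

    /**
     * Verifies a certificate against its issuer and then queries an OCSP responder.
     * The response is accepted only if it is signed by the issuer itself or by a responder
     * certificate issued by that CA with id-kp-OCSPSigning, answers for the requested
     * certificate, and has not passed its nextUpdate.
     *
     * @param x509Certificate certificate to check
     * @param x509Certificate2 issuer certificate
     * @param str OCSP responder URL; "http(s)://user:password@host/..." enables HTTP Basic auth
     * @return 0 good, 1 expired, 2 revoked, 4 issuer signature check failed, 7 unknown
     * @throws OCSPException for a malformed request, a non-zero response status, or an untrusted/stale response
     * @throws IOException on transport failure or a non-2xx HTTP status
     * @throws CryptoException on provider or signature-processing failure
     */
    public static int verifyCertificate(java.security.cert.X509Certificate x509Certificate, java.security.cert.X509Certificate x509Certificate2, String str) throws OCSPException, IOException, CryptoException {
        ensureOcspProvider();
        try {
            // InvalidKeyException here (wrong issuer key) is reported as 4 below.
            x509Certificate.verify(x509Certificate2.getPublicKey());
            if (!CertUtils.isOnValidPeriod(x509Certificate)) {
                return 1;
            }
            CertificateID certificateID;
            byte[] requestBytes;
            try {
                certificateID = new CertificateID(CertificateID.HASH_SHA1, x509Certificate2, x509Certificate.getSerialNumber());
                OCSPReqGenerator generator = new OCSPReqGenerator();
                generator.addRequest(certificateID);
                requestBytes = generator.generate().getEncoded();
            } catch (org.bouncycastle.ocsp.OCSPException e) {
                throw new OCSPException(e);
            }
            OCSPResp ocspResp = postOcspRequest(str, requestBytes);
            int responseStatus = ocspResp.getStatus();
            if (responseStatus != 0) {
                OCSPException failure = new OCSPException("Response status(" + responseStatus + ") not zero. The reason is \"" + ocspStatusReason(responseStatus) + "\".");
                failure.setOCSPResponseStatus(responseStatus);
                throw failure;
            }
            try {
                BasicOCSPResp basicResp = (BasicOCSPResp) ocspResp.getResponseObject();
                PublicKey signerKey = trustedResponderKey(basicResp, x509Certificate2);
                if (!basicResp.verify(signerKey, OCSP_PROVIDER)) {
                    throw new OCSPException("failed to verify OCSP Signature.");
                }
                SingleResp[] responses = basicResp.getResponses();
                if (responses == null || responses.length == 0) {
                    throw new OCSPException("OCSP response contains no SingleResponse.");
                }
                SingleResp single = responses[0];
                // A signed answer about a different certificate must not be taken as ours.
                if (!certificateID.equals(single.getCertID())) {
                    throw new OCSPException("OCSP response does not answer for the requested certificate.");
                }
                log.debug("basicOCSPResp.getProducedAt()=" + basicResp.getProducedAt());
                log.debug("singleResps[0].getThisUpdate()=" + single.getThisUpdate());
                log.debug("singleResps[0].getNextUpdate()=" + single.getNextUpdate());
                // nextUpdate is optional; when present, an expired answer could be a replayed one.
                if (single.getNextUpdate() != null && single.getNextUpdate().getTime() < System.currentTimeMillis()) {
                    throw new OCSPException("OCSP response is no longer valid, nextUpdate=" + single.getNextUpdate());
                }
                return certStatusCode(single.getCertStatus());
            } catch (NoSuchProviderException e) {
                throw new CryptoException(e);
            } catch (org.bouncycastle.ocsp.OCSPException e) {
                throw new CryptoException(e);
            }
        } catch (InvalidKeyException e) {
            return 4;
        } catch (NoSuchAlgorithmException e) {
            throw new CryptoException(e);
        } catch (NoSuchProviderException e) {
            throw new CryptoException(e);
        } catch (SignatureException e) {
            throw new CryptoException(e);
        } catch (CertificateException e) {
            throw new CryptoException(e);
        }
    }

    /**
     * Installs BouncyCastle unless a provider named "BC" is already present (Security.addProvider
     * would not replace it anyway; Android ships its own provider under that name).
     */
    private static void ensureOcspProvider() {
        if (Security.getProvider(OCSP_PROVIDER) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /**
     * Sends the DER-encoded OCSP request by HTTP POST and parses the response.
     * Credentials embedded in the URL are moved into an Authorization header and a process-wide
     * Authenticator; the password is never logged.
     *
     * @throws IOException on transport failure or a non-2xx HTTP status
     */
    private static OCSPResp postOcspRequest(String ocspUrl, byte[] requestBytes) throws IOException {
        log.debug("ocspUrlStr=" + ocspUrl);
        String authorization = null;
        if (RegexUtils.matches(ocspUrl, "^http+s?://.*:.*@.*")) {
            String userName = RegexUtils.exceptMatches(ocspUrl, "^http+s?://+|:.*@.*$");
            String password = RegexUtils.exceptMatches(ocspUrl, "^http+s?://.*:+|@[^@]*$");
            ocspUrl = RegexUtils.exceptMatches(ocspUrl, userName + ":" + password + "@");
            authorization = "Basic " + new String(Base64.encode((userName + ":" + password).getBytes("UTF-8")), "UTF-8");
            // Global side effect kept for compatibility: affects every HttpURLConnection in the process.
            Authenticator.setDefault(new SimpleAuthenticator(userName, password));
            log.debug("userName=" + userName + ", ocspUrlStr=" + ocspUrl);
        }
        HttpURLConnection connection = (HttpURLConnection) new URL(ocspUrl).openConnection();
        try {
            connection.setRequestMethod(Constants.HTTP_POST);
            connection.setRequestProperty(MIME.CONTENT_TYPE, "application/ocsp-request");
            connection.setRequestProperty("Accept", "application/ocsp-response");
            if (authorization != null) {
                connection.setRequestProperty("Authorization", authorization);
            }
            connection.setDoOutput(true);
            DataOutputStream out = new DataOutputStream(new BufferedOutputStream(connection.getOutputStream()));
            try {
                out.write(requestBytes);
                out.flush();
            } finally {
                out.close();
            }
            int responseCode = connection.getResponseCode();
            if (responseCode / 100 != 2) {
                throw new IOException("Http status not ok, code=" + responseCode);
            }
            // OCSPResp reads the whole DER object, so disconnecting afterwards is safe.
            return new OCSPResp(connection.getInputStream());
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Chooses the key the response signature must verify against.
     * No embedded certificate: the issuing CA must have signed directly. An embedded certificate
     * is accepted only if it is the issuer itself, or was issued by the issuer and carries
     * id-kp-OCSPSigning (RFC 6960 section 4.2.2.2); any other certificate is rejected rather
     * than trusted on its own say-so.
     */
    private static PublicKey trustedResponderKey(BasicOCSPResp basicResp, java.security.cert.X509Certificate issuer) throws OCSPException, NoSuchProviderException, org.bouncycastle.ocsp.OCSPException {
        java.security.cert.X509Certificate[] certs = basicResp.getCerts(OCSP_PROVIDER);
        if (certs == null || certs.length == 0) {
            return issuer.getPublicKey();
        }
        java.security.cert.X509Certificate responder = certs[0];
        if (responder.equals(issuer)) {
            return issuer.getPublicKey();
        }
        try {
            responder.verify(issuer.getPublicKey());
        } catch (GeneralSecurityException e) {
            throw new OCSPException("OCSP responder certificate is not issued by the CA: " + e);
        }
        List<String> extendedKeyUsage;
        try {
            extendedKeyUsage = responder.getExtendedKeyUsage();
        } catch (CertificateException e) {
            throw new OCSPException("OCSP responder certificate has an unreadable extendedKeyUsage: " + e);
        }
        if (extendedKeyUsage == null || !extendedKeyUsage.contains(OCSP_SIGNING_EKU_OID)) {
            throw new OCSPException("OCSP responder certificate lacks id-kp-OCSPSigning.");
        }
        return responder.getPublicKey();
    }

    /** Maps an OCSPResponseStatus value to the text used in the failure message. */
    private static String ocspStatusReason(int status) {
        switch (status) {
            case 1:
                return "Illegal confirmation request";
            case 2:
                return "Internal error in issuer";
            case 3:
                return "Try again later";
            case 4:
                return "(4) not used";
            case 5:
                return "Must sign the request";
            case 6:
                return "Request unauthorized";
            default:
                return "";
        }
    }

    /**
     * Maps a SingleResp certificate status to the return code: null (BC's encoding of "good")
     * is 0, RevokedStatus is 2, everything else (UnknownStatus or unexpected) is 7.
     */
    private static int certStatusCode(Object certStatus) {
        if (certStatus == null) {
            return 0;
        }
        if (certStatus instanceof RevokedStatus) {
            RevokedStatus revoked = (RevokedStatus) certStatus;
            log.debug("revocationTime=" + revoked.getRevocationTime());
            // The reason code is optional; getRevocationReason() throws when it is absent.
            if (revoked.hasRevocationReason()) {
                log.debug("revocationReason=" + revoked.getRevocationReason());
            }
            return 2;
        }
        if (certStatus instanceof UnknownStatus) {
            log.debug("UnknownStatus：" + certStatus);
        } else {
            log.warn("Unexpected OCSP CertStatus type: " + certStatus.getClass().getName());
        }
        return 7;
    }
}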
