package cn.com.infosec.netsigninterface;

import cn.com.infosec.asn1.x509.X509Extensions;
import cn.com.infosec.crypto.digests.SHA1Digest;
import cn.com.infosec.jce.PKCS7EnvelopedData;
import cn.com.infosec.jce.PKCS7SignedData;
import cn.com.infosec.jce.exception.CertificateNotMatchException;
import cn.com.infosec.jce.exception.DecryptDataException;
import cn.com.infosec.jce.exception.DecryptKeyException;
import cn.com.infosec.jce.exception.EncryptAlgException;
import cn.com.infosec.jce.exception.EncryptDataException;
import cn.com.infosec.jce.exception.EncryptKeyException;
import cn.com.infosec.jce.exception.WriteEnvDataException;
import cn.com.infosec.jce.provider.InfosecProvider;
import cn.com.infosec.jce.provider.JCESM2PrivateKey;
import cn.com.infosec.jce.provider.JCESM2PublicKey;
import cn.com.infosec.netsign.der.util.PKCS7SignedDataParser;
import cn.com.infosec.netsigninterface.exceptions.InvalidCertificateException;
import cn.com.infosec.netsigninterface.exceptions.PKCS7ParseException;
import cn.com.infosec.netsigninterface.exceptions.RAWSignException;
import cn.com.infosec.netsigninterface.exceptions.ServerKeyStoreException;
import cn.com.infosec.netsigninterface.exceptions.VerifyPlainSignedMsgException;
import cn.com.infosec.netsigninterface.resource.NetSignRes;
import cn.com.infosec.netsigninterface.util.ConsoleLogger;
import cn.com.infosec.netsigninterface.util.GZipUtil;
import cn.com.infosec.netsigninterface.util.TrustCerts;
import cn.com.infosec.netsigninterface.util.TrustConfig;
import cn.com.infosec.util.Base64;
import com.infosec.NetSignServer;
import com.infosec.NetSignX509CRL;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CRLException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.DateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.StringTokenizer;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.x509.RSAPublicKeyStructure;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.Selector;

/* loaded from: input_file:cn/com/infosec/netsigninterface/NetSignImpl.class */
public class NetSignImpl {
    // Per-instance working state. Every field below is overwritten by the verify/decrypt
    // methods of this class and no synchronization is visible in this file, so a single
    // instance should not be shared between concurrent requests.

    // Payload of the most recently processed message (signed content or decrypted bytes).
    private byte[] ContentData;
    // Signer certificate of the message under verification. It is assigned BEFORE the trust
    // checks run, so it can hold a certificate that later failed verification.
    private X509Certificate signingCert;
    // Recipient certificate used by decomposeSingleEnvelopedMsg.
    private X509Certificate encCert;
    // Five display strings for signingCert, filled by getSignCert():
    // [0] subject DN, [1] issuer DN, [2] notBefore, [3] notAfter, [4] serial (upper-case hex).
    private String[] certinfo;
    // Same layout as certinfo, for encCert; filled by getEncCert().
    private String[] enccertinfo;
    // 1.2.840.113549.1.9.4 is the PKCS#9 messageDigest attribute OID (set in the static initializer).
    private static DERObjectIdentifier mdOID;
    // Optional formatter for the validity dates; when null, Date.toString() is used instead.
    private DateFormat df = null;
    // Parser object kept from the last afterwardsAttachedVerify call.
    private PKCS7SignedData p7sd = null;
    // Envelope object kept from the last decomposeSingleEnvelopedMsg call.
    private PKCS7EnvelopedData p7ed = null;

    static {
        // Register the vendor JCE provider once per class load; presumably this is the
        // provider that the rest of the class addresses by the name "INFOSEC".
        InfosecProvider vendorProvider = new InfosecProvider();
        Security.addProvider(vendorProvider);
        // PKCS#9 messageDigest attribute OID.
        mdOID = new DERObjectIdentifier("1.2.840.113549.1.9.4");
    }

    /**
     * Sets the formatter used for the notBefore/notAfter entries of the certificate info arrays.
     *
     * @param dateFormat formatter to use; {@code null} selects {@code Date.toString()}
     */
    public void setDateFormat(DateFormat dateFormat) {
        df = dateFormat;
    }

    /**
     * Returns the Base64 text of the SHA-1 digest of {@code bArr}, as bytes in the platform
     * default charset.
     *
     * <p>SHA-1 is no longer collision resistant; treat the result as a legacy fingerprint,
     * not as an integrity guarantee against a party who can choose the input.
     *
     * @param bArr data to hash; must not be null
     * @return Base64-encoded digest bytes
     * @throws IOException declared for the Base64 encoder
     */
    public byte[] hash1Base64(byte[] bArr) throws IOException {
        byte[] digest = sha1hash(bArr);
        String encoded = Base64.encode(digest);
        return encoded.getBytes();
    }

    /**
     * Computes the SHA-1 digest of the whole input array with the vendor digest class.
     *
     * <p>SHA-1 collisions are practical; callers that need collision resistance should not
     * depend on this helper.
     *
     * @param bArr data to hash; must not be null
     * @return the raw digest, {@code getDigestSize()} bytes long
     */
    private static byte[] sha1hash(byte[] bArr) {
        SHA1Digest digest = new SHA1Digest();
        digest.update(bArr, 0, bArr.length);
        byte[] out = new byte[digest.getDigestSize()];
        digest.doFinal(out, 0);
        return out;
    }

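    /**
     * Extracts the organisation value from a comma-separated distinguished-name string.
     *
     * <p>Each comma-separated token is searched for {@code "o="} and then {@code "O="}; the text
     * after the marker becomes the result, and the last matching token wins. Tokens that contain
     * neither marker are skipped. The previous code fell through with an index of -1 and
     * overwrote the result with {@code token.substring(1)} for every token, so the value
     * returned was derived from the last token whatever attribute it held.
     *
     * <p>This is plain substring matching, not DN parsing: the marker is also found inside other
     * attribute values and escaped commas are not honoured. Do not base an authorization decision
     * on the returned string.
     *
     * @param str DN text such as {@code "CN=alice, O=Acme, C=CN"}; must not be null
     * @return the organisation value, or {@code null} when no token contains the marker
     */
    private static String getOrg(String str) {
        String org = null;
        StringTokenizer tokens = new StringTokenizer(str, ",");
        while (tokens.hasMoreTokens()) {
            String part = tokens.nextToken();
            int pos = part.indexOf("o=");
            if (pos == -1) {
                pos = part.indexOf("O=");
            }
            // Only a token that really carries the marker may set the result.
            if (pos != -1) {
                org = part.substring(pos + 2);
            }
        }
        return org;
    }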

    /**
     * Rebuilds {@code enccertinfo} from {@code encCert}: subject DN, issuer DN, notBefore,
     * notAfter and serial number (upper-case hex). Dates use {@code df} when one is set and
     * {@code Date.toString()} otherwise. Fails with a NullPointerException when no encryption
     * certificate has been assigned.
     */
    private void getEncCert() {
        String[] info = new String[5];
        this.enccertinfo = info;
        info[0] = this.encCert.getSubjectDN().getName();
        info[1] = this.encCert.getIssuerDN().getName();
        info[2] = (this.df == null)
                ? new Date(this.encCert.getNotBefore().getTime()).toString()
                : this.df.format(this.encCert.getNotBefore());
        info[3] = (this.df == null)
                ? new Date(this.encCert.getNotAfter().getTime()).toString()
                : this.df.format(this.encCert.getNotAfter());
        info[4] = this.encCert.getSerialNumber().toString(16).toUpperCase();
    }

    /**
     * Rebuilds {@code certinfo} from {@code signingCert}: subject DN, issuer DN, notBefore,
     * notAfter and serial number (upper-case hex). Dates use {@code df} when one is set and
     * {@code Date.toString()} otherwise.
     *
     * <p>The verify methods call this before any trust check, so the strings describe whatever
     * certificate the message carried, verified or not.
     */
    private void getSignCert() {
        String[] info = new String[5];
        this.certinfo = info;
        info[0] = this.signingCert.getSubjectDN().getName();
        info[1] = this.signingCert.getIssuerDN().getName();
        info[2] = (this.df == null)
                ? new Date(this.signingCert.getNotBefore().getTime()).toString()
                : this.df.format(this.signingCert.getNotBefore());
        info[3] = (this.df == null)
                ? new Date(this.signingCert.getNotAfter().getTime()).toString()
                : this.df.format(this.signingCert.getNotAfter());
        info[4] = this.signingCert.getSerialNumber().toString(16).toUpperCase();
    }

    /**
     * Decodes one extension of the current signer certificate through {@code CRLDPDEC.getExtern}.
     *
     * <p>The signer certificate is stored before it is verified, so after a failed verification
     * this reads an extension of an untrusted certificate.
     *
     * @param str extension OID in dotted form
     * @return whatever {@code CRLDPDEC.getExtern} produces for the raw extension bytes
     */
    public String getCertExtensionValue(String str) {
        byte[] rawExtension = this.signingCert.getExtensionValue(str);
        return CRLDPDEC.getExtern(rawExtension);
    }

    /**
     * Returns one display field of the signer certificate.
     *
     * @param i 1-based field number: 1 subject DN, 2 issuer DN, 3 notBefore, 4 notAfter,
     *          5 serial number in upper-case hex
     * @return the stored string; an out-of-range {@code i} raises ArrayIndexOutOfBoundsException
     */
    public String getSignCertInfo(int i) {
        int slot = i - 1;
        return this.certinfo[slot];
    }

    /**
     * Returns one display field of the encryption certificate.
     *
     * @param i 1-based field number: 1 subject DN, 2 issuer DN, 3 notBefore, 4 notAfter,
     *          5 serial number in upper-case hex
     * @return the stored string; an out-of-range {@code i} raises ArrayIndexOutOfBoundsException
     */
    public String getEncCertInfo(int i) {
        int slot = i - 1;
        return this.enccertinfo[slot];
    }

    /**
     * Returns the payload stored by the last verify or decrypt call.
     *
     * <p>The internal array itself is returned, not a copy. Some verify methods store the payload
     * before the signature is checked, so read it only after the call returned normally.
     *
     * @return the stored payload, possibly {@code null}
     */
    public byte[] getContentData() {
        byte[] payload = this.ContentData;
        return payload;
    }

    /**
     * Reports the product version string defined in {@code NetSignRes}.
     *
     * @return {@code NetSignRes.PRODUCT_VERSION}
     */
    public static String getVersion() {
        String version = NetSignRes.PRODUCT_VERSION;
        return version;
    }

    /**
     * Returns the signer certificate taken from the last processed message.
     *
     * <p>The field is assigned before the trust checks, so a certificate returned here is only
     * trustworthy when the verify call that set it completed without an exception.
     *
     * @return the stored certificate, possibly {@code null}
     */
    public X509Certificate getSignCertEntity() {
        X509Certificate signer = this.signingCert;
        return signer;
    }

    /**
     * Signs {@code bArr} with the key store's private key and returns PKCS#7 SignedData bytes.
     *
     * <p>The digest algorithm follows the key type (see {@code getDigestAlg}). The signer
     * certificate comes from {@code getSignCert(serverKeyStore)}, which returns {@code null} when
     * a multi-certificate chain holds no certificate with the configured DN; that null is passed
     * on unchecked.
     *
     * @param bArr plaintext to sign; must be non-empty
     * @param serverKeyStore source of the private key, signer certificate and chain
     * @param z forwarded unchanged to {@code generatePKCS7SignedData}; presumably selects
     *          detached output, confirm against that helper
     * @return the encoded signed message
     * @throws InvalidParameterException when {@code bArr} is null or empty
     */
    public byte[] GenerateSingleSignedMsg(byte[] bArr, ServerKeyStore serverKeyStore, boolean z) throws ServerKeyStoreException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateEncodingException, IOException {
        boolean noPlaintext = bArr == null || bArr.length == 0;
        if (noPlaintext) {
            throw new InvalidParameterException(NetSignRes.PLAINDATA_IS_NULL);
        }
        PrivateKey signingKey = serverKeyStore.getPrivateKey();
        String digestAlg = getDigestAlg(signingKey);
        byte[] sm2Id = NetSignServer.sm2SignID;
        X509Certificate signerCert = getSignCert(serverKeyStore);
        X509Certificate[] chain = serverKeyStore.getCertChain();
        return PKCS7SignedDataUtil.generatePKCS7SignedData(bArr, signingKey, digestAlg, sm2Id, signerCert, chain, z);
    }

    /**
     * Builds a CMS SignedData structure over {@code bArr} with the BouncyCastle generator and
     * the "INFOSEC" provider.
     *
     * <p>The signature algorithm is fixed to {@code SHA1withRSA} whatever the key size, and the
     * first chain entry is used as signer certificate. SHA-1 based signatures are deprecated for
     * new deployments, so relying parties may reject this output. An empty chain raises
     * ArrayIndexOutOfBoundsException. The wrapped exceptions keep only the text of the cause.
     *
     * @param bArr content to sign
     * @param serverKeyStore source of the private key and certificate chain
     * @param z when {@code false} the content is passed to the generator with the encapsulate
     *          flag set; when {@code true} the flag is cleared
     * @return the encoded CMS structure
     * @throws SignatureException when encoding the result fails
     * @throws CMSException when certificate encoding or signer creation fails
     */
    public byte[] generateILBERSignedData(byte[] bArr, ServerKeyStore serverKeyStore, boolean z) throws ServerKeyStoreException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CMSException {
        CMSProcessableByteArray content = new CMSProcessableByteArray(bArr);
        X509Certificate[] chain = serverKeyStore.getCertChain();
        ArrayList certs = new ArrayList();
        for (int idx = 0; idx < chain.length; idx++) {
            certs.add(chain[idx]);
        }
        try {
            JcaCertStore certStore = new JcaCertStore(certs);
            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            JcaSignerInfoGeneratorBuilder infoBuilder = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("INFOSEC").build());
            JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("INFOSEC");
            generator.addSignerInfoGenerator(infoBuilder.build(signerBuilder.build(serverKeyStore.getPrivateKey()), chain[0]));
            generator.addCertificates(certStore);
            boolean encapsulate = !z;
            return generator.generate(content, encapsulate).getEncoded();
        } catch (IOException e) {
            throw new SignatureException("Signature failed:" + e.toString());
        } catch (CertificateEncodingException e2) {
            throw new CMSException("CMS encode certificate failed:" + e2.toString());
        } catch (OperatorCreationException e3) {
            throw new CMSException("CMS failed:" + e3.toString());
        }
    }

    /**
     * Picks the signer certificate out of the key store's chain.
     *
     * <p>A one-element chain is returned as is, without comparing its DN. Otherwise the first
     * certificate whose subject DN string equals {@code getCertDN()} exactly is returned.
     *
     * @param serverKeyStore key store holding the chain and the configured DN
     * @return the matching certificate, or {@code null} when a longer chain has no match
     * @throws ServerKeyStoreException propagated from the key store accessors
     */
    private X509Certificate getSignCert(ServerKeyStore serverKeyStore) throws ServerKeyStoreException {
        String wantedDn = serverKeyStore.getCertDN();
        X509Certificate[] chain = serverKeyStore.getCertChain();
        if (chain.length == 1) {
            return chain[0];
        }
        for (X509Certificate candidate : chain) {
            if (candidate.getSubjectDN().getName().equals(wantedDn)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Chooses the default digest algorithm name for a private key.
     *
     * <p>RSA keys are split on the encoded modulus length: up to 129 bytes (a 1024-bit modulus
     * plus the sign byte that {@code BigInteger.toByteArray()} may add) gets the RSA-1024
     * default, anything longer the RSA-2048 default. SM2 keys get the SM2 default. Any other key
     * type falls back to the RSA-1024 default. The concrete names live in {@code NetSignServer}.
     *
     * @param privateKey key that will sign
     * @return the configured digest algorithm name
     */
    private String getDigestAlg(PrivateKey privateKey) {
        if (privateKey instanceof RSAPrivateKey) {
            int modulusBytes = ((RSAPrivateKey) privateKey).getModulus().toByteArray().length;
            if (modulusBytes <= 129) {
                return NetSignServer.defaultDigestAlg_RSA1024;
            }
            return NetSignServer.defaultDigestAlg_RSA2048;
        }
        if (privateKey instanceof JCESM2PrivateKey) {
            return NetSignServer.defaultDigestAlg_SM2;
        }
        return NetSignServer.defaultDigestAlg_RSA1024;
    }

    /**
     * Chooses the default digest algorithm name for a public key, with the same rules as the
     * private-key overload: RSA modulus of at most 129 encoded bytes gets the RSA-1024 default,
     * longer RSA moduli the RSA-2048 default, SM2 keys the SM2 default, and every other key type
     * the RSA-1024 default.
     *
     * @param publicKey key that will verify
     * @return the configured digest algorithm name
     */
    private String getDigestAlg(PublicKey publicKey) {
        if (publicKey instanceof RSAPublicKey) {
            int modulusBytes = ((RSAPublicKey) publicKey).getModulus().toByteArray().length;
            if (modulusBytes <= 129) {
                return NetSignServer.defaultDigestAlg_RSA1024;
            }
            return NetSignServer.defaultDigestAlg_RSA2048;
        }
        if (publicKey instanceof JCESM2PublicKey) {
            return NetSignServer.defaultDigestAlg_SM2;
        }
        return NetSignServer.defaultDigestAlg_RSA1024;
    }

    /**
     * Checks a raw signature through {@code SignatureUtil.verify} and converts every failure of
     * that call into {@code VerifyPlainSignedMsgException}.
     *
     * <p>Only the message text of the cause is kept; the original exception type and stack are
     * dropped.
     *
     * @param publicKey verification key
     * @param bArr first data argument handed to {@code SignatureUtil.verify}
     * @param bArr2 second data argument handed to {@code SignatureUtil.verify}
     * @param str digest algorithm name
     * @param bArr3 passed as the last argument of {@code SignatureUtil.verify}
     * @return the result of {@code SignatureUtil.verify}
     * @throws VerifyPlainSignedMsgException when the underlying call throws
     */
    private static boolean verify(PublicKey publicKey, byte[] bArr, byte[] bArr2, String str, byte[] bArr3) throws VerifyPlainSignedMsgException {
        boolean matches;
        try {
            matches = SignatureUtil.verify(bArr, bArr2, publicKey, str, bArr3);
        } catch (Exception e) {
            throw new VerifyPlainSignedMsgException("Verify  Error:" + e.getMessage());
        }
        return matches;
    }

    /**
     * Produces a raw signature over {@code bArr} with the key store's private key and the
     * digest algorithm chosen by {@code getDigestAlg}.
     *
     * <p>On failure the stack trace is printed to {@code System.out} and only the message text
     * of the cause reaches the caller.
     *
     * @param serverKeyStore source of the private key and signer certificate
     * @param bArr data to sign
     * @param bArr2 passed to {@code SignatureUtil.sign} as its fourth argument
     * @return the signature bytes
     * @throws RAWSignException when any step fails
     */
    public byte[] rawSign(ServerKeyStore serverKeyStore, byte[] bArr, byte[] bArr2) throws RAWSignException {
        byte[] signature;
        try {
            PrivateKey signingKey = serverKeyStore.getPrivateKey();
            String digestAlg = getDigestAlg(signingKey);
            signature = SignatureUtil.sign(bArr, signingKey, digestAlg, bArr2, serverKeyStore.getSignCert());
        } catch (Exception e) {
            e.printStackTrace(System.out);
            throw new RAWSignException("Sign Error:" + e.getMessage());
        }
        return signature;
    }

    /**
     * Verifies a raw signature {@code bArr} over the plaintext {@code bArr2} with a
     * caller-supplied certificate, after checking that certificate against the trust store.
     *
     * <p>{@code signingCert}, {@code ContentData} and the info strings are stored before any
     * check runs, so they remain set when the method throws. A signature mismatch is reported as
     * {@code InvalidCertificateException("-10060")}; a missing trust store as {@code "-10057"}.
     *
     * @param bArr signature bytes; must be non-empty
     * @param bArr2 plaintext that was signed
     * @param trustCerts trust store; must not be null
     * @param map CRL lookup data forwarded to {@code verifyCert}
     * @param x509Certificate signer certificate
     * @param bArr3 last argument of the signature check
     * @param bArr4 forwarded to {@code verifyCert}
     * @param z forwarded to {@code verifyCert}; enables the revocation check there
     * @param z2 forwarded to {@code verifyCert}; enables the validity-period check there
     * @throws InvalidParameterException when {@code bArr} is null or empty
     */
    public void VerifySinglePlainSignedMsg(byte[] bArr, byte[] bArr2, TrustCerts trustCerts, Map map, X509Certificate x509Certificate, byte[] bArr3, byte[] bArr4, boolean z, boolean z2) throws CRLException, InvalidCertificateException, VerifyPlainSignedMsgException {
        boolean noSignature = bArr == null || bArr.length == 0;
        if (noSignature) {
            throw new InvalidParameterException(NetSignRes.P7DATA_IS_NULL);
        }
        // State is recorded first; it describes unverified input until this method returns.
        this.signingCert = x509Certificate;
        this.ContentData = bArr2;
        getSignCert();
        if (trustCerts == null) {
            throw new InvalidCertificateException("-10057");
        }
        verifyCert(x509Certificate, map, trustCerts, bArr4, z, z2);
        PublicKey signerKey = x509Certificate.getPublicKey();
        boolean signatureOk = verify(signerKey, bArr2, bArr, getDigestAlg(x509Certificate.getPublicKey()), bArr3);
        if (!signatureOk) {
            throw new InvalidCertificateException("-10060");
        }
    }

    /**
     * Parses a PKCS#7 SignedData message, checks its signer certificate against the trust store
     * and verifies the signature.
     *
     * <p>Points a caller should know:
     * <ul>
     * <li>The signer certificate and the digest algorithm both come from the message itself.
     *     Whether weak digests are refused depends on {@code OIDUtil} and {@code SignatureUtil},
     *     which are not visible here.</li>
     * <li>When the message carries no content, the caller-supplied {@code bArr} is verified
     *     instead (detached signature).</li>
     * <li>The outer {@code catch (Exception)} wraps everything except
     *     {@code NoSuchProviderException} and {@code CertificateException}. A failed signature
     *     check therefore surfaces as {@code PKCS7ParseException}, not as the declared
     *     {@code SignatureException}. {@code InvalidCertificateException} is wrapped too unless
     *     it extends {@code CertificateException} (TODO confirm).</li>
     * <li>{@code signingCert} and {@code ContentData} are stored before verification ends.</li>
     * </ul>
     *
     * @param bArr detached content, used only when the message has no embedded content
     * @param bArr2 encoded PKCS#7 SignedData; must be non-empty
     * @param trustCerts trust store; must not be null
     * @param map CRL lookup data forwarded to {@code verifyCert}
     * @param bArr3 last argument of {@code SignatureUtil.verify}
     * @param bArr4 forwarded to {@code verifyCert}
     * @param z forwarded to {@code verifyCert}; enables the revocation check there
     * @param z2 forwarded to {@code verifyCert}; enables the validity-period check there
     * @return the content that was verified
     */
    public byte[] VerifySingleSignedMsg(byte[] bArr, byte[] bArr2, TrustCerts trustCerts, Map map, byte[] bArr3, byte[] bArr4, boolean z, boolean z2) throws CRLException, CertificateException, InvalidCertificateException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, PKCS7ParseException {
        if (bArr2 == null || bArr2.length == 0) {
            throw new InvalidParameterException(NetSignRes.P7DATA_IS_NULL);
        }
        try {
            cn.com.infosec.netsign.der.util.PKCS7SignedData parse = PKCS7SignedDataParser.parse(bArr2, "INFOSEC");
            // The signer certificate is attacker-supplied at this point; verifyCert below decides trust.
            this.signingCert = parse.getSignCert();
            getSignCert();
            if (trustCerts == null) {
                throw new InvalidCertificateException("-10057");
            }
            verifyCert(this.signingCert, map, trustCerts, bArr4, z, z2);
            // Digest algorithm is taken from the message, not from local policy.
            String digestAlgName = OIDUtil.getDigestAlgName(parse.getDigestAlgOid());
            try {
                this.ContentData = parse.getContent();
                // No embedded content: fall back to the caller-supplied detached content.
                if (this.ContentData == null || this.ContentData.length == 0) {
                    this.ContentData = bArr;
                }
                if (SignatureUtil.verify(this.ContentData, parse.getSignature(), this.signingCert.getPublicKey(), digestAlgName, bArr3)) {
                    return this.ContentData;
                }
                throw new SignatureException(NetSignRes.NETSIGN_VERIFY_ERROR);
            } catch (SignatureException e) {
                // Rethrown here, but caught again by the outer catch (Exception) and wrapped.
                throw e;
            }
        } catch (NoSuchProviderException e2) {
            throw e2;
        } catch (CertificateException e3) {
            throw e3;
        } catch (Exception e4) {
            // Stack trace goes to System.out; the caller only receives e4.toString().
            e4.printStackTrace(System.out);
            throw new PKCS7ParseException(e4.toString());
        }
    }

    /**
     * Verifies an attached PKCS#7 SignedData message "after the fact": the signer certificate is
     * matched to the trust store through {@code verifyCertAfterWards}, which checks the issuer
     * signature but performs no validity-period or revocation check.
     *
     * <p>The input is first handed to {@code GZipUtil.unzip}; any failure there silently falls
     * back to the raw bytes. Decompression runs on unauthenticated input, and whether
     * {@code GZipUtil} bounds the output size is not visible here.
     *
     * @param bArr PKCS#7 SignedData, optionally gzip-compressed; must be non-empty
     * @param trustCerts trust store; must not be null
     * @return the content carried by the message
     * @throws InvalidParameterException when {@code bArr} is null or empty
     * @throws SignatureException when the signature does not verify
     */
    public byte[] afterwardsAttachedVerify(byte[] bArr, TrustCerts trustCerts) throws CRLException, CertificateException, InvalidCertificateException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
        if (bArr == null || bArr.length == 0) {
            throw new InvalidParameterException(NetSignRes.P7DATA_IS_NULL);
        }
        byte[] p7Bytes;
        try {
            p7Bytes = GZipUtil.unzip(bArr);
        } catch (Exception notCompressed) {
            // Input was not gzip data (or unzip failed for another reason): parse it as is.
            p7Bytes = bArr;
        }
        // Every checked exception raised below is part of the throws clause and propagates unchanged.
        this.p7sd = new PKCS7SignedData(p7Bytes);
        this.signingCert = this.p7sd.getSigningCertificate();
        getSignCert();
        byte[] embedded = this.p7sd.getContentData();
        if (trustCerts == null) {
            throw new InvalidCertificateException("-10057");
        }
        verifyCertAfterWards(this.signingCert, trustCerts);
        this.p7sd.update(embedded, 0, embedded.length);
        boolean signatureOk = this.p7sd.verify();
        if (!signatureOk) {
            throw new SignatureException(NetSignRes.NETSIGN_VERIFY_ERROR);
        }
        this.ContentData = this.p7sd.getContentData();
        return embedded;
    }

    /**
     * Signs {@code bArr} (third argument of {@code GenerateSingleSignedMsg} fixed to
     * {@code false}) and then encrypts the signed message for {@code x509Certificate}.
     *
     * @param bArr plaintext
     * @param serverKeyStore signing key material
     * @param x509Certificate recipient certificate
     * @param i forwarded to {@code composeSingleEnvelopedMsg}
     * @return the enveloped message
     */
    public byte[] MSEnvelopedandSigned(byte[] bArr, ServerKeyStore serverKeyStore, X509Certificate x509Certificate, int i) throws ServerKeyStoreException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, WriteEnvDataException, EncryptKeyException, EncryptDataException, EncryptAlgException, CertificateException, InvalidCertificateException, IOException {
        byte[] signedMessage = GenerateSingleSignedMsg(bArr, serverKeyStore, false);
        return composeSingleEnvelopedMsg(signedMessage, x509Certificate, i);
    }

    /**
     * Decrypts an enveloped message with the server key and verifies the PKCS#7 SignedData it
     * contains.
     *
     * <p>No detached content is supplied ({@code null}), so the inner message must carry its own
     * content. Both boolean switches of {@code VerifySingleSignedMsg} are passed as {@code true}.
     *
     * @param bArr enveloped message
     * @param serverKeyStore decryption key material
     * @param trustCerts trust store for the signer certificate
     * @param map CRL lookup data
     * @return the verified content
     */
    public byte[] MSDecrypedandVerify(byte[] bArr, ServerKeyStore serverKeyStore, TrustCerts trustCerts, Map map) throws CRLException, CertificateException, InvalidCertificateException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidCertificateException, ServerKeyStoreException, DecryptKeyException, DecryptDataException, CertificateException, CertificateNotMatchException, PKCS7ParseException {
        byte[] signedMessage = decomposeSingleEnvelopedMsg(bArr, serverKeyStore);
        return VerifySingleSignedMsg(null, signedMessage, trustCerts, map, NetSignServer.sm2SignID, NetSignServer.sm2CertID, true, true);
    }

    /**
     * Encodes bytes as Base64 text with the vendor codec.
     *
     * @param bArr bytes to encode
     * @return Base64 text
     * @throws IOException declared for the codec
     */
    public String Base64Encode(byte[] bArr) throws IOException {
        String encoded = Base64.encode(bArr);
        return encoded;
    }

    /**
     * Decodes Base64 text with the vendor codec.
     *
     * @param str Base64 text
     * @return decoded bytes
     * @throws IOException declared for the codec
     */
    public byte[] Base64Deccode(String str) throws IOException {
        byte[] decoded = Base64.decode(str);
        return decoded;
    }

    /**
     * Tells whether the certificate appears on a loaded CRL of its issuer.
     *
     * <p>The issuer's {@code TrustConfig} is looked up by issuer DN. The check fails open in
     * several places: no CRL directory configured, or no loaded CRL for the distribution point,
     * both return {@code false} (not revoked). A parsing failure of the CRL distribution point
     * extension is swallowed and leads to a scan of every loaded CRL. A missing trust config or
     * a missing CRL map entry raises NullPointerException.
     *
     * <p>Side effect: {@code NetSignServer.lastCRLPortal} is overwritten.
     *
     * @param trustCerts trust store
     * @param x509Certificate certificate to check
     * @param map CRL directory name to map of loaded CRLs
     * @return {@code true} only when a loaded CRL lists the certificate
     */
    private boolean isCertRevoked(TrustCerts trustCerts, X509Certificate x509Certificate, Map map) {
        TrustConfig issuerConfig = (TrustConfig) trustCerts.getCerts().get(x509Certificate.getIssuerDN().getName());
        String crlDir = issuerConfig.getcrldir();
        if (crlDir == null || crlDir.equals("")) {
            // No CRL directory configured: treated as "not revoked".
            return false;
        }
        String dpMode = issuerConfig.iscrldp();
        HashMap crlsForDir = (HashMap) map.get(issuerConfig.getcrldir());
        if (!dpMode.equals("0")) {
            return verifyallcrls(x509Certificate, crlsForDir);
        }
        String dpName = null;
        try {
            dpName = CRLDPDEC.getcrldp(x509Certificate.getExtensionValue(X509Extensions.CRLDistributionPoints.getId()));
        } catch (Exception ignored) {
            // Unreadable distribution point: fall through to the full scan below.
        }
        if (dpName == null) {
            return verifyallcrls(x509Certificate, crlsForDir);
        }
        NetSignServer.lastCRLPortal = dpName + ".crl";
        NetSignX509CRL crl = (NetSignX509CRL) crlsForDir.get(dpName + ".crl");
        if (crl == null) {
            // CRL for this distribution point is not loaded: treated as "not revoked".
            return false;
        }
        return crl.isRevoked(x509Certificate);
    }

    /**
     * Tells whether the certificate appears on a loaded CRL belonging to the given trust config.
     *
     * <p>The check fails open when no CRL directory is configured or when no CRL is loaded for
     * the certificate's distribution point: both return {@code false} (not revoked). A parsing
     * failure of the CRL distribution point extension is swallowed and leads to a scan of every
     * loaded CRL. A missing CRL map entry raises NullPointerException.
     *
     * <p>Side effect: {@code NetSignServer.lastCRLPortal} is overwritten.
     *
     * @param trustConfig issuer configuration
     * @param x509Certificate certificate to check
     * @param map CRL directory name to map of loaded CRLs
     * @return {@code true} only when a loaded CRL lists the certificate
     */
    private boolean isCertRevokedforyongyou(TrustConfig trustConfig, X509Certificate x509Certificate, Map map) {
        String crlDir = trustConfig.getcrldir();
        if (crlDir == null || crlDir.equals("")) {
            // No CRL directory configured: treated as "not revoked".
            return false;
        }
        String dpMode = trustConfig.iscrldp();
        HashMap crlsForDir = (HashMap) map.get(crlDir);
        if (!dpMode.equals("0")) {
            return verifyallcrls(x509Certificate, crlsForDir);
        }
        String dpName = null;
        try {
            dpName = CRLDPDEC.getcrldp(x509Certificate.getExtensionValue(X509Extensions.CRLDistributionPoints.getId()));
        } catch (Exception ignored) {
            // Unreadable distribution point: fall through to the full scan below.
        }
        if (dpName == null) {
            return verifyallcrls(x509Certificate, crlsForDir);
        }
        NetSignServer.lastCRLPortal = dpName + ".crl";
        NetSignX509CRL crl = (NetSignX509CRL) crlsForDir.get(dpName + ".crl");
        if (crl == null) {
            // CRL for this distribution point is not loaded: treated as "not revoked".
            return false;
        }
        return crl.isRevoked(x509Certificate);
    }

    /**
     * Scans every CRL in the map and reports whether any of them lists the certificate.
     *
     * <p>Side effect: {@code NetSignServer.lastCRLPortal} is reset to {@code null}. An empty map
     * yields {@code false}; a {@code null} map raises NullPointerException.
     *
     * @param x509Certificate certificate to check
     * @param hashMap loaded CRLs, values of type {@code NetSignX509CRL}
     * @return {@code true} as soon as one CRL reports the certificate revoked
     */
    private boolean verifyallcrls(X509Certificate x509Certificate, HashMap hashMap) {
        Object[] loadedCrls = hashMap.values().toArray();
        NetSignServer.lastCRLPortal = null;
        for (Object entry : loadedCrls) {
            if (((NetSignX509CRL) entry).isRevoked(x509Certificate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the Authority Key Identifier extension and returns the bytes after a fixed 6-byte
     * prefix as a signed {@code BigInteger}.
     *
     * <p>NOTE(review): the extension is not DER-parsed. The constant offset presumably skips the
     * OCTET STRING, SEQUENCE and [0] headers in their short form; other layouts would yield a
     * different number. The certificate is untrusted at this point: an extension shorter than
     * 6 bytes raises NegativeArraySizeException and one of exactly 6 bytes raises
     * NumberFormatException, both unchecked.
     *
     * @param x509Certificate certificate to inspect
     * @return the key identifier as a number, or {@code BigInteger.ZERO} when the extension is
     *         absent or empty
     */
    private BigInteger getIssuerKid(X509Certificate x509Certificate) {
        byte[] akiExtension = x509Certificate.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
        boolean absent = akiExtension == null || akiExtension.length == 0;
        if (absent) {
            return BigInteger.ZERO;
        }
        int tailLength = akiExtension.length - 6;
        byte[] keyId = new byte[tailLength];
        System.arraycopy(akiExtension, 6, keyId, 0, keyId.length);
        return new BigInteger(keyId);
    }

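    /**
     * Checks that the certificate was signed by one of the trust anchors configured for its
     * issuer. No validity-period and no revocation check is made here.
     *
     * <p>The trust configuration is looked up by issuer DN, with {@code ":subjectkid=<n>"}
     * appended when the certificate carries an authority key identifier. Three spellings of the
     * DN are tried in turn: as printed, with the comma-separated parts reversed and trimmed, and
     * in the original order with the parts trimmed.
     *
     * <p>The certificate is accepted only when its signature verifies under at least one
     * anchor key. The previous loop reset the error code at the top of every iteration and
     * skipped anchors without a public key, so a run that ended on a skipped anchor returned
     * normally without any successful signature check.
     *
     * @param x509Certificate certificate to check
     * @param trustCerts trust store
     * @throws InvalidCertificateException with {@code "-10054"} when no trust configuration
     *         matches the issuer, or {@code "-10055"} when no anchor key verifies the signature
     */
    private void verifyCertAfterWards(X509Certificate x509Certificate, TrustCerts trustCerts) throws InvalidCertificateException {
        String principal = x509Certificate.getIssuerDN().toString();
        BigInteger issuerKid = getIssuerKid(x509Certificate);
        boolean hasKid = !issuerKid.equals(BigInteger.ZERO);
        String kidSuffix = ":subjectkid=" + issuerKid.toString();

        // Attempt 1: issuer DN exactly as the certificate object prints it.
        TrustConfig[] trustConfig = trustCerts.getCerts().getTrustConfig(hasKid ? principal + kidSuffix : principal);
        if (trustConfig == null) {
            // Attempt 2: DN parts in reverse order, trimmed (the first part is kept untrimmed).
            StringTokenizer forwardTokens = new StringTokenizer(principal, ",");
            String[] parts = new String[forwardTokens.countTokens()];
            int i = 0;
            while (forwardTokens.hasMoreElements()) {
                parts[i] = forwardTokens.nextToken();
                i++;
            }
            StringBuffer reversed = new StringBuffer();
            for (int idx = parts.length - 1; idx > 0; idx--) {
                reversed.append(parts[idx].trim());
                reversed.append(",");
            }
            reversed.append(parts[0]);
            String reversedDn = reversed.toString();
            trustConfig = trustCerts.getCerts().getTrustConfig(hasKid ? reversedDn + kidSuffix : reversedDn);
            if (trustConfig == null) {
                // Attempt 3: reverse again, which restores the original order without padding.
                StringTokenizer reversedTokens = new StringTokenizer(reversedDn, ",");
                String[] reversedParts = new String[reversedTokens.countTokens()];
                int i2 = 0;
                while (reversedTokens.hasMoreElements()) {
                    reversedParts[i2] = reversedTokens.nextToken();
                    i2++;
                }
                StringBuffer compact = new StringBuffer();
                for (int idx = reversedParts.length - 1; idx > 0; idx--) {
                    compact.append(reversedParts[idx]);
                    compact.append(",");
                }
                compact.append(reversedParts[0]);
                String compactDn = compact.toString();
                trustConfig = trustCerts.getCerts().getTrustConfig(hasKid ? compactDn + kidSuffix : compactDn);
            }
        }
        if (trustConfig == null || trustConfig.length == 0) {
            throw new InvalidCertificateException("-10054");
        }

        boolean verified = false;
        Exception lastFailure = null;
        for (TrustConfig candidate : trustConfig) {
            PublicKey publicKey = candidate.getrootcert().getPublicKey();
            if (publicKey == null) {
                // An anchor without a key cannot vouch for anything; it must not count as success.
                continue;
            }
            try {
                x509Certificate.verify(publicKey);
                verified = true;
                break;
            } catch (Exception e) {
                lastFailure = e;
            }
        }
        if (!verified) {
            if (lastFailure != null) {
                ConsoleLogger.logException(lastFailure);
            }
            throw new InvalidCertificateException("-10055");
        }
    }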

    /**
     * Checks a signer certificate against the trust store: optional validity period, optional
     * revocation, and the issuer's signature.
     *
     * <p>The trust configuration is looked up by issuer DN, with {@code ":subjectkid=<n>"}
     * appended when the certificate carries an authority key identifier. Three spellings of the
     * DN are tried: as printed, parts reversed and trimmed, and original order with trimmed parts.
     *
     * <p>Error codes thrown as the exception message: {@code -10054} no trust configuration for
     * the issuer, {@code -10055} validity or signature check failed, {@code -10056} revoked.
     *
     * <p>Only a direct signature by a configured root certificate is checked; no chain building
     * and no extension checks are visible in this method. The validity check can be switched off
     * with {@code z2}, the revocation check with {@code z} or a null {@code map}.
     *
     * @param x509Certificate certificate to check
     * @param map CRL lookup data; {@code null} disables the revocation check
     * @param trustCerts trust store
     * @param bArr passed to {@code verifySM2Cert} as its last argument when the root key is SM2
     * @param z enables the revocation check
     * @param z2 enables the validity-period check
     * @throws InvalidCertificateException with one of the codes above
     */
    private void verifyCert(X509Certificate x509Certificate, Map map, TrustCerts trustCerts, byte[] bArr, boolean z, boolean z2) throws InvalidCertificateException {
        String principal = x509Certificate.getIssuerDN().toString();
        BigInteger issuerKid = getIssuerKid(x509Certificate);
        // Attempt 1: issuer DN exactly as printed, plus the key-id suffix when one is present.
        TrustConfig[] trustConfig = trustCerts.getCerts().getTrustConfig(issuerKid.equals(BigInteger.ZERO) ? principal : new StringBuffer(String.valueOf(principal)).append(":subjectkid=").append(issuerKid.toString()).toString());
        if (trustConfig == null) {
            // Attempt 2: DN parts in reverse order, trimmed (the first part is kept untrimmed).
            StringTokenizer stringTokenizer = new StringTokenizer(principal, ",");
            String[] strArr = new String[stringTokenizer.countTokens()];
            int i = 0;
            while (stringTokenizer.hasMoreElements()) {
                strArr[i] = stringTokenizer.nextToken();
                i++;
            }
            StringBuffer stringBuffer = new StringBuffer();
            for (int length = strArr.length - 1; length > 0; length--) {
                stringBuffer.append(strArr[length].trim());
                stringBuffer.append(",");
            }
            stringBuffer.append(strArr[0]);
            String stringBuffer2 = stringBuffer.toString();
            trustConfig = trustCerts.getCerts().getTrustConfig(issuerKid.equals(BigInteger.ZERO) ? stringBuffer2 : new StringBuffer(String.valueOf(stringBuffer2)).append(":subjectkid=").append(issuerKid.toString()).toString());
            if (trustConfig == null) {
                // Attempt 3: reverse again, which restores the original order without padding.
                StringTokenizer stringTokenizer2 = new StringTokenizer(stringBuffer2, ",");
                String[] strArr2 = new String[stringTokenizer2.countTokens()];
                int i2 = 0;
                while (stringTokenizer2.hasMoreElements()) {
                    strArr2[i2] = stringTokenizer2.nextToken();
                    i2++;
                }
                StringBuffer stringBuffer3 = new StringBuffer();
                for (int length2 = strArr2.length - 1; length2 > 0; length2--) {
                    stringBuffer3.append(strArr2[length2]);
                    stringBuffer3.append(",");
                }
                stringBuffer3.append(strArr2[0]);
                String stringBuffer4 = stringBuffer3.toString();
                trustConfig = trustCerts.getCerts().getTrustConfig(issuerKid.equals(BigInteger.ZERO) ? stringBuffer4 : new StringBuffer(String.valueOf(stringBuffer4)).append(":subjectkid=").append(issuerKid.toString()).toString());
            }
        }
        if (trustConfig == null || trustConfig.length == 0) {
            throw new InvalidCertificateException("-10054");
        }
        int i3 = 0;
        // Validity period is checked only when the caller asks for it.
        if (z2) {
            try {
                x509Certificate.checkValidity();
            } catch (Exception e) {
                ConsoleLogger.logException(e);
                i3 = -10055;
            }
        }
        if (i3 == 0) {
            Exception exc = null;
            int i4 = 0;
            int length3 = trustConfig.length;
            while (true) {
                if (i4 >= length3) {
                    break;
                }
                i3 = 0;
                // Revocation runs before the signature check and only when map != null && z.
                if (map != null && z && isCertRevokedforyongyou(trustConfig[i4], x509Certificate, map)) {
                    i3 = -10056;
                    break;
                }
                PublicKey publicKey = trustConfig[i4].getrootcert().getPublicKey();
                try {
                    // SM2 roots use the vendor verifier; every other key type uses the JCA check.
                    if (publicKey instanceof JCESM2PublicKey) {
                        verifySM2Cert(x509Certificate, publicKey, bArr);
                    } else {
                        x509Certificate.verify(publicKey);
                    }
                } catch (Exception e2) {
                    exc = e2;
                    i3 = -10055;
                }
                // NOTE(review): this condition is always true, so the loop stops after the first
                // trust configuration and later entries are never tried. Looks like a decompiler
                // artefact of "stop on success"; confirm against the original class.
                if (0 == 0) {
                    break;
                } else {
                    i4++;
                }
            }
            if (i3 == -10055 && exc != null) {
                ConsoleLogger.logException(exc);
            }
        }
        if (i3 != 0) {
            throw new InvalidCertificateException(new StringBuffer(String.valueOf(i3)).toString());
        }
    }

    /**
     * Verifies a certificate's signature over its TBS bytes with an SM2 issuer key, using the
     * {@code "SM3"} digest through {@code SignatureUtil.verify}.
     *
     * @param x509Certificate certificate to check
     * @param publicKey issuer public key
     * @param bArr passed as the last argument of {@code SignatureUtil.verify}
     * @throws SignatureException when the signature does not verify
     */
    private void verifySM2Cert(X509Certificate x509Certificate, PublicKey publicKey, byte[] bArr) throws SignatureException, CertificateEncodingException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
        byte[] tbsBytes = x509Certificate.getTBSCertificate();
        byte[] certSignature = x509Certificate.getSignature();
        boolean signatureOk = SignatureUtil.verify(tbsBytes, certSignature, publicKey, "SM3", bArr);
        if (!signatureOk) {
            throw new SignatureException("Certificate verify failed.");
        }
    }

    /**
     * Encrypts {@code bArr} into a PKCS#7 EnvelopedData message for one recipient.
     *
     * <p>The recipient certificate is used as given; no trust, validity or revocation check on
     * it is made in this method.
     *
     * @param bArr data to encrypt
     * @param x509Certificate recipient certificate; must not be null
     * @param i forwarded to {@code PKCS7EnvelopedData.encrypt}
     * @return the enveloped message
     * @throws InvalidCertificateException when the certificate is null
     */
    public byte[] composeSingleEnvelopedMsg(byte[] bArr, X509Certificate x509Certificate, int i) throws InvalidCertificateException, NoSuchProviderException, CertificateException, EncryptAlgException, EncryptDataException, EncryptKeyException, WriteEnvDataException {
        PKCS7EnvelopedData envelope = new PKCS7EnvelopedData();
        if (x509Certificate != null) {
            return envelope.encrypt(bArr, x509Certificate, i);
        }
        throw new InvalidCertificateException(NetSignRes.CERTIFICATE_ERROR);
    }

    /**
     * Decrypts a PKCS#7 EnvelopedData message with the first certificate of the key store's
     * chain and the key store's private key.
     *
     * <p>{@code encCert} and its info strings are stored before decryption is attempted. Every
     * failure is reported as {@code DecryptDataException} whose message embeds the cause's
     * {@code toString()}; if that text is returned to a remote peer it reveals which step
     * failed, so consider mapping it to a generic error at the service boundary.
     *
     * @param bArr enveloped message; must be non-empty
     * @param serverKeyStore decryption key material
     * @return the decrypted bytes, also stored as the current content data
     * @throws InvalidParameterException when {@code bArr} is null or empty
     * @throws DecryptDataException when decryption fails for any reason
     */
    public byte[] decomposeSingleEnvelopedMsg(byte[] bArr, ServerKeyStore serverKeyStore) throws CertificateException, InvalidCertificateException, InvalidKeyException, CertificateNotMatchException, DecryptKeyException, DecryptDataException, CRLException, ServerKeyStoreException, NoSuchAlgorithmException, NoSuchProviderException {
        boolean noInput = bArr == null || bArr.length == 0;
        if (noInput) {
            throw new InvalidParameterException(NetSignRes.P7ENVDATA_IS_NULL);
        }
        X509Certificate recipientCert = serverKeyStore.getCertChain()[0];
        this.encCert = recipientCert;
        getEncCert();
        PrivateKey recipientKey = serverKeyStore.getPrivateKey();
        this.p7ed = new PKCS7EnvelopedData();
        byte[] plain;
        try {
            plain = this.p7ed.decrypt(bArr, recipientCert, recipientKey);
        } catch (Exception e) {
            throw new DecryptDataException("Can not decrypt:" + e.toString());
        }
        this.ContentData = plain;
        return plain;
    }

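    /**
     * Verifies the first signer of an attached PKCS#7/CMS SignedData message using SHA-1 and RSA.
     *
     * <p>Steps, in order: extract the embedded content into {@code ContentData}; pick the first
     * SignerInfo; locate the signer certificate among the embedded certificates; pass it to
     * {@code verifyCert} together with {@code trustCerts} and {@code map}; compare the SHA-1
     * digest of the content with the message-digest signed attribute (when signed attributes are
     * present); and finally check the RSA signature over the signed attributes, or over the
     * content when there are none.
     *
     * <p>The RSA check recovers the signature block with the public key and requires the whole
     * block to be a well-formed PKCS#1 v1.5 type-1 encoding of the SHA-1 digest. Comparing only
     * the trailing 20 bytes, without inspecting the padding in front of them, would accept blocks
     * that no holder of the private key produced.
     *
     * <p>Every failure inside the certificate/digest/signature stage, including a rejected
     * certificate or a bad signature, is reported as
     * {@code CertificateException("Decode signingcert failed")}; callers cannot tell these apart.
     *
     * <p>NOTE(review): only the first SignerInfo is examined, SHA-1 is used regardless of the
     * digest algorithm the SignerInfo declares, and the content-type signed attribute is not
     * checked. Confirm this is acceptable for the peers that use this format.
     *
     * @param bArr encoded SignedData with attached content
     * @param trustCerts trust anchors handed to {@code verifyCert}; {@code null} is rejected
     * @param map passed through to {@code verifyCert} unchanged
     * @throws CMSException if the message has no content, no signer, no certificates, or no
     *     certificate matching the signer identifier
     * @throws CertificateException if certificate decoding, certificate validation, the digest
     *     comparison or the signature check fails
     */
    public void verifyILBERAttachedSignature(byte[] bArr, TrustCerts trustCerts, Map map) throws CMSException, NoSuchAlgorithmException, IOException, SignatureException, NoSuchProviderException, InvalidCertificateException, CertificateException {
        CMSSignedData cMSSignedData = new CMSSignedData(bArr);
        CMSProcessableByteArray signedContent = cMSSignedData.getSignedContent();
        if (signedContent == null) {
            throw new CMSException("No plaintext in the PKCS#7 signeddata");
        }
        this.ContentData = (byte[]) signedContent.getContent();
        // NOTE(review): this hands the full, not yet verified content to ConsoleLogger; confirm
        // that logger is disabled or access-controlled where the content is sensitive.
        ConsoleLogger.logBinary("conetent", this.ContentData);

        SignerInformationStore signerInfos = cMSSignedData.getSignerInfos();
        SignerInformation[] signers = (SignerInformation[]) signerInfos.getSigners().toArray(new SignerInformation[0]);
        if (signers.length == 0) {
            throw new CMSException("No signerinfo in the PKCS#7 signeddata");
        }
        SignerInformation signerInformation = signers[0];
        byte[] encodedSignedAttributes = signerInformation.getEncodedSignedAttributes();
        ConsoleLogger.logBinary("Encoded Signed Attributes", encodedSignedAttributes);
        byte[] signature = signerInformation.getSignature();
        ConsoleLogger.logBinary("signed", signature);

        SignerId sid = signerInformation.getSID();
        byte[] issuerAsBytes = sid.getIssuerAsBytes();
        BigInteger serialNumber = sid.getSerialNumber();
        ArrayList arrayList = (ArrayList) cMSSignedData.getCertificates().getMatches((Selector) null);
        // Check before touching the list: logging its size first would fail on a null result.
        if (arrayList == null || arrayList.size() == 0) {
            throw new CMSException("Size of certificates in the PKCS#7 signeddata is zero");
        }
        ConsoleLogger.logString("size of cert list:" + arrayList.size());

        X509CertificateHolder x509CertificateHolder = null;
        if (arrayList.size() == 1) {
            // NOTE(review): a lone certificate is used without comparing it to the signer
            // identifier. The signature is still checked against its key and the certificate
            // still goes through verifyCert, but confirm the missing match is intended.
            x509CertificateHolder = (X509CertificateHolder) arrayList.get(0);
        } else {
            for (int i = 0; i < arrayList.size(); i++) {
                X509CertificateHolder candidate = (X509CertificateHolder) arrayList.get(i);
                if (Arrays.equals(candidate.getIssuer().getEncoded(), issuerAsBytes) && candidate.getSerialNumber().equals(serialNumber)) {
                    x509CertificateHolder = candidate;
                    break;
                }
            }
        }
        if (x509CertificateHolder == null) {
            throw new CMSException("No certificate whose IssuerAndSerailNumber is:" + sid.getIssuerAsString() + sid.getSerialNumber().toString(16));
        }

        try {
            this.signingCert = (X509Certificate) CertificateFactory.getInstance("X.509", "INFOSEC").generateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded()));
            // Return value is unused; the call is kept in case the getter has side effects.
            getSignCert();
            if (trustCerts == null) {
                throw new InvalidCertificateException("-10057");
            }
            verifyCert(this.signingCert, map, trustCerts, null, true, true);

            MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
            byte[] digest = messageDigest.digest(this.ContentData);
            ConsoleLogger.logBinary("Content digest", digest);
            if (encodedSignedAttributes != null && encodedSignedAttributes.length > 0) {
                // With signed attributes the signature covers the attributes, so the content is
                // bound through the message-digest attribute, whose encoding ends with the digest.
                byte[] encoded = signerInformation.getSignedAttributes().get(mdOID).getEncoded();
                ConsoleLogger.logBinary("Content digest in p7", encoded);
                if (encoded.length < digest.length) {
                    throw new SignatureException("Digest of the content verify failed");
                }
                byte[] claimedDigest = new byte[digest.length];
                System.arraycopy(encoded, encoded.length - digest.length, claimedDigest, 0, digest.length);
                if (!MessageDigest.isEqual(digest, claimedDigest)) {
                    throw new SignatureException("Digest of the content verify failed");
                }
                digest = messageDigest.digest(encodedSignedAttributes);
                ConsoleLogger.logBinary("Digest data of Signed Attributes", digest);
            }

            try {
                RSAPublicKeyStructure rSAPublicKeyStructure = RSAPublicKeyStructure.getInstance(x509CertificateHolder.getSubjectPublicKeyInfo().getPublicKey());
                BigInteger modulus = rSAPublicKeyStructure.getModulus();
                // Signum 1 reads the signature as an unsigned integer whatever its first byte is.
                BigInteger representative = new BigInteger(1, signature);
                if (representative.compareTo(modulus) >= 0) {
                    throw new SignatureException("Verify failed");
                }
                BigInteger recovered = representative.modPow(rSAPublicKeyStructure.getPublicExponent(), modulus);
                ConsoleLogger.logBinary("decoded", recovered.toByteArray());
                byte[] block = toModulusLengthBlock(recovered, (modulus.bitLength() + 7) / 8);
                if (!isPkcs1Sha1SignatureBlock(block, digest)) {
                    throw new SignatureException("Verify failed");
                }
            } catch (Throwable th) {
                ConsoleLogger.logException(th);
                throw new SignatureException(th.toString());
            }
        } catch (Exception e) {
            // Everything above, not only certificate decoding, ends up here and is reported with
            // the same message; the original exception is only visible in the log.
            ConsoleLogger.logException(e);
            throw new CertificateException("Decode signingcert failed");
        }
    }

    /**
     * Returns {@code value} as an unsigned big-endian array of exactly {@code length} bytes, or
     * {@code null} when the value does not fit.
     */
    private static byte[] toModulusLengthBlock(BigInteger value, int length) {
        byte[] raw = value.toByteArray();
        // toByteArray() may prepend a zero sign byte; it is not part of the magnitude.
        int start = (raw.length > 1 && raw[0] == 0) ? 1 : 0;
        int significant = raw.length - start;
        if (significant > length) {
            return null;
        }
        byte[] block = new byte[length];
        System.arraycopy(raw, start, block, length - significant, significant);
        return block;
    }

    /**
     * Checks that {@code block} is exactly {@code 00 01 FF..FF 00 || T} for the given SHA-1
     * digest, where T is the SHA-1 DigestInfo followed by the digest.
     *
     * <p>A bare digest without DigestInfo is also accepted, because the previous trailing-bytes
     * comparison never required one. NOTE(review): drop that variant once all peers are known to
     * emit a DigestInfo.
     */
    private static boolean isPkcs1Sha1SignatureBlock(byte[] block, byte[] digest) {
        if (block == null || digest == null) {
            return false;
        }
        // DER prefix of DigestInfo for SHA-1 (algorithm 1.3.14.3.2.26, NULL parameters).
        byte[] sha1DigestInfoPrefix = {
            0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
        };
        byte[] standard = buildPkcs1Type1Block(block.length, sha1DigestInfoPrefix, digest);
        byte[] bareDigest = buildPkcs1Type1Block(block.length, new byte[0], digest);
        // Evaluate both comparisons unconditionally so the result does not depend on which one ran.
        boolean matchesStandard = standard != null && MessageDigest.isEqual(block, standard);
        boolean matchesBare = bareDigest != null && MessageDigest.isEqual(block, bareDigest);
        return matchesStandard | matchesBare;
    }

    /**
     * Builds the expected type-1 block of {@code blockLength} bytes, or returns {@code null} when
     * the block is too short to hold the payload plus at least eight padding bytes.
     */
    private static byte[] buildPkcs1Type1Block(int blockLength, byte[] prefix, byte[] digest) {
        int payloadLength = prefix.length + digest.length;
        // 00 01, at least eight FF bytes and the 00 separator take eleven bytes.
        if (blockLength < payloadLength + 11) {
            return null;
        }
        byte[] expected = new byte[blockLength];
        expected[1] = 1;
        Arrays.fill(expected, 2, blockLength - payloadLength - 1, (byte) 0xFF);
        System.arraycopy(prefix, 0, expected, blockLength - payloadLength, prefix.length);
        System.arraycopy(digest, 0, expected, blockLength - digest.length, digest.length);
        return expected;
    }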
}
