package cfca.sadk.tls.kse;

import cfca.sadk.algorithm.sm2.SM2PrivateKey;
import cfca.sadk.org.bouncycastle.crypto.digests.SM3Digest;
import cfca.sadk.org.bouncycastle.jce.provider.BouncyCastleProvider;
import cfca.sadk.system.SecureRandoms;
import cfca.sadk.tls.sun.security.ssl.JSSEProvider;
import cfca.sadk.tls.sun.security.validator.GMCertificateException;
import cfca.sadk.tls.sun.security.validator.TLSValidator;
import cfca.sadk.tls.util.Args;
import cfca.sadk.tls.util.Loggings;
import cfca.sadk.util.Base64;
import cfca.sadk.util.CertUtil;
import cfca.sadk.util.KeyUtil;
import cfca.sadk.x509.certificate.X509Cert;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Locale;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:cfca/sadk/tls/kse/KeystoreUtils.class */
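/**
 * Builds JSSE {@link SSLContext}, {@link TrustManager} and {@link KeyManager} objects for the
 * project's GM TLS provider from CA certificate files and SM2 key files.
 *
 * <p>All trust and key material is staged in in-memory BKS keystores that are never written to
 * disk; the password protecting the key entries is a random throw-away value generated per call
 * and exists only to satisfy the {@link KeyStore}/{@link KeyManagerFactory} API.
 *
 * <p>Singleton; use {@link #INSTANCE}.
 */
public class KeystoreUtils {
    public static final KeystoreUtils INSTANCE = new KeystoreUtils();
    /** Provider used for X.509 parsing, the SM2 {@link KeyFactory} and the BKS keystores. */
    private final Provider provider = new BouncyCastleProvider();
    /** Provider supplying the "GMTLSv1.1" SSLContext and the "GMTX509" manager factories. */
    private final Provider jsse = JSSEProvider.INSTANCE;

    private KeystoreUtils() {
    }

    /**
     * Parses DER-encoded X.509 bytes into a JCA {@link Certificate} using {@link #provider}.
     *
     * @param der DER-encoded certificate
     * @throws Exception if the bytes are not a parseable certificate
     */
    private Certificate certFrom(byte[] der) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509", this.provider);
        return factory.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * SM3 digest of {@code data}, Base64-encoded. A {@code null} input digests as empty input.
     *
     * <p>Used as a content-derived keystore alias, so byte-identical certificates collapse into a
     * single entry.
     */
    private String hashImprint(byte[] data) {
        SM3Digest digest = new SM3Digest();
        if (data != null) {
            digest.update(data, 0, data.length);
        }
        byte[] out = new byte[32];
        digest.doFinal(out, 0);
        return Base64.toBase64String(out);
    }

    /**
     * Builds a "GMTLSv1.1" {@link SSLContext} from the trust file and SM2 key files described by
     * {@code certBean}.
     *
     * <p>When {@code certBean} names no signing-key file, {@link #buildKeyManager(CertBean)}
     * returns {@code null} and the context is initialised without key managers.
     * NOTE(review): with the standard JSSE contract a {@code null} key-manager array makes the
     * provider fall back to its default key material (e.g. {@code javax.net.ssl.keyStore});
     * whether the GM provider does the same is not visible here — confirm before relying on
     * "no key file" meaning "no local certificate".
     *
     * @param certBean source of the trust file path and SM2 key file paths/passwords
     * @throws Exception if {@code certBean} is {@code null}, a file is missing or unsupported, a
     *     key cannot be decrypted, or a certificate fails {@link TLSValidator} validation
     */
    public SSLContext buildSSLContext(CertBean certBean) throws Exception {
        TrustManager[] trustManagers = buildTrustManager(certBean);
        KeyManager[] keyManagers = buildKeyManager(certBean);
        SSLContext context = SSLContext.getInstance("GMTLSv1.1", this.jsse);
        context.init(keyManagers, trustManagers, new SecureRandom());
        return context;
    }

    /** Convenience overload: builds a {@link CertBean} from {@code config} first. */
    public SSLContext buildSSLContext(String config) throws Exception {
        return buildSSLContext(new CertBean(config));
    }

    /** Trust managers for the trust file named by {@code certBean}; see {@link #buildTrustManagerFactory(CertBean)}. */
    public TrustManager[] buildTrustManager(CertBean certBean) throws Exception {
        TrustManagerFactory factory = buildTrustManagerFactory(certBean);
        return factory == null ? null : factory.getTrustManagers();
    }

    /** Trust managers for the certificate file at {@code certsFilePath}; see {@link #buildTrustManagerFactory(String)}. */
    public TrustManager[] buildTrustManager(String certsFilePath) throws Exception {
        TrustManagerFactory factory = buildTrustManagerFactory(certsFilePath);
        return factory == null ? null : factory.getTrustManagers();
    }

    /** Trust managers trusting exactly {@code cacerts}; see {@link #buildTrustManagerFactory(X509Cert[])}. */
    public TrustManager[] buildTrustManager(X509Cert[] cacerts) throws Exception {
        TrustManagerFactory factory = buildTrustManagerFactory(cacerts);
        return factory == null ? null : factory.getTrustManagers();
    }

    /**
     * Trust-manager factory for the trust file named by {@code certBean.getTrustsFilePath()}.
     *
     * @throws Exception if {@code certBean} is {@code null} (message {@code certBean=null}) or the
     *     file cannot be loaded
     */
    public TrustManagerFactory buildTrustManagerFactory(CertBean certBean) throws Exception {
        if (certBean == null) {
            throw new Exception("certBean=null");
        }
        return buildTrustManagerFactory(certBean.getTrustsFilePath());
    }

    /**
     * Loads CA certificates from {@code certsFilePath} and returns a trust-manager factory over
     * them. The format is chosen by file extension (case-insensitive): {@code .cer}/{@code .der}
     * hold a single certificate, {@code .p7b} a PKCS#7 bundle parsed by
     * {@link CertUtil#parseP7B(String)}.
     *
     * @throws Exception if the path is empty, missing, not a regular file, or has another extension
     */
    public TrustManagerFactory buildTrustManagerFactory(String certsFilePath) throws Exception {
        File file = new File((String) Args.notEmpty(certsFilePath, "certsFilePath"));
        if (!file.exists()) {
            throw new Exception("file not found certsFilePath=" + certsFilePath);
        }
        if (!file.isFile()) {
            throw new Exception("not file certsFilePath=" + certsFilePath);
        }
        // Locale.ROOT: extension matching must not depend on the JVM's default locale.
        String name = file.getName().toLowerCase(Locale.ROOT);
        X509Cert[] cacerts;
        if (name.endsWith(".cer") || name.endsWith(".der")) {
            cacerts = new X509Cert[] {new X509Cert(certsFilePath)};
        } else if (name.endsWith(".p7b")) {
            cacerts = CertUtil.parseP7B(certsFilePath);
        } else {
            throw new Exception("do not support certsFilePath=" + certsFilePath);
        }
        return buildTrustManagerFactory(cacerts);
    }

    /**
     * Builds a "GMTX509" trust-manager factory over an in-memory BKS keystore holding
     * {@code cacerts}. Entries are keyed by {@link #hashImprint} of their DER encoding, so
     * duplicates collapse; {@code null} elements are skipped.
     *
     * @throws Exception if {@code cacerts} is {@code null}/empty, or every element is {@code null}
     *     — an empty trust store must never be handed to the TLS layer silently
     */
    public TrustManagerFactory buildTrustManagerFactory(X509Cert[] cacerts) throws Exception {
        if (cacerts == null || cacerts.length == 0) {
            throw new Exception("cacerts==null/length==0");
        }
        KeyStore trustStore = KeyStore.getInstance("BKS", this.provider);
        trustStore.load(null, null);
        int loaded = 0;
        for (X509Cert cert : cacerts) {
            if (cert == null) {
                continue;
            }
            byte[] der = cert.getEncoded();
            trustStore.setCertificateEntry(hashImprint(der), certFrom(der));
            loaded++;
        }
        if (loaded == 0) {
            // All elements were null: reject rather than initialise a factory over an empty store.
            throw new Exception("cacerts==null/length==0");
        }
        TrustManagerFactory factory = TrustManagerFactory.getInstance("GMTX509", this.jsse);
        factory.init(trustStore);
        return factory;
    }

    /** Key managers for the SM2 files named by {@code certBean}; {@code null} when none configured. */
    public KeyManager[] buildKeyManager(CertBean certBean) throws Exception {
        KeyManagerFactory factory = buildKeyManagerFactory(certBean);
        return factory == null ? null : factory.getKeyManagers();
    }

    /** Key managers for the given SM2 files; {@code null} when {@code scerPath} is {@code null}. */
    public KeyManager[] buildKeyManager(String scerPath, String scerPass, String ecerPath, String ecerPass)
            throws Exception {
        KeyManagerFactory factory = buildKeyManagerFactory(scerPath, scerPass, ecerPath, ecerPass);
        return factory == null ? null : factory.getKeyManagers();
    }

    /** Key managers for already-loaded signing and encryption key pairs. */
    public KeyManager[] buildKeyManager(PrivateKey sm2Skey, X509Cert sm2Scer, PrivateKey sm2Ekey, X509Cert sm2Ecer)
            throws Exception {
        KeyManagerFactory factory = buildKeyManagerFactory(sm2Skey, sm2Scer, sm2Ekey, sm2Ecer);
        return factory == null ? null : factory.getKeyManagers();
    }

    /**
     * Key-manager factory for the signing/encryption SM2 files named by {@code certBean}.
     *
     * @throws Exception if {@code certBean} is {@code null} (message {@code certBean=null})
     */
    public KeyManagerFactory buildKeyManagerFactory(CertBean certBean) throws Exception {
        if (certBean == null) {
            throw new Exception("certBean=null");
        }
        return buildKeyManagerFactory(certBean.getSigSM2FilePath(), certBean.getSigSM2FilePass(),
                certBean.getEncSM2FilePath(), certBean.getEncSM2FilePass());
    }

    /**
     * Loads the signing and encryption SM2 key files, validates both certificates with
     * {@link TLSValidator}, and builds a key-manager factory over them.
     *
     * <p>Returns {@code null} — no key material — when {@code scerPath} is {@code null}. When a
     * signing-key path is given, the signing password and both encryption-key parameters are
     * mandatory. Passwords are passed through {@link PasswordTool#restored} before use.
     *
     * @param scerPath signing SM2 file path, or {@code null} for "no local key"
     * @param scerPass signing SM2 file password
     * @param ecerPath encryption SM2 file path
     * @param ecerPass encryption SM2 file password
     * @throws GMCertificateException if either certificate fails validation (logged as
     *     "signer cert check failed" / "cipher cert check failed" respectively, then rethrown)
     * @throws Exception on missing parameters or unreadable files/keys
     */
    public KeyManagerFactory buildKeyManagerFactory(String scerPath, String scerPass, String ecerPath, String ecerPass)
            throws Exception {
        if (scerPath == null) {
            return null;
        }
        if (scerPass == null) {
            throw new Exception("scerPass==null");
        }
        if (ecerPath == null || ecerPass == null) {
            throw new Exception("ecerPath==null/ecerPass==null");
        }
        SM2PrivateKey sigKey = KeyUtil.getPrivateKeyFromSM2(scerPath, PasswordTool.restored(scerPass, "scerPass"));
        SM2PrivateKey encKey = KeyUtil.getPrivateKeyFromSM2(ecerPath, PasswordTool.restored(ecerPass, "ecerPass"));

        // Each certificate is validated in its own try block so the log line names the right one.
        X509Cert sigCert = CertUtil.getCertFromSM2(scerPath);
        try {
            TLSValidator.validate(sigCert);
        } catch (GMCertificateException e) {
            Loggings.ERROR.error("signer cert check failed", e);
            throw e;
        }
        X509Cert encCert = CertUtil.getCertFromSM2(ecerPath);
        try {
            TLSValidator.validate(encCert);
        } catch (GMCertificateException e) {
            Loggings.ERROR.error("cipher cert check failed", e);
            throw e;
        }
        // Casts select the PrivateKey overload.
        return buildKeyManagerFactory((PrivateKey) sigKey, sigCert, (PrivateKey) encKey, encCert);
    }

    /**
     * Builds a "GMTX509" key-manager factory holding the signing and encryption key pairs.
     *
     * <p>Both keys are re-encoded through the provider's SM2 {@link KeyFactory} (PKCS#8) and
     * stored in an in-memory BKS keystore under aliases of the form
     * {@code GMSSLSN<serial>-<sm3-imprint>@signer} / {@code @cipher}. The keystore password is
     * 12 random bytes from {@link SecureRandoms}, Base64-encoded; it never leaves this method
     * and is not a secret the caller needs to manage.
     *
     * @throws Exception if any key or certificate is {@code null}, or re-encoding/loading fails
     */
    public KeyManagerFactory buildKeyManagerFactory(PrivateKey sm2Skey, X509Cert sm2Scer, PrivateKey sm2Ekey, X509Cert sm2Ecer)
            throws Exception {
        if (sm2Skey == null || sm2Scer == null) {
            throw new Exception("sm2Skey==null/sm2Scer==null");
        }
        if (sm2Ekey == null || sm2Ecer == null) {
            throw new Exception("sm2Ekey==null/sm2Ecer==null");
        }
        char[] storePass = Base64.toBase64String(SecureRandoms.getInstance().genBytes(12)).toCharArray();

        KeyFactory sm2Factory = KeyFactory.getInstance("SM2", this.provider);
        PrivateKey sigKey = sm2Factory.generatePrivate(new PKCS8EncodedKeySpec(sm2Skey.getEncoded()));
        PrivateKey encKey = sm2Factory.generatePrivate(new PKCS8EncodedKeySpec(sm2Ekey.getEncoded()));

        byte[] sigDer = sm2Scer.getEncoding();
        byte[] encDer = sm2Ecer.getEncoding();
        String sigAlias = String.format("GMSSLSN%s-%s@signer", sm2Scer.getStringSerialNumber(), hashImprint(sigDer));
        String encAlias = String.format("GMSSLSN%s-%s@cipher", sm2Ecer.getStringSerialNumber(), hashImprint(encDer));

        KeyStore keyStore = KeyStore.getInstance("BKS", this.provider);
        keyStore.load(null, null);
        keyStore.setKeyEntry(sigAlias, sigKey, storePass, new Certificate[] {certFrom(sigDer)});
        keyStore.setKeyEntry(encAlias, encKey, storePass, new Certificate[] {certFrom(encDer)});

        KeyManagerFactory factory = KeyManagerFactory.getInstance("GMTX509", this.jsse);
        factory.init(keyStore, storePass);
        return factory;
    }
}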
