package kd.ebg.aqap.banks.pab.opa.sign.sign.signcfca;

import com.cfca.util.pki.PKIException;
import com.cfca.util.pki.api.CertUtil;
import com.cfca.util.pki.api.SignatureUtil;
import com.cfca.util.pki.cert.X509Cert;
import com.cfca.util.pki.cipher.Session;
import com.cfca.util.pki.crl.X509CRL;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import kd.bos.dataentity.resource.ResManager;
import kd.ebg.egf.common.log.EBGLogger;

/* loaded from: input_file:kd/ebg/aqap/banks/pab/opa/sign/sign/signcfca/CertDNVerifer.class */
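/**
 * Verifies a CFCA signature and, optionally, that the signing certificate is one the
 * caller has explicitly allow-listed, chains to the configured CA certificates and is
 * not listed in the configured CRL.
 *
 * <p>The allow-list is keyed on the {@code CN} attribute of the certificate subject,
 * normalised by {@link #getCN(String)} (upper-cased, whitespace removed). Both the
 * configured DNs and the signer's subject go through the same normalisation, so they
 * compare consistently even for subjects with unusual spacing or casing.
 *
 * <p>Configuration is plain field assignment with no synchronisation; configure the
 * instance fully before sharing it between threads.
 */
public class CertDNVerifer {
    private static final EBGLogger log = EBGLogger.getInstance().getLogger(CertDNVerifer.class);

    /**
     * Algorithm name handed to the CFCA PKCS#1 verifier. SHA-1 is a legacy digest; the
     * name is kept because it is what the counterparty's PKCS#1 signatures are produced
     * with, so changing it here would reject every valid message.
     */
    private static final String P1_SIGN_ALGORITHM = "SHA1withRSAEncryption";

    private final Session session;
    // When false, verifyMsg() only checks the cryptographic signature and skips the
    // allow-list / chain / CRL checks entirely. Leave it at the default unless the
    // caller performs those checks itself.
    private boolean checkCert = true;
    // Normalised CN values allowed to sign; null until setDns() has been called.
    private Set<String> dns;
    // Trust anchors for CertUtil.verifyCertSign(); null means "not configured" and
    // makes every certificate check fail closed.
    private X509Cert[] caCerts;
    // Optional revocation list; when null no revocation check is performed at all.
    private X509CRL crl;

    /**
     * Creates a verifier bound to the given CFCA session.
     *
     * @param session CFCA session used for all signature and certificate operations
     */
    public CertDNVerifer(Session session) {
        this.session = session;
    }

    /**
     * Verifies the signature over {@code bArr} and, when {@link #isCheckCert()} is true,
     * that the signing certificate is allow-listed, chains to the configured CA
     * certificates and is not revoked.
     *
     * @param bArr      the signed data
     * @param bArr2     the signature: a detached PKCS#7 when {@code z} is true, otherwise a raw PKCS#1 signature
     * @param x509Cert  the signer certificate for the PKCS#1 case; ignored when {@code z} is true,
     *                  because the signer is taken from the PKCS#7 structure
     * @param z         true for detached PKCS#7, false for PKCS#1
     * @return true only if every enabled check passes; every failure is logged and yields false
     * @throws Exception if the signer's subject has no {@code CN} attribute (see {@link #getCN(String)}),
     *                   or if the underlying CFCA calls throw
     */
    public boolean verifyMsg(byte[] bArr, byte[] bArr2, X509Cert x509Cert, boolean z) throws Exception {
        SignatureUtil signatureUtil = new SignatureUtil();
        X509Cert signerCert;
        if (z) {
            if (!signatureUtil.p7VerifySignMessageDetached(bArr, bArr2, this.session)) {
                log.error("签名不正确");
                return false;
            }
            // Guard against an empty signer array instead of letting [0] throw.
            X509Cert[] signers = signatureUtil.getSigerCert();
            if (signers == null || signers.length == 0) {
                log.error("未获取到签名者证书");
                return false;
            }
            signerCert = signers[0];
        } else {
            if (!signatureUtil.p1VerifySignMessage(bArr, bArr2, P1_SIGN_ALGORITHM, x509Cert, this.session)) {
                log.error("签名不正确");
                return false;
            }
            signerCert = x509Cert;
        }
        log.info("签名者=" + signerCert.getSubject());
        if (!this.checkCert) {
            return true;
        }
        return isTrustedSigner(signerCert);
    }

    /**
     * Applies the allow-list, certificate-chain and CRL checks to an already
     * signature-verified certificate. Missing configuration (no DNs, no CA chain)
     * fails closed; a missing CRL skips the revocation check, matching the
     * original behaviour.
     *
     * @param signerCert the certificate whose signature has already been verified
     * @return true if the certificate is trusted
     * @throws Exception if the subject has no {@code CN} attribute
     */
    private boolean isTrustedSigner(X509Cert signerCert) throws Exception {
        String cn = getCN(signerCert.getSubject());
        // Previously a missing allow-list surfaced as a NullPointerException; an explicit
        // rejection with a log line is clearer and still fails closed.
        if (this.dns == null) {
            log.error("未设置授权签名证书DN");
            return false;
        }
        if (!this.dns.contains(cn)) {
            log.error("未授权的签名证书DN:[" + cn + "]");
            return false;
        }
        if (this.caCerts == null) {
            log.error("未设置证书链");
            return false;
        }
        try {
            if (!CertUtil.verifyCertSign(signerCert, this.caCerts, this.session)) {
                log.error("签名证书不合法");
                return false;
            }
            // No CRL configured means revocation is not checked; callers that need
            // revocation must call setCrl().
            if (this.crl != null && this.crl.isRevoke(signerCert)) {
                log.error("证书已经吊销");
                return false;
            }
            return true;
        } catch (PKIException e) {
            // e.toString() keeps the exception type even when the message is null.
            log.error("验签名失败：" + e);
            return false;
        }
    }

    /**
     * Extracts the value of the first {@code CN=} attribute of a DN string, with all
     * whitespace removed and upper-cased in {@link Locale#ENGLISH}.
     *
     * <p>The value is cut at the next comma without RFC 4514 unescaping, so a CN that
     * contains an escaped comma is truncated there. Because allow-list entries are
     * normalised by this same method, truncated values still match each other.
     *
     * @param str the distinguished name, e.g. {@code "CN=Foo, O=Bar"}
     * @return the normalised CN value
     * @throws Exception if {@code str} is null or contains no {@code CN=} attribute
     */
    private String getCN(String str) throws Exception {
        // Match case-insensitively on the original string rather than on an upper-cased
        // copy: toUpperCase can change the string length for some characters, which
        // would shift the index used to slice the value.
        int start = str == null ? -1 : indexOfIgnoreCase(str, "CN=");
        if (start == -1) {
            log.error("证书主题格式非法：" + str);
            throw new Exception(String.format(ResManager.loadKDString("证书主题格式非法：%s。", "CertDNVerifer_1", "ebg-aqap-banks-pab-opa", new Object[0]), str));
        }
        int valueStart = start + 3;
        int end = str.indexOf(',', valueStart);
        if (end == -1) {
            end = str.length();
        }
        StringBuilder sb = new StringBuilder(end - valueStart);
        for (int i = valueStart; i < end; i++) {
            char c = str.charAt(i);
            if (!Character.isWhitespace(c)) {
                sb.append(c);
            }
        }
        return sb.toString().toUpperCase(Locale.ENGLISH);
    }

    /**
     * Returns the index of the first case-insensitive occurrence of {@code needle}
     * in {@code haystack}, or -1 if absent. Indices refer to {@code haystack} itself.
     */
    private static int indexOfIgnoreCase(String haystack, String needle) {
        int last = haystack.length() - needle.length();
        for (int i = 0; i <= last; i++) {
            if (haystack.regionMatches(true, i, needle, 0, needle.length())) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Returns a read-only view of the normalised allow-list, or null if
     * {@link #setDns(Set)} has not been called. The view is read-only so that entries
     * cannot be added without going through the normalisation in {@code setDns}.
     *
     * @return the normalised CN allow-list, or null
     */
    public Set<String> getDns() {
        return this.dns == null ? null : Collections.unmodifiableSet(this.dns);
    }

    /**
     * Replaces the allow-list. Each DN is reduced to its normalised CN; entries that
     * cannot be parsed are logged and dropped, the remaining entries still apply.
     *
     * @param set DNs of certificates allowed to sign; must not be null
     * @throws NullPointerException if {@code set} is null
     */
    public void setDns(Set<String> set) {
        Objects.requireNonNull(set, "set");
        Set<String> normalised = new HashSet<>();
        for (String dn : set) {
            try {
                normalised.add(getCN(dn));
            } catch (Exception e) {
                // Best-effort: one malformed entry must not discard the whole allow-list.
                log.error(e.toString());
            }
        }
        this.dns = normalised;
    }

    /** @return whether the allow-list / chain / CRL checks run after signature verification */
    public boolean isCheckCert() {
        return this.checkCert;
    }

    /**
     * Enables or disables the certificate checks performed after signature verification.
     *
     * @param z false to accept any cryptographically valid signature regardless of signer
     */
    public void setCheckCert(boolean z) {
        this.checkCert = z;
    }

    /** @return a copy of the configured CA certificates, or null if none are configured */
    public X509Cert[] getCaCerts() {
        return this.caCerts == null ? null : this.caCerts.clone();
    }

    /**
     * Sets the CA certificates used as trust anchors; the array is copied so later
     * changes by the caller do not alter the trust anchors.
     *
     * @param x509CertArr trust anchors, or null to leave the chain unconfigured (all certificate checks then fail)
     */
    public void setCaCerts(X509Cert[] x509CertArr) {
        this.caCerts = x509CertArr == null ? null : x509CertArr.clone();
    }

    /** @return the configured CRL, or null if revocation is not checked */
    public X509CRL getCrl() {
        return this.crl;
    }

    /**
     * Sets the CRL consulted for revocation; null disables the revocation check.
     *
     * @param x509crl the revocation list, or null
     */
    public void setCrl(X509CRL x509crl) {
        this.crl = x509crl;
    }
}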
