package com.unionpay.uas.sdk;

import java.io.ByteArrayInputStream;
import java.io.Closeable;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FilenameFilter;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.Charset;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.io.FileUtils;
import org.apache.log4j.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:com/unionpay/uas/sdk/CertUtil.class */
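/**
 * Certificate and key material for the SDK: the merchant signing keystore (PKCS12, loaded through the
 * BouncyCastle provider), the UnionPay verify certificates found in a directory, the sensitive-data and
 * PIN encryption certificates, and the intermediate/root certificates used to validate a certificate
 * chain sent back by the server.
 *
 * <p>All state is static and is (re)loaded from {@code SDKConfig} by the static initializer and by the
 * {@code init*} methods. Lazy reloads (e.g. {@link #getValidatePublicKey}) are not synchronized: two
 * threads may reload the same material concurrently, which is harmless but does duplicate disk I/O.
 */
public class CertUtil {
    private static final Logger logger = Logger.getLogger(CertUtil.class);
    /**
     * Charset used both to turn a certificate handed over as a {@code String} back into bytes
     * ({@link #genCertificateByStr}) and to write such a certificate to disk, so the bytes round-trip
     * unchanged regardless of the platform default charset.
     */
    private static final Charset CERT_CHARSET = Charset.forName("ISO-8859-1");
    /** Legacy certificate owner identity accepted when CN validation is not strict. */
    private static final String DEFAULT_SIGN_IDENTITY = "00040000:SIGN";
    private static final String BACKUP_SUFFIX = "_backup";

    // Lazily loaded via getMiddleCert()/getRootCert().
    private static X509Certificate middleCert = null;
    private static X509Certificate rootCert = null;
    // Not referenced by any method in this class.
    private static PublicKey encryptTrackKey = null;
    // Keyed by keystore path.
    private static final Map<String, Cert> signCerts = new ConcurrentHashMap<String, Cert>();
    // Keyed by certId (decimal serial number).
    private static final Map<String, PublicKey> verifyCerts = new ConcurrentHashMap<String, PublicKey>();
    private static Cert encryptCert = null;
    // Cache of verified server certificates, keyed by the raw certificate string.
    private static final Map<String, PublicKey> verifyCerts510 = new ConcurrentHashMap<String, PublicKey>();
    private static Cert pinEncryptCert = null;

    /** Accepts file names ending in ".cer" (case-insensitive). */
    public static class CerFilter implements FilenameFilter {
        CerFilter() {
        }

        /**
         * @param str a file name
         * @return true when {@code str} ends with ".cer", ignoring case
         */
        public boolean isCer(String str) {
            return str.toLowerCase(Locale.ROOT).endsWith(".cer");
        }

        @Override // java.io.FilenameFilter
        public boolean accept(File file, String str) {
            return isCer(str);
        }
    }

    /**
     * One certificate: its decimal serial number ({@code certId}), its public key and, for the signing
     * keystore only, its private key.
     */
    public static class Cert {
        protected String certId;
        protected PublicKey pubKey;
        protected PrivateKey priKey;

        protected Cert() {
        }
    }

    /** Loads the signing keystore, the verify-certificate directory and the encryption certificate; failures are logged, not thrown. */
    public static void init() {
        try {
            initSignCert();
            initValidateCertFromDir();
            initEncryptCert();
        } catch (Exception e) {
            logger.error("init失败。", e);
        }
    }

    /**
     * Registers the BouncyCastle provider. An already-registered "BC" provider is removed first, which
     * moves it to the end of the JVM-wide provider list; this is the original behaviour and is kept
     * because every JCE lookup in this class names "BC" explicitly.
     */
    public static void addProvider() {
        if (Security.getProvider("BC") != null) {
            Security.removeProvider("BC");
        }
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Closes {@code closeable} if non-null, logging (not throwing) an {@link IOException}. */
    private static void closeQuietly(Closeable closeable) {
        if (closeable == null) {
            return;
        }
        try {
            closeable.close();
        } catch (IOException e) {
            logger.warn("close stream failed", e);
        }
    }

    /**
     * Opens the PKCS12 keystore at {@code str} with password {@code str2}, reads the first alias and
     * caches the resulting {@link Cert} in {@link #signCerts} under the keystore path.
     *
     * @return the loaded cert, or null when arguments are empty, the keystore has no alias, or loading fails
     */
    private static Cert addSignCert(String str, String str2) {
        if (SDKUtil.isEmpty(str) || SDKUtil.isEmpty(str2)) {
            logger.warn("签名证书路径或证书密码为空。 停止加载签名私钥证书。");
            return null;
        }
        logger.info("加载签名私钥证书==>" + str);
        FileInputStream fileInputStream = null;
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
            fileInputStream = new FileInputStream(str);
            // A blank password opens the store without a password (null), as in the original.
            char[] charArray = (null == str2 || SDKConstants.BLANK.equals(str2.trim())) ? null : str2.toCharArray();
            keyStore.load(fileInputStream, charArray);
            Enumeration<String> aliases = keyStore.aliases();
            if (!aliases.hasMoreElements()) {
                logger.error("addSignCert Error: no alias in keystore " + str);
                return null;
            }
            // Only the first alias is used.
            String alias = aliases.nextElement();
            X509Certificate x509Certificate = (X509Certificate) keyStore.getCertificate(alias);
            Cert cert = new Cert();
            cert.certId = x509Certificate.getSerialNumber().toString(10);
            cert.priKey = (PrivateKey) keyStore.getKey(alias, str2.toCharArray());
            cert.pubKey = x509Certificate.getPublicKey();
            signCerts.put(str, cert);
            return cert;
        } catch (Exception e) {
            logger.error("addSignCert Error", e);
            return null;
        } finally {
            closeQuietly(fileInputStream);
        }
    }

    /**
     * Parses the X.509 certificate file at {@code str} (PEM or DER, whatever the BC factory accepts).
     *
     * @return the certificate, or null when the file is missing or cannot be parsed (logged)
     */
    public static X509Certificate readX509Cert(String str) {
        X509Certificate x509Certificate = null;
        FileInputStream fileInputStream = null;
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
            fileInputStream = new FileInputStream(str);
            x509Certificate = (X509Certificate) certificateFactory.generateCertificate(fileInputStream);
        } catch (FileNotFoundException e) {
            logger.error("readX509Cert Error File Not Found: " + str, e);
        } catch (Exception e) {
            logger.error("readX509Cert Error", e);
        } finally {
            closeQuietly(fileInputStream);
        }
        return x509Certificate;
    }

    /** Drops all cached signing certs and loads the one configured as the default. */
    private static void initSignCert() {
        signCerts.clear();
        String signCertPath = SDKConfig.getConfig().getSignCertPath();
        String signCertPwd = SDKConfig.getConfig().getSignCertPwd();
        if (SDKUtil.isEmpty(signCertPath) || SDKUtil.isEmpty(signCertPwd)) {
            logger.warn("uassdk.signCert.path or uassdk.signCert.pwd is empty");
        } else {
            logger.info("读取配置文件默认签名证书==>" + signCertPath + (addSignCert(signCertPath, signCertPwd) != null ? "成功" : "失败"));
        }
    }

    /** Loads the configured intermediate CA certificate into {@link #middleCert}. */
    private static void initMiddleCert() {
        String middleCertPath = SDKConfig.getConfig().getMiddleCertPath();
        if (SDKUtil.isEmpty(middleCertPath)) {
            logger.warn("uassdk.middleCert.path is empty");
        } else {
            middleCert = readX509Cert(middleCertPath);
            logger.info("加载中级证书==>" + middleCertPath + (middleCert != null ? "成功" : "失败"));
        }
    }

    /** Loads the configured root CA certificate into {@link #rootCert}. */
    private static void initRootCert() {
        String rootCertPath = SDKConfig.getConfig().getRootCertPath();
        if (SDKUtil.isEmpty(rootCertPath)) {
            logger.warn("uassdk.rootCert.path is empty");
        } else {
            rootCert = readX509Cert(rootCertPath);
            logger.info("加载根证书==>" + rootCertPath + (rootCert != null ? "成功" : "失败"));
        }
    }

    /**
     * Clears {@link #verifyCerts} and reloads every *.cer file from the configured directory, keyed by
     * the certificate's decimal serial number. Files that fail to parse are skipped and logged.
     */
    private static void initValidateCertFromDir() {
        verifyCerts.clear();
        String validateCertDir = SDKConfig.getConfig().getValidateCertDir();
        if (SDKUtil.isEmpty(validateCertDir)) {
            logger.error("WARN: uassdk.validateCert.dir is empty");
            return;
        }
        logger.info("加载验证签名证书目录==>" + validateCertDir);
        File[] certFiles = new File(validateCertDir).listFiles(new CerFilter());
        if (certFiles == null) {
            // listFiles() returns null when the path is not a readable directory; the original
            // dereferenced it and threw NullPointerException.
            logger.error("Load verify cert error, not a readable directory: " + validateCertDir);
            return;
        }
        for (File file : certFiles) {
            try {
                X509Certificate readX509Cert = readX509Cert(file.getAbsolutePath());
                if (readX509Cert != null) {
                    String bigInteger = readX509Cert.getSerialNumber().toString(10);
                    verifyCerts.put(bigInteger, readX509Cert.getPublicKey());
                    logger.info("[" + file.getAbsolutePath() + "][CertId=" + bigInteger + "]");
                }
            } catch (Exception e) {
                logger.error("Load verify cert error, " + file.getAbsolutePath(), e);
            }
        }
    }

    /** Wraps a public-only certificate as a {@link Cert} (serial number and public key, no private key). */
    private static Cert toCert(X509Certificate x509Certificate) {
        Cert cert = new Cert();
        cert.certId = x509Certificate.getSerialNumber().toString(10);
        cert.pubKey = x509Certificate.getPublicKey();
        return cert;
    }

    /** Loads the configured sensitive-data encryption certificate into {@link #encryptCert}; leaves it unchanged on failure. */
    private static void initEncryptCert() {
        String encryptCertPath = SDKConfig.getConfig().getEncryptCertPath();
        if (SDKUtil.isEmpty(encryptCertPath)) {
            logger.warn("uassdk.encryptCert.path is empty");
            return;
        }
        X509Certificate readX509Cert = readX509Cert(encryptCertPath);
        logger.info("加载敏感信息加密证书==>" + encryptCertPath + (readX509Cert != null ? "成功" : "失败") + "\n");
        if (readX509Cert != null) {
            encryptCert = toCert(readX509Cert);
        }
    }

    /** Loads the configured PIN encryption certificate into {@link #pinEncryptCert}; leaves it unchanged on failure. */
    private static void initPinEncryptCert() {
        String pinEncryptCertPath = SDKConfig.getConfig().getPinEncryptCertPath();
        if (SDKUtil.isEmpty(pinEncryptCertPath)) {
            logger.warn("uassdk.pinEncryptCert.path is empty");
            return;
        }
        X509Certificate readX509Cert = readX509Cert(pinEncryptCertPath);
        logger.info("加载6.0统一支付产品pin加密证书==>" + pinEncryptCertPath + (readX509Cert != null ? "成功" : "失败"));
        if (readX509Cert != null) {
            pinEncryptCert = toCert(readX509Cert);
        }
    }

    /** @return the default signing cert from configuration, or null when path/password are not configured */
    private static Cert getSignCert() {
        String signCertPath = SDKConfig.getConfig().getSignCertPath();
        String signCertPwd = SDKConfig.getConfig().getSignCertPwd();
        if (!SDKUtil.isEmpty(signCertPath) && !SDKUtil.isEmpty(signCertPwd)) {
            return getSignCert(signCertPath, signCertPwd);
        }
        logger.error("未配置默认签名证书时无法调用此方法。");
        return null;
    }

    /**
     * Returns the signing cert for keystore {@code str}, loading it with password {@code str2} on first use.
     *
     * @return the cert, or null when arguments are empty or loading failed
     */
    private static Cert getSignCert(String str, String str2) {
        if (SDKUtil.isEmpty(str) || SDKUtil.isEmpty(str2)) {
            logger.error("传入的签名路径或密码为空。");
            return null;
        }
        if (!signCerts.containsKey(str)) {
            addSignCert(str, str2);
        }
        Cert cert = signCerts.get(str);
        if (cert != null) {
            return cert;
        }
        logger.error("未成功获取签名证书。");
        return null;
    }

    /** @return the sensitive-data encryption cert, loading it on first use; null when not configured or unreadable */
    public static Cert getEncryptCert() {
        if (encryptCert == null) {
            initEncryptCert();
        }
        return encryptCert;
    }

    /** @return the PIN encryption cert, loading it on first use; null when not configured or unreadable */
    protected static Cert getPinEncryptCert() {
        if (pinEncryptCert == null) {
            initPinEncryptCert();
        }
        return pinEncryptCert;
    }

    /**
     * Builds the backup file name for {@code certPath}: "dir/cert.cer" becomes "dir/cert_backup.cer".
     * A path with no '.' gets the suffix appended (the original threw on {@code substring(0, -1)}).
     */
    private static String backupPath(String certPath) {
        int dot = certPath.lastIndexOf(SDKConstants.POINT);
        if (dot < 0) {
            return certPath + BACKUP_SUFFIX;
        }
        return certPath.substring(0, dot) + BACKUP_SUFFIX + SDKConstants.POINT + certPath.substring(dot + 1);
    }

    /**
     * Backs up the existing file at {@code certPath} (if any) and overwrites it with {@code certContent},
     * encoded with {@link #CERT_CHARSET} so the bytes on disk are exactly those {@link #genCertificateByStr}
     * parsed and the subsequent reload sees the same certificate.
     *
     * @return 1 on success, -1 when the backup or the write failed (logged)
     */
    private static int replaceCertFile(String certPath, String certContent) {
        File file = new File(certPath);
        if (file.exists()) {
            try {
                FileUtils.copyFile(file, new File(backupPath(certPath)));
                logger.info("原加密证书备份成功。");
            } catch (IOException e) {
                logger.error("原加密证书备份失败，停止改证书。", e);
                return -1;
            }
        } else {
            logger.warn("原加密证书不存在：" + certPath);
        }
        try {
            FileUtils.writeByteArrayToFile(file, certContent.getBytes(CERT_CHARSET), false);
            logger.info("加密证书更新成功。");
            return 1;
        } catch (IOException e) {
            logger.error("加密证书更新失败。", e);
            return -1;
        }
    }

    /**
     * Replaces the configured sensitive-data encryption certificate with {@code str} (a certificate in
     * string form), backing up the old file first, then reloads {@link #encryptCert}.
     *
     * <p>NOTE(review): the incoming certificate is adopted without any chain validation here; it is
     * assumed the caller has already authenticated the message that carried it (e.g. verified its
     * signature) — confirm against the callers.
     *
     * @return 1 when updated, 0 when {@code str} is the certificate already in use, -1 on any failure
     */
    public static int resetEncryptCertPublicKey(String str) {
        if (SDKUtil.isEmpty(str)) {
            logger.error("传入证书信息为空。");
            return -1;
        }
        Cert current = getEncryptCert();
        X509Certificate incoming = genCertificateByStr(str);
        if (incoming == null) {
            // the original dereferenced the null and threw NullPointerException
            logger.error("传入证书信息无法解析。");
            return -1;
        }
        if (current != null && current.certId.equals(incoming.getSerialNumber().toString(10))) {
            logger.info("返回证书和原证书一样，不用更新。");
            return 0;
        }
        String encryptCertPath = SDKConfig.getConfig().getEncryptCertPath();
        if (SDKUtil.isEmpty(encryptCertPath)) {
            logger.error("未配置加密证书路径，无法执行此方法。");
            return -1;
        }
        if (replaceCertFile(encryptCertPath, str) != 1) {
            return -1;
        }
        initEncryptCert();
        return 1;
    }

    /**
     * Replaces the configured PIN encryption certificate with {@code str}, backing up the old file
     * first, then reloads {@link #pinEncryptCert}. Same trust assumption as {@link #resetEncryptCertPublicKey}.
     *
     * @return 1 when updated, 0 when {@code str} is the certificate already in use, -1 on any failure
     */
    public static int resetPinEncryptCertPublicKey(String str) {
        if (SDKUtil.isEmpty(str)) {
            logger.error("传入证书信息为空。");
            return -1;
        }
        Cert current = getPinEncryptCert();
        X509Certificate incoming = genCertificateByStr(str);
        if (incoming == null) {
            logger.error("传入证书信息无法解析。");
            return -1;
        }
        if (current != null && current.certId.equals(incoming.getSerialNumber().toString(10))) {
            logger.info("返回证书和原证书一样，不用更新。");
            return 0;
        }
        String pinEncryptCertPath = SDKConfig.getConfig().getPinEncryptCertPath();
        if (SDKUtil.isEmpty(pinEncryptCertPath)) {
            logger.error("未配置加密证书路径，无法执行此方法。");
            return -1;
        }
        if (replaceCertFile(pinEncryptCertPath, str) != 1) {
            return -1;
        }
        initPinEncryptCert();
        return 1;
    }

    /**
     * Returns the verify public key for {@code str} (a certId). An unknown certId triggers a full
     * rescan of the verify-certificate directory before giving up, so a stream of unknown certIds
     * costs one directory read each; callers should not pass unvalidated ids in a hot path.
     *
     * @return the public key, or null when {@code str} is null or no certificate with that id exists
     */
    public static PublicKey getValidatePublicKey(String str) {
        if (str == null) {
            logger.error("没有传入certId.");
            return null;
        }
        if (!verifyCerts.containsKey(str)) {
            initValidateCertFromDir();
        }
        PublicKey publicKey = verifyCerts.get(str);
        if (publicKey != null) {
            return publicKey;
        }
        logger.error("缺少certId=[" + str + "]对应的验签证书.");
        return null;
    }

    /** @return the default signing cert's certId, or null when unavailable */
    public static String getSignCertId() {
        Cert signCert = getSignCert();
        if (signCert == null) {
            return null;
        }
        return signCert.certId;
    }

    /** @return the default signing cert's private key, or null when unavailable */
    public static PrivateKey getSignCertPrivateKey() {
        Cert signCert = getSignCert();
        if (signCert == null) {
            return null;
        }
        return signCert.priKey;
    }

    /** @return the certId of the signing cert in keystore {@code str} (password {@code str2}), or null */
    public static String getCertIdByKeyStoreMap(String str, String str2) {
        Cert signCert = getSignCert(str, str2);
        if (signCert == null) {
            return null;
        }
        return signCert.certId;
    }

    /** @return the private key of the signing cert in keystore {@code str} (password {@code str2}), or null */
    public static PrivateKey getSignCertPrivateKeyByStoreMap(String str, String str2) {
        Cert signCert = getSignCert(str, str2);
        if (signCert == null) {
            return null;
        }
        return signCert.priKey;
    }

    /**
     * Builds an RSA public key from decimal modulus {@code str} and exponent {@code str2}.
     *
     * @return the key, or null when the numbers are malformed or the provider rejects them (logged)
     */
    private static PublicKey getPublicKey(String str, String str2) {
        try {
            return KeyFactory.getInstance("RSA", "BC").generatePublic(new RSAPublicKeySpec(new BigInteger(str), new BigInteger(str2)));
        } catch (Exception e) {
            logger.error("构造RSA公钥失败：" + e);
            return null;
        }
    }

    /**
     * Parses a certificate given as a string. The string is converted to bytes with ISO-8859-1, i.e.
     * one char per byte, so both PEM text and DER carried char-per-byte are accepted.
     *
     * @return the certificate, or null when it cannot be parsed (logged)
     */
    public static X509Certificate genCertificateByStr(String str) {
        X509Certificate x509Certificate = null;
        try {
            x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(new ByteArrayInputStream(str.getBytes(CERT_CHARSET)));
        } catch (Exception e) {
            logger.error("gen certificate error", e);
        }
        return x509Certificate;
    }

    /** @return the intermediate CA cert, loading it on first use; null when not configured or unreadable */
    private static X509Certificate getMiddleCert() {
        if (SDKUtil.isEmpty(SDKConfig.getConfig().getMiddleCertPath())) {
            logger.error("未配置中级证书时无法调用此方法。");
            return null;
        }
        if (middleCert == null) {
            initMiddleCert();
        }
        return middleCert;
    }

    /** @return the root CA cert, loading it on first use; null when not configured or unreadable */
    private static X509Certificate getRootCert() {
        if (SDKUtil.isEmpty(SDKConfig.getConfig().getRootCertPath())) {
            logger.error("未配置根证书时无法调用此方法。");
            return null;
        }
        if (rootCert == null) {
            initRootCert();
        }
        return rootCert;
    }

    /**
     * Extracts the owner identity from the subject DN: the substring starting at "CN=" is split on
     * {@code SDKConstants.MAIL} and the third part is returned.
     *
     * @return the identity, or {@code SDKConstants.BLANK} when the DN has no CN or fewer than three parts
     */
    public static String getIdentitiesFromCertficate(X509Certificate x509Certificate) {
        // getSubjectDN() is kept (rather than getSubjectX500Principal()) because the split below
        // depends on its string form.
        String principal = x509Certificate.getSubjectDN().toString();
        if (principal == null) {
            return SDKConstants.BLANK;
        }
        int cnStart = principal.indexOf("CN=");
        if (cnStart < 0) {
            // no CN attribute: the original called substring(-1) and threw here
            return SDKConstants.BLANK;
        }
        String[] split = principal.substring(cnStart).split(SDKConstants.MAIL);
        if (split.length > 2 && split[2] != null) {
            return split[2];
        }
        return SDKConstants.BLANK;
    }

    /**
     * Verifies that a PKIX path can be built from {@code x509Certificate} through the intermediate
     * {@code x509Certificate2} to the trust anchor {@code x509Certificate3}. Revocation checking is
     * disabled (no CRL/OCSP source is configured), as in the original.
     *
     * @return true when the path builds; false when any argument is null, the path cannot be built
     *         (CertPathBuilderException) or any other error occurs (logged)
     */
    public static boolean verifyCertificateChain(X509Certificate x509Certificate, X509Certificate x509Certificate2, X509Certificate x509Certificate3) {
        if (null == x509Certificate) {
            logger.error("cert must Not null");
            return false;
        }
        if (null == x509Certificate2) {
            logger.error("middleCert must Not null");
            return false;
        }
        if (null == x509Certificate3) {
            logger.error("rootCert or cert must Not null");
            return false;
        }
        try {
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate(x509Certificate);
            Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
            trustAnchors.add(new TrustAnchor(x509Certificate3, null));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(trustAnchors, x509CertSelector);
            Set<X509Certificate> candidates = new HashSet<X509Certificate>();
            candidates.add(x509Certificate3);
            candidates.add(x509Certificate2);
            candidates.add(x509Certificate);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(candidates), "BC"));
            // The parameters alone verify nothing: the path has to be built. The original returned
            // true right after setting them up, so any leaf "passed"; a leaf that does not chain to
            // the anchor now throws CertPathBuilderException, handled below.
            CertPathBuilder.getInstance("PKIX", "BC").build(pKIXBuilderParameters);
            logger.info("verify certificate chain succeed.");
            return true;
        } catch (CertPathBuilderException e) {
            logger.error("verify certificate chain fail.", e);
            return false;
        } catch (Exception e2) {
            logger.error("verify certificate chain exception: ", e2);
            return false;
        }
    }

    /**
     * Parses and verifies a server-supplied certificate string and returns its public key, caching the
     * result in {@link #verifyCerts510} under the raw string. Only certificates that passed
     * {@link #verifyCertificate} are cached.
     *
     * @return the public key, or null when {@code str} is empty, unparsable or fails verification (logged)
     */
    public static PublicKey verifyAndGetVerifyPubKey(String str) {
        if (SDKUtil.isEmpty(str)) {
            logger.error("验签公钥证书传了空。");
            return null;
        }
        if (verifyCerts510.containsKey(str)) {
            return verifyCerts510.get(str);
        }
        logger.debug("验签公钥证书：[" + str + "]");
        X509Certificate genCertificateByStr = genCertificateByStr(str);
        if (genCertificateByStr == null) {
            logger.error("convert signPubKeyCert failed");
            return null;
        }
        if (!verifyCertificate(genCertificateByStr)) {
            logger.error("验证公钥证书失败，证书信息：[" + str + "]");
            return null;
        }
        logger.info("验证公钥验证成功：[" + genCertificateByStr.getSerialNumber().toString(10) + "]");
        PublicKey publicKey = genCertificateByStr.getPublicKey();
        verifyCerts510.put(str, publicKey);
        return publicKey;
    }

    /**
     * Checks validity dates, the chain to the configured intermediate/root certs, and the owner
     * identity: with {@code isIfValidateCNName} only {@code SDKConstants.UNIONPAY_CNNAME} is accepted,
     * otherwise the legacy {@value #DEFAULT_SIGN_IDENTITY} identity is accepted as well.
     *
     * @return true only when every check passes; any exception is logged and yields false
     */
    private static boolean verifyCertificate(X509Certificate x509Certificate) {
        if (null == x509Certificate) {
            logger.error("cert must Not null");
            return false;
        }
        try {
            x509Certificate.checkValidity();
            if (!verifyCertificateChain(x509Certificate, getMiddleCert(), getRootCert())) {
                return false;
            }
            String owner = getIdentitiesFromCertficate(x509Certificate);
            boolean isUnionPay = SDKConstants.UNIONPAY_CNNAME.equals(owner);
            boolean accepted = SDKConfig.getConfig().isIfValidateCNName()
                    ? isUnionPay
                    : (isUnionPay || DEFAULT_SIGN_IDENTITY.equals(owner));
            if (!accepted) {
                logger.error("cer owner is not CUP:" + owner);
            }
            return accepted;
        } catch (Exception e) {
            logger.error("verifyCertificate fail", e);
            return false;
        }
    }

    /** Logs OS and JVM properties plus the registered security providers (diagnostics only). */
    private static void printSysInfo() {
        logger.info("================= SYS INFO begin====================");
        logger.info("os_name:" + System.getProperty("os.name"));
        logger.info("os_arch:" + System.getProperty("os.arch"));
        logger.info("os_version:" + System.getProperty("os.version"));
        logger.info("java_vm_specification_version:" + System.getProperty("java.vm.specification.version"));
        logger.info("java_vm_specification_vendor:" + System.getProperty("java.vm.specification.vendor"));
        logger.info("java_vm_specification_name:" + System.getProperty("java.vm.specification.name"));
        logger.info("java_vm_version:" + System.getProperty("java.vm.version"));
        logger.info("java_vm_name:" + System.getProperty("java.vm.name"));
        logger.info("java.version:" + System.getProperty("java.version"));
        logger.info("java.vm.vendor=[" + System.getProperty("java.vm.vendor") + "]");
        logger.info("java.version=[" + System.getProperty("java.version") + "]");
        printProviders();
        logger.info("================= SYS INFO end=====================");
    }

    /** Logs the registered security providers, numbered from 1 in provider order. */
    private static void printProviders() {
        logger.info("Providers List:");
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            logger.info((i + 1) + SDKConstants.POINT + providers[i].getName());
        }
    }

    /** @return a live view of all loaded verify public keys (changes when the directory is rescanned) */
    public static Collection<PublicKey> getVerifySignPubKeys() {
        return verifyCerts.values();
    }

    // Class load registers BC and eagerly loads the configured material.
    static {
        addProvider();
        init();
    }
}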
