package com.alipay.api.internal.util;

import cn.hutool.crypto.KeyUtil;
import com.alipay.api.AlipayApiException;
import com.alipay.api.AlipayConstants;
import com.alipay.api.internal.util.codec.Base64;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:BOOT-INF/lib/alipay-sdk-java-4.34.43.ALL.jar:com/alipay/api/internal/util/AntCertificationUtil.class */
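/**
 * Certificate helpers: PEM parsing, certificate-chain verification against a set of root
 * certificates, and derivation of the MD5-based certificate serial identifiers.
 *
 * <p>NOTE(review): chain verification here checks validity dates, issuer/subject name chaining and
 * signatures only. It does not check the CA basic constraint, key usage, name constraints or
 * revocation status of issuing certificates. A PKIX validation via
 * {@code java.security.cert.CertPathValidator} enforces those checks; consider it if the
 * certificates passed to {@link #isTrusted(String, String)} can come from an untrusted party.
 */
public class AntCertificationUtil {
    /** Signature-algorithm OID prefix of the PKCS#1 (RSA) arc. */
    private static final String RSA_SIG_OID_PREFIX = "1.2.840.113549.1.1";

    /** Signature-algorithm OID prefix used for SM2 signatures. */
    private static final String SM2_SIG_OID_PREFIX = "1.2.156.10197.1.501";

    private static final BouncyCastleProvider provider = new BouncyCastleProvider();

    static {
        // getCertFromPath/getCertFromContent/getAlipayPublicKey look the provider up by name,
        // so it has to be registered before any method of this class runs.
        Security.addProvider(provider);
    }

    /**
     * Checks whether a certificate chain is anchored in one of the given root certificates.
     *
     * @param str PEM text holding the certificate chain to verify
     * @param str2 PEM text holding the trusted root certificate(s)
     * @return {@code true} if the chain is complete and every link verifies, {@code false} otherwise
     * @throws RuntimeException if either PEM text cannot be parsed
     */
    public static boolean isTrusted(String str, String str2) {
        X509Certificate[] chain;
        try {
            chain = readPemCertChain(str);
        } catch (Exception e) {
            AlipayLogger.logBizError("读取证书失败");
            throw new RuntimeException(e);
        }
        // Parsed in its own try block so that a root-certificate failure is logged and wrapped
        // once, instead of also being reported as a failure of the chain under test.
        X509Certificate[] roots;
        try {
            roots = readPemCertChain(str2);
        } catch (Exception e) {
            AlipayLogger.logBizError("读取根证书失败");
            throw new RuntimeException(e);
        }
        return verifyCertChain(chain, roots);
    }

    /**
     * Verifies one certificate directly against the root set: it must be inside its validity
     * window and be signed by the root whose subject DN equals its issuer DN.
     *
     * <p>NOTE(review): the validity period of the matching root is not checked here, and when two
     * roots share a subject DN only the last one is tried.
     */
    private static boolean verifyCert(X509Certificate cert, X509Certificate[] rootCerts) {
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException e) {
            AlipayLogger.logBizError("证书已经过期");
            return false;
        } catch (CertificateNotYetValidException e) {
            AlipayLogger.logBizError("证书未激活");
            return false;
        }
        Map<Principal, X509Certificate> rootsBySubject = new HashMap<>();
        for (X509Certificate root : rootCerts) {
            rootsBySubject.put(root.getSubjectDN(), root);
        }
        X509Certificate issuer = rootsBySubject.get(cert.getIssuerDN());
        if (issuer == null) {
            AlipayLogger.logBizError("证书链验证失败");
            return false;
        }
        try {
            verifySignature(issuer.getPublicKey(), cert);
            return true;
        } catch (Exception e) {
            AlipayLogger.logBizError("证书链验证失败");
            return false;
        }
    }

    /**
     * Orders the chain from the top-most certificate downwards, anchors the first certificate in
     * the root set, then verifies each following certificate against its predecessor's key.
     *
     * @param chain certificates to verify; reordered in place by {@link #sortByDn}
     * @param rootCerts trusted root certificates
     * @return {@code true} only if every link is valid; any failure yields {@code false}
     */
    private static boolean verifyCertChain(X509Certificate[] chain, X509Certificate[] rootCerts) {
        if (!sortByDn(chain)) {
            AlipayLogger.logBizError("证书链验证失败：不是完整的证书链");
            return false;
        }
        X509Certificate issuer = chain[0];
        if (!verifyCert(issuer, rootCerts)) {
            return false;
        }
        for (int i = 1; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            try {
                cert.checkValidity();
                // NOTE(review): the issuer is accepted as a signer without checking that it is a
                // CA certificate (basic constraints / keyCertSign).
                verifySignature(issuer.getPublicKey(), cert);
            } catch (CertificateExpiredException e) {
                AlipayLogger.logBizError("证书已经过期");
                return false;
            } catch (CertificateNotYetValidException e) {
                AlipayLogger.logBizError("证书未激活");
                return false;
            } catch (Exception e) {
                AlipayLogger.logBizError("证书链验证失败");
                return false;
            }
            issuer = cert;
        }
        return true;
    }

    /** Verifies the certificate's signature with the given key, using the BouncyCastle provider. */
    private static void verifySignature(PublicKey publicKey, X509Certificate x509Certificate) throws NoSuchProviderException, CertificateException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        x509Certificate.verify(publicKey, provider.getName());
    }

    /**
     * Reorders {@code chain} in place so that each certificate is followed by the one it issued.
     *
     * @return {@code false} if the array is empty, holds more than one self-signed certificate, or
     *     does not form a single unbroken chain by issuer/subject DN
     */
    private static boolean sortByDn(X509Certificate[] chain) {
        // An input without any certificate previously failed with an index error; reject it.
        if (chain == null || chain.length == 0) {
            return false;
        }
        Map<Principal, X509Certificate> bySubject = new HashMap<>();
        Map<Principal, X509Certificate> byIssuer = new HashMap<>();
        boolean selfSignedSeen = false;
        for (X509Certificate cert : chain) {
            if (isSelfSigned(cert)) {
                if (selfSignedSeen) {
                    return false;
                }
                selfSignedSeen = true;
            }
            bySubject.put(cert.getSubjectDN(), cert);
            byIssuer.put(cert.getIssuerDN(), cert);
        }
        List<X509Certificate> ordered = new ArrayList<>();
        X509Certificate start = chain[0];
        addressingUp(bySubject, ordered, start, chain.length);
        addressingDown(byIssuer, ordered, start, chain.length);
        if (chain.length != ordered.size()) {
            return false;
        }
        for (int i = 0; i < ordered.size(); i++) {
            chain[i] = ordered.get(i);
        }
        return true;
    }

    /** Returns whether subject DN and issuer DN are equal; the signature itself is not checked. */
    private static boolean isSelfSigned(X509Certificate x509Certificate) {
        return x509Certificate.getSubjectDN().equals(x509Certificate.getIssuerDN());
    }

    /**
     * Walks from {@code start} towards the root, prepending each issuer found in {@code bySubject}.
     *
     * <p>The walk stops once more than {@code limit} certificates were collected: certificates whose
     * issuer DNs reference each other in a cycle would otherwise never terminate, and a list longer
     * than the chain is rejected by the caller anyway.
     */
    private static void addressingUp(Map<Principal, X509Certificate> bySubject, List<X509Certificate> ordered, X509Certificate start, int limit) {
        X509Certificate current = start;
        while (current != null) {
            ordered.add(0, current);
            if (isSelfSigned(current) || ordered.size() > limit) {
                return;
            }
            current = bySubject.get(current.getIssuerDN());
        }
    }

    /**
     * Walks from {@code start} towards the leaf, appending each certificate whose issuer DN is the
     * previous certificate's subject DN. Bounded by {@code limit} for the same reason as
     * {@link #addressingUp}.
     */
    private static void addressingDown(Map<Principal, X509Certificate> byIssuer, List<X509Certificate> ordered, X509Certificate start, int limit) {
        X509Certificate current = byIssuer.get(start.getSubjectDN());
        while (current != null && !isSelfSigned(current) && ordered.size() <= limit) {
            ordered.add(current);
            current = byIssuer.get(current.getSubjectDN());
        }
    }

    /** Parses every certificate contained in the given PEM text. */
    private static X509Certificate[] readPemCertChain(String pem) throws CertificateException {
        // Explicit charset: the parse must not depend on the platform default encoding.
        Collection<? extends Certificate> parsed = CertificateFactory.getInstance(KeyUtil.X509, provider).generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
        return parsed.toArray(new X509Certificate[parsed.size()]);
    }

    /**
     * Computes the root certificate serial identifier from the RSA-signed certificates in the
     * given PEM text, joined with {@code "_"}.
     *
     * @param str PEM text holding the root certificate(s)
     * @return the joined identifiers, or {@code null} if none matched or parsing failed
     */
    public static String getRootCertSN(String str) {
        return rootCertSnForOidPrefix(str, RSA_SIG_OID_PREFIX);
    }

    /**
     * Computes the root certificate serial identifier for the given sign type: SM2-signed
     * certificates when {@code str2} is the SM2 sign type, RSA-signed certificates otherwise.
     *
     * @param str PEM text holding the root certificate(s)
     * @param str2 sign type, compared with {@code AlipayConstants.SIGN_TYPE_SM2}
     * @return the joined identifiers, or {@code null} if none matched or parsing failed
     */
    public static String getRootCertSN(String str, String str2) {
        if (!AlipayConstants.SIGN_TYPE_SM2.equals(str2)) {
            return getRootCertSN(str);
        }
        return rootCertSnForOidPrefix(str, SM2_SIG_OID_PREFIX);
    }

    /** Joins the identifiers of all certificates whose signature OID starts with the prefix. */
    private static String rootCertSnForOidPrefix(String pem, String sigAlgOidPrefix) {
        String joined = null;
        try {
            X509Certificate[] certs = readPemCertChain(pem);
            MessageDigest md5 = MessageDigest.getInstance(MessageDigestAlgorithms.MD5);
            for (X509Certificate cert : certs) {
                if (cert.getSigAlgOID().startsWith(sigAlgOidPrefix)) {
                    String sn = certSn(md5, cert);
                    joined = joined == null ? sn : joined + "_" + sn;
                }
            }
        } catch (Exception e) {
            // Existing contract: failures are logged, and whatever was collected so far (possibly
            // null) is returned. Callers must treat null as "no identifier available".
            AlipayLogger.logBizError("提取根证书失败");
        }
        return joined;
    }

    /**
     * Hashes issuer name plus serial number into the 32-character hex identifier.
     *
     * <p>NOTE(review): MD5 appears to be the identifier format here rather than an integrity
     * check; confirm against the consumer of this value before changing the algorithm.
     */
    private static String certSn(MessageDigest md5, X509Certificate cert) {
        // Explicit UTF-8 so the digest does not vary with the platform default charset.
        md5.update((cert.getIssuerX500Principal().getName() + cert.getSerialNumber()).getBytes(StandardCharsets.UTF_8));
        return fillMD5(new BigInteger(1, md5.digest()).toString(16));
    }

    /** Left-pads a hex digest with zeros to 32 characters; longer input is returned unchanged. */
    private static String fillMD5(String hex) {
        StringBuilder padded = new StringBuilder(32);
        for (int i = hex.length(); i < 32; i++) {
            padded.append('0');
        }
        return padded.append(hex).toString();
    }

    /**
     * Reads a single X.509 certificate from a file.
     *
     * @param str path of the certificate file
     * @return the parsed certificate
     * @throws AlipayApiException if the file cannot be read or parsed
     */
    public static X509Certificate getCertFromPath(String str) throws AlipayApiException {
        // try-with-resources closes the stream on every path, including parse failures.
        try (FileInputStream in = new FileInputStream(str)) {
            return (X509Certificate) CertificateFactory.getInstance(KeyUtil.X509, BouncyCastleProvider.PROVIDER_NAME).generateCertificate(in);
        } catch (Exception e) {
            throw new AlipayApiException(e);
        }
    }

    /**
     * Parses a single X.509 certificate from its text content.
     *
     * @param str certificate content
     * @return the parsed certificate
     * @throws AlipayApiException if the content cannot be parsed
     */
    public static X509Certificate getCertFromContent(String str) throws AlipayApiException {
        try {
            return (X509Certificate) CertificateFactory.getInstance(KeyUtil.X509, BouncyCastleProvider.PROVIDER_NAME).generateCertificate(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            throw new AlipayApiException(e);
        }
    }

    /**
     * Computes the serial identifier of a certificate: the zero-padded hex MD5 of its issuer name
     * followed by its serial number.
     *
     * @param x509Certificate certificate to identify
     * @return 32-character lowercase hex identifier
     * @throws AlipayApiException if the MD5 algorithm is unavailable
     */
    public static String getCertSN(X509Certificate x509Certificate) throws AlipayApiException {
        try {
            return certSn(MessageDigest.getInstance(MessageDigestAlgorithms.MD5), x509Certificate);
        } catch (NoSuchAlgorithmException e) {
            throw new AlipayApiException(e);
        }
    }

    /**
     * Extracts the public key of the certificate stored at the given path.
     *
     * @param str path of the certificate file
     * @return Base64 text of the encoded public key
     * @throws AlipayApiException if the file cannot be read or parsed
     */
    public static String getAlipayPublicKey(String str) throws AlipayApiException {
        try (FileInputStream in = new FileInputStream(str)) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance(KeyUtil.X509, BouncyCastleProvider.PROVIDER_NAME).generateCertificate(in);
            return Base64.encodeBase64String(cert.getPublicKey().getEncoded());
        } catch (IOException | NoSuchProviderException | CertificateException e) {
            throw new AlipayApiException(e);
        }
    }
}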
