package com.mindspore.flclient.cipher;

import com.mindspore.flclient.FLParameter;
import com.mindspore.flclient.common.FLLoggerGenerater;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Date;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Logger;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:com/mindspore/flclient/cipher/CertVerify.class */
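/**
 * Checks a certificate chain presented by a remote peer against the certificate chain stored
 * for the local client in the {@code HwKeyStore} key store.
 *
 * <p>The checks visible in this class are:
 * <ul>
 *   <li>remote certificate {@code [1]} is signed by local chain entry {@code [2]}, and remote
 *       certificate {@code [0]} is signed by remote certificate {@code [1]};</li>
 *   <li>the issuer name of remote {@code [1]} equals the subject name of local {@code [2]};</li>
 *   <li>the serial number of remote {@code [1]} is not listed in the configured CRL, and that
 *       CRL is signed by local {@code [2]};</li>
 *   <li>every remote certificate is inside its validity period;</li>
 *   <li>the authority key identifier of remote {@code [1]} equals the subject key identifier of
 *       local {@code [2]}.</li>
 * </ul>
 *
 * <p>Every check fails closed: a missing input, an unreadable key store or CRL, or a malformed
 * extension yields {@code false} rather than an exception or an implicit pass.
 *
 * <p>NOTE(review): nothing here evaluates basicConstraints, key usage or CRL
 * thisUpdate/nextUpdate. Confirm whether the certificate profile in use needs them; the
 * platform PKIX validator ({@code java.security.cert.CertPathValidator}) covers those checks.
 */
public class CertVerify {
    private static final Logger LOGGER = FLLoggerGenerater.getModelLogger(CertVerify.class.toString());

    /** Position in the local key-store chain of the certificate every check is anchored to. */
    private static final int LOCAL_ANCHOR_INDEX = 2;

    /** OID of the X.509 subjectKeyIdentifier extension. */
    private static final String SUBJECT_KEY_IDENTIFIER_OID = "2.5.29.14";

    /** OID of the X.509 authorityKeyIdentifier extension. */
    private static final String AUTHORITY_KEY_IDENTIFIER_OID = "2.5.29.35";

    /**
     * Runs all chain checks and reports whether every one of them passed.
     *
     * @param str alias (client ID) of the local key-store entry whose chain is the reference
     * @param x509CertificateArr remote chain; at least two certificates, none of them null
     * @return {@code true} only when all checks pass; {@code false} on any failure or bad input
     */
    public static boolean verifyCertificateChain(String str, X509Certificate[] x509CertificateArr) {
        if (str == null || str.isEmpty()) {
            LOGGER.severe("[CertVerify] the parameter clientID is null or empty, please check!");
            return false;
        }
        if (x509CertificateArr == null || x509CertificateArr.length < 2) {
            LOGGER.severe("[CertVerify] the parameter x509Certificates is null or the length is not valid: < 2, please check!");
            return false;
        }
        // transformPemArrayToX509Array leaves a null slot for each certificate it could not
        // parse, so reject such a chain here instead of hitting a NullPointerException later.
        for (X509Certificate certificate : x509CertificateArr) {
            if (certificate == null) {
                LOGGER.severe("[CertVerify] x509Certificates contains a null certificate, please check!");
                return false;
            }
        }
        boolean verified = verifyChain(str, x509CertificateArr)
                && verifyCommonName(str, x509CertificateArr)
                && verifyCrl(str, x509CertificateArr)
                && verifyValidDate(x509CertificateArr)
                && verifyKeyIdentifier(str, x509CertificateArr);
        if (verified) {
            LOGGER.info("[CertVerify] verifyCertificateChain success!");
            return true;
        }
        LOGGER.severe("[CertVerify] verifyCertificateChain failed!");
        return false;
    }

    /**
     * Compares the issuer name of remote certificate {@code [1]} with the subject name of local
     * chain entry {@code [2]}. Despite the method name, the full distinguished-name strings are
     * compared, not only the CN attribute.
     */
    private static boolean verifyCommonName(String str, X509Certificate[] x509CertificateArr) {
        if (str == null || str.isEmpty()) {
            LOGGER.severe("[CertVerify] the parameter clientID is null or empty, please check!");
            return false;
        }
        if (x509CertificateArr == null || x509CertificateArr.length < 2 || x509CertificateArr[1] == null) {
            LOGGER.severe("[CertVerify] x509Certificate chains is null or the length is not valid: < 2, please check!");
            return false;
        }
        X509Certificate[] localChain = getX509CertificateChain(str);
        // NOTE(review): this check demands a local chain of at least 4 entries although only
        // index 2 is read, while the sibling checks accept 3. Kept as found; confirm the intent.
        if (localChain == null || localChain.length < 4) {
            LOGGER.severe("[CertVerify] certificateChains is null or the length is not valid: < 4, please check!");
            return false;
        }
        String localSubject = localChain[LOCAL_ANCHOR_INDEX].getSubjectDN().getName();
        String remoteIssuer = x509CertificateArr[1].getIssuerDN().getName();
        return localSubject.equals(remoteIssuer);
    }

    /**
     * Verifies the two signatures that link the remote chain to the local anchor and checks that
     * remote certificates {@code [0]} and {@code [1]} are currently valid.
     */
    private static boolean verifyChain(String str, X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length < 2) {
            LOGGER.severe("[CertVerify] certificateChains is null or the length is not valid: < 2, please check!");
            return false;
        }
        X509Certificate leafCert = x509CertificateArr[0];
        X509Certificate issuerCert = x509CertificateArr[1];
        if (leafCert == null || issuerCert == null) {
            LOGGER.severe("[CertVerify] x509Certificates contains a null certificate, please check!");
            return false;
        }
        X509Certificate[] localChain = getX509CertificateChain(str);
        if (localChain == null || localChain.length < 3) {
            LOGGER.severe("[CertVerify] certificateChains is null or the length is not valid: < 3, please check!");
            return false;
        }
        try {
            // Anchor first: the remote issuer must be signed by the locally stored certificate.
            issuerCert.verify(localChain[LOCAL_ANCHOR_INDEX].getPublicKey());
            issuerCert.checkValidity();
            leafCert.checkValidity();
            leafCert.verify(issuerCert.getPublicKey());
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            LOGGER.severe("[verifyChain] certificate is outside its validity period: " + e.getMessage());
            return false;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
            LOGGER.severe("verifyChain failed!");
            LOGGER.severe("[verifyChain] catch Exception: " + e.getMessage());
            return false;
        }
        LOGGER.info("verifyChain success!");
        return true;
    }

    /**
     * Loads the certificate chain of the private-key entry stored under the given alias in the
     * {@code HwKeyStore} key store.
     *
     * @param str key-store alias (client ID)
     * @return the chain as X.509 certificates, or {@code null} when the alias is empty, the key
     *     store cannot be read, the entry is not a private-key entry, or the chain holds a
     *     certificate that is not X.509
     */
    public static X509Certificate[] getX509CertificateChain(String str) {
        if (str == null || str.isEmpty()) {
            LOGGER.severe("[CertVerify] the parameter clientID is null or empty, please check!");
            return null;
        }
        KeyStore.Entry entry;
        try {
            KeyStore keyStore = KeyStore.getInstance("HwKeyStore");
            keyStore.load(null);
            entry = keyStore.getEntry(str, null);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e) {
            LOGGER.severe("[CertVerify] catch Exception: " + e.getMessage());
            return null;
        }
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            return null;
        }
        Certificate[] certificateChain = ((KeyStore.PrivateKeyEntry) entry).getCertificateChain();
        if (certificateChain == null) {
            return null;
        }
        // Copy element by element: casting the array itself throws ClassCastException whenever
        // the provider hands back a plain Certificate[] instead of an X509Certificate[].
        X509Certificate[] x509Chain = new X509Certificate[certificateChain.length];
        for (int i = 0; i < certificateChain.length; i++) {
            if (!(certificateChain[i] instanceof X509Certificate)) {
                LOGGER.severe("[CertVerify] the certificate chain in keystore contains a non X509 certificate, please check!");
                return null;
            }
            x509Chain[i] = (X509Certificate) certificateChain[i];
        }
        return x509Chain;
    }

    /**
     * Converts Base64-encoded certificates into {@link X509Certificate} objects.
     *
     * @param strArr encoded certificates, one per element
     * @return an array of the same length; a slot is {@code null} when that element could not be
     *     decoded or parsed
     * @throws IllegalArgumentException if {@code strArr} is null or empty
     */
    public static X509Certificate[] transformPemArrayToX509Array(String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            LOGGER.severe("[CertVerify] pemCerts is null or empty, please check!");
            throw new IllegalArgumentException("pemCerts is null or empty");
        }
        X509Certificate[] certificates = new X509Certificate[strArr.length];
        for (int i = 0; i < strArr.length; i++) {
            certificates[i] = transformPemToX509(strArr[i]);
        }
        return certificates;
    }

    /**
     * Decodes one Base64 string and parses the result as an X.509 certificate.
     *
     * <p>The basic Base64 decoder is used, so the input must be the bare Base64 body: BEGIN/END
     * armour lines or embedded line breaks are rejected and produce {@code null}.
     *
     * @return the certificate, or {@code null} when the input is null, blank, not valid Base64
     *     or not a parsable certificate
     */
    private static X509Certificate transformPemToX509(String str) {
        if (str == null || str.trim().isEmpty()) {
            return null;
        }
        try {
            byte[] encoded = Base64.getDecoder().decode(str.trim());
            return (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(encoded));
        } catch (IllegalArgumentException | CertificateException e) {
            // IllegalArgumentException is what the Base64 decoder throws on malformed input.
            LOGGER.severe("[CertVerify] catch Exception: " + e.getMessage());
            return null;
        }
    }

    /**
     * Checks remote certificate {@code [1]} against the CRL whose path comes from
     * {@code FLParameter.getEquipCrlPath()}.
     */
    private static boolean verifyCrl(String str, X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length < 2) {
            LOGGER.severe("[verifyCrl] the number of certificate in x509Certificates is less than 2, please check!");
            return false;
        }
        X509Certificate equipCert = x509CertificateArr[1];
        if (equipCert == null) {
            LOGGER.severe("[verifyCrl] equipCert is null, please check it!");
            return false;
        }
        String crlPath = FLParameter.getInstance().getEquipCrlPath();
        if (verifySingleCrl(str, equipCert.getSerialNumber().toString(), crlPath)) {
            LOGGER.info("[verifyCrl] verify crl certificate success!");
            return true;
        }
        LOGGER.severe("[verifyCrl] verify crl certificate failed!");
        return false;
    }

    /**
     * Reports whether a serial number is absent from the CRL stored at the given path.
     *
     * @param str key-store alias whose chain entry {@code [2]} must have signed the CRL
     * @param str2 decimal serial number of the certificate being checked
     * @param str3 file path of the CRL; the literal string {@code "null"} means "not configured"
     * @return {@code true} when the CRL loads, its signature verifies and the serial is not
     *     listed; {@code false} otherwise
     */
    private static boolean verifySingleCrl(String str, String str2, String str3) {
        if (str2 == null || str2.isEmpty()) {
            LOGGER.severe("[CertVerify] caSerialNumber is null or empty, please check!");
            return false;
        }
        if (str3 == null || str3.equals("null")) {
            LOGGER.severe("[CertVerify] crlPath is null, please set crlPath with setEquipCrlPath method!");
            return false;
        }
        Object loadedCrl = readCrl(str3);
        // Fail closed: an unset path is already rejected above, so a CRL that cannot be read or
        // parsed must not let the revocation check pass either.
        if (!(loadedCrl instanceof X509CRL)) {
            LOGGER.severe("[CertVerify] the crl can not be loaded as X509CRL, check failed!");
            return false;
        }
        X509CRL x509crl = (X509CRL) loadedCrl;
        X509Certificate[] localChain = getX509CertificateChain(str);
        if (localChain == null || localChain.length < 3) {
            LOGGER.severe("[CertVerify] certificateChains is null or the length is not valid: < 3, please check!");
            return false;
        }
        try {
            x509crl.verify(localChain[LOCAL_ANCHOR_INDEX].getPublicKey());
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CRLException e) {
            LOGGER.severe("[verifySingleCrl] judgeCAInCRL error: " + e.getMessage());
            return false;
        }
        Set<? extends X509CRLEntry> revokedCertificates = x509crl.getRevokedCertificates();
        if (revokedCertificates == null) {
            LOGGER.info("[verifySingleCrl] verifyCrl Revoked Cert list is null");
            return true;
        }
        for (X509CRLEntry revoked : revokedCertificates) {
            if (revoked.getSerialNumber().toString().equals(str2)) {
                LOGGER.info("[verifySingleCrl] Find same SerialNumber during the crl!");
                return false;
            }
        }
        return true;
    }

    /**
     * Reads and parses a CRL file.
     *
     * @param str file path of the CRL
     * @return the parsed {@link CRL}, or {@code null} when the path is empty or the file cannot
     *     be opened or parsed
     */
    private static Object readCrl(String str) {
        if (str == null || str.isEmpty()) {
            LOGGER.severe("[readCrl] the parameter of <assetName> is null or empty, please check!");
            return null;
        }
        CRL crl = null;
        // try-with-resources closes the stream on every path; a failure while closing after a
        // successful parse is logged and the parsed CRL is still returned.
        try (FileInputStream fileInputStream = new FileInputStream(str)) {
            crl = CertificateFactory.getInstance("X.509").generateCRL(fileInputStream);
        } catch (CRLException | CertificateException e) {
            LOGGER.severe("[readCrl] catch Exception of creating CertificateFactory in readCert: " + e.getMessage());
        } catch (IOException e) {
            LOGGER.severe("[readCrl] catch Exception of read inputStream in readCert: " + e.getMessage());
        }
        return crl;
    }

    /**
     * Checks that every certificate of the remote chain is valid at the current time.
     */
    private static boolean verifyValidDate(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null) {
            LOGGER.severe("[CertVerify] x509Certificates is null, please check!");
            return false;
        }
        // One timestamp for the whole chain so all certificates are judged at the same instant.
        Date now = new Date();
        try {
            for (X509Certificate certificate : x509CertificateArr) {
                if (certificate == null) {
                    LOGGER.severe("[CertVerify] x509Certificates contains a null certificate, please check!");
                    return false;
                }
                certificate.checkValidity(now);
            }
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            LOGGER.severe("[verifyValidDate] catch Exception: " + e.getMessage());
            return false;
        }
    }

    /**
     * Compares the authorityKeyIdentifier of remote certificate {@code [1]} with the
     * subjectKeyIdentifier of local chain entry {@code [2]}.
     *
     * @return {@code true} only when both extensions are present, well formed and carry the
     *     same key identifier
     */
    private static boolean verifyKeyIdentifier(String str, X509Certificate[] x509CertificateArr) {
        if (str == null || str.isEmpty()) {
            LOGGER.severe("[CertVerify] the parameter clientID is null or empty, please check!");
            return false;
        }
        if (x509CertificateArr == null || x509CertificateArr.length < 2) {
            LOGGER.severe("[CertVerify] x509Certificate chains is null or the length is not valid: < 2, please check!");
            return false;
        }
        X509Certificate[] localChain = getX509CertificateChain(str);
        if (localChain == null || localChain.length < 3) {
            LOGGER.severe("[CertVerify] certificateChains is null or the length is not valid: < 3, please check!");
            return false;
        }
        X509Certificate remoteEquipCert = x509CertificateArr[1];
        if (remoteEquipCert == null) {
            LOGGER.severe("[CertVerify] remoteEquipCert is null, please check it!");
            return false;
        }
        // getExtensionValue returns null when the certificate lacks the extension; treat that
        // as a failed check instead of dereferencing it.
        byte[] subjectExtension = localChain[LOCAL_ANCHOR_INDEX].getExtensionValue(SUBJECT_KEY_IDENTIFIER_OID);
        byte[] authorityExtension = remoteEquipCert.getExtensionValue(AUTHORITY_KEY_IDENTIFIER_OID);
        if (subjectExtension == null || authorityExtension == null) {
            LOGGER.severe("[CertVerify] authorityKeyIdentifier or subjectKeyIdentifier is null, check failed!");
            return false;
        }
        try {
            byte[] subjectKeyId = SubjectKeyIdentifier.getInstance(ASN1OctetString.getInstance(subjectExtension).getOctets()).getKeyIdentifier();
            byte[] authorityKeyId = AuthorityKeyIdentifier.getInstance(ASN1OctetString.getInstance(authorityExtension).getOctets()).getKeyIdentifier();
            // The keyIdentifier field inside authorityKeyIdentifier is optional.
            if (subjectKeyId == null || authorityKeyId == null) {
                LOGGER.severe("[CertVerify] authorityKeyIdentifier or subjectKeyIdentifier is null, check failed!");
                return false;
            }
            String subjectKeyIdHex = new String(Hex.encode(subjectKeyId));
            String authorityKeyIdHex = new String(Hex.encode(authorityKeyId));
            return authorityKeyIdHex.equals(subjectKeyIdHex);
        } catch (IllegalArgumentException e) {
            // Raised by the ASN.1 helpers when an extension value is not well formed.
            LOGGER.severe("[CertVerify] catch Exception: " + e.getMessage());
            return false;
        } catch (ExceptionInInitializerError e) {
            // Kept from the original code, which guarded the ASN.1 parsing against this error.
            LOGGER.severe("[CertVerify] catch Exception: " + e.getMessage());
            return false;
        }
    }
}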
