package kz.arta.synergy.dao;

import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import kz.arta.synergy.BundleLog;
import kz.gov.pki.kalkan.asn1.ASN1EncodableVector;
import kz.gov.pki.kalkan.asn1.ASN1InputStream;
import kz.gov.pki.kalkan.asn1.DEREncodableVector;
import kz.gov.pki.kalkan.asn1.DERObject;
import kz.gov.pki.kalkan.asn1.DERObjectIdentifier;
import kz.gov.pki.kalkan.asn1.DEROctetString;
import kz.gov.pki.kalkan.asn1.DERPrintableString;
import kz.gov.pki.kalkan.asn1.DERSequence;
import kz.gov.pki.kalkan.asn1.DERSet;
import kz.gov.pki.kalkan.asn1.DERUTCTime;
import kz.gov.pki.kalkan.asn1.DERUTF8String;
import kz.gov.pki.kalkan.asn1.cms.Attribute;
import kz.gov.pki.kalkan.asn1.cms.AttributeTable;
import kz.gov.pki.kalkan.asn1.cryptopro.CryptoProObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.knca.KNCAObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.ocsp.OCSPObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.pkcs.PKCSObjectIdentifiers;
import kz.gov.pki.kalkan.asn1.x509.AlgorithmIdentifier;
import kz.gov.pki.kalkan.asn1.x509.X509Extension;
import kz.gov.pki.kalkan.asn1.x509.X509Extensions;
import kz.gov.pki.kalkan.asn1.x509.X509Name;
import kz.gov.pki.kalkan.jce.provider.cms.CMSProcessableByteArray;
import kz.gov.pki.kalkan.jce.provider.cms.CMSSignedData;
import kz.gov.pki.kalkan.jce.provider.cms.CMSSignedDataGenerator;
import kz.gov.pki.kalkan.jce.provider.cms.SignerInformation;
import kz.gov.pki.kalkan.jce.provider.cms.SignerInformationStore;
import kz.gov.pki.kalkan.ocsp.BasicOCSPResp;
import kz.gov.pki.kalkan.ocsp.CertificateID;
import kz.gov.pki.kalkan.ocsp.OCSPReqGenerator;
import kz.gov.pki.kalkan.ocsp.OCSPResp;
import kz.gov.pki.kalkan.ocsp.RevokedStatus;
import kz.gov.pki.kalkan.ocsp.UnknownStatus;
import kz.gov.pki.kalkan.tsp.TSPAlgorithms;
import kz.gov.pki.kalkan.tsp.TSPException;
import kz.gov.pki.kalkan.tsp.TimeStampRequest;
import kz.gov.pki.kalkan.tsp.TimeStampRequestGenerator;
import kz.gov.pki.kalkan.tsp.TimeStampResponse;
import kz.gov.pki.kalkan.tsp.TimeStampToken;

/* loaded from: input_file:kz/arta/synergy/dao/EsedoSignUtils.class */
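/**
 * Produces CMS signatures for the ESEDO document exchange.
 *
 * <p>{@link #sign(byte[], List)} builds a signed-attribute set (content digest
 * attribute, signing time, joined file names, signer DN, content type,
 * description and a freshly fetched OCSP response), signs it with the
 * signer's private key, and then attaches an RFC 3161 time-stamp token
 * obtained from {@link #TSP_URL} as an unsigned attribute.
 *
 * <p>All cryptographic operations are requested from the "KALKAN" provider;
 * that provider must be registered with the JCA before this class is used.
 *
 * <p>Not thread-safe: {@link #caCertificate} and {@link #nonce} are
 * per-request scratch state written during {@link #getOcspResponse()}.
 */
public class EsedoSignUtils {
    /** Classpath resource holding the issuer certificate for RSA signer certs. */
    private static final String CA_RSA_CERT = "ca/pki_rsa.cer";
    /** Classpath resource holding the issuer certificate for GOST signer certs. */
    private static final String CA_GOST_CERT = "ca/pki_gost.cer";
    /** Certificate of the signer; its signature-algorithm OID selects the CMS digest. */
    private final X509Certificate x509Certificate;
    /** Issuer certificate loaded from the classpath for the OCSP request; set per request. */
    private X509Certificate caCertificate;
    /** Private key matching {@link #x509Certificate}. */
    private final PrivateKey privateKey;
    /** OCSP request nonce generated in {@link #generateExtensions()}; compared in {@link #makeOcspResponse}. */
    private byte[] nonce;
    /** Separator used when several file names are joined into one attribute value. */
    public static final String TOSIGN_FILE_NAMES_SEPARATOR = "<>";
    public static final String OID_SIGNING_TIME = "1.2.840.113549.1.9.5";
    public static final String OID_DIGEST = "1.2.840.113549.1.9.4";
    public static final String OID_CONTENT_TYPE = "1.2.840.113549.1.9.3";
    public static final String OID_CONTENT_DATA = "1.2.840.113549.1.7.1";
    public static final String OID_FILE_NAMES = "1.2.840.113549.1.9.77";
    public static final String OID_DESCRIPTION = "1.2.840.113549.1.9.13";
    public static final String OID_DN_NAME = "1.3.6.1.4.1.6801.2.8";
    private static final String DESCR_SYNERGY = "ESEDO";
    public static final String OID_SIGNED_DATA = "1.2.840.113549.1.7.2";
    /**
     * OCSP responder endpoint. Plain HTTP is usual for OCSP because the response
     * is signed; note that {@link #makeOcspResponse} only logs the verification result.
     */
    static final String OCSP_URL = "http://ocsp.pki.gov.kz";
    public static final DERObjectIdentifier OID_OCSP_BASIC = new DERObjectIdentifier("1.3.6.1.5.5.7.48.1.1");
    /** Time-stamp authority endpoint. Left non-final so it can be reassigned by callers. */
    static String TSP_URL = "http://tsp.pki.gov.kz";

    /* loaded from: input_file:kz/arta/synergy/dao/EsedoSignUtils$SynergyDerSet.class */
    /**
     * A DER SET populated from a vector in the order given, i.e. without the
     * canonical DER sorting applied by the library's own constructors.
     * Not used by this class itself; kept for callers.
     */
    class SynergyDerSet extends DERSet {
        public SynergyDerSet(DEREncodableVector dEREncodableVector) {
            for (int i = 0; i != dEREncodableVector.size(); i++) {
                addObject(dEREncodableVector.get(i));
            }
        }
    }

    /**
     * Creates a signer bound to one certificate/key pair.
     *
     * @param x509Certificate the signer certificate, embedded in the CMS structure
     * @param privateKey      the private key used to sign
     */
    public EsedoSignUtils(X509Certificate x509Certificate, PrivateKey privateKey) {
        this.x509Certificate = x509Certificate;
        this.privateKey = privateKey;
    }

    /**
     * Signs Base64-encoded content and returns the CMS structure Base64-encoded.
     *
     * @param str  Base64 text of the content to sign
     * @param list file names to record in the signed attributes, or {@code null} to omit them
     * @return Base64 of the DER-encoded CMS SignedData
     * @throws IllegalArgumentException if {@code str} is not valid Base64
     * @throws Exception on any signing, OCSP or time-stamp failure
     */
    public String signBase64(String str, List<String> list) throws Exception {
        byte[] content = Base64.getDecoder().decode(str);
        return Base64.getEncoder().encodeToString(sign(content, list));
    }

    /**
     * Signs Base64-encoded content and returns the raw DER-encoded CMS structure.
     *
     * @param str  Base64 text of the content to sign
     * @param list file names to record in the signed attributes, or {@code null} to omit them
     * @return DER-encoded CMS SignedData
     * @throws IllegalArgumentException if {@code str} is not valid Base64
     * @throws Exception on any signing, OCSP or time-stamp failure
     */
    public byte[] sign(String str, List<String> list) throws Exception {
        return sign(Base64.getDecoder().decode(str), list);
    }

    /**
     * Core signing routine: fetches OCSP status, builds the signed attributes,
     * signs with the digest matching the certificate's algorithm and attaches a
     * time-stamp token.
     *
     * @param content   the bytes being signed (encapsulated content is omitted from the output)
     * @param fileNames file names to record, or {@code null}
     * @return DER-encoded CMS SignedData
     * @throws Exception if the certificate algorithm is unsupported or any remote step fails
     */
    private byte[] sign(byte[] content, List<String> fileNames) throws Exception {
        BundleLog.LOG.info("v21");
        BasicOCSPResp ocspResponse = getOcspResponse();
        AttributeTable signedAttributes = buildSignedAttributes(content, fileNames, ocspResponse);
        CertStore certStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(this.x509Certificate)), "KALKAN");
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        String digestAlgorithm = digestAlgorithmFor(this.x509Certificate.getSigAlgOID());
        generator.addSigner(this.privateKey, this.x509Certificate, digestAlgorithm, signedAttributes, (AttributeTable) null);
        generator.addCertificatesAndCRLs(certStore);
        // "false": detached signature, the content itself is not encapsulated.
        CMSSignedData signedData = generator.generate(new CMSProcessableByteArray(content), false, "KALKAN");
        return addTimeStampAttribute(signedData).getEncoded();
    }

    /**
     * Assembles the signed-attribute table in the order the original implementation used.
     *
     * @param content      the bytes being signed
     * @param fileNames    file names, or {@code null} to omit the attribute
     * @param ocspResponse OCSP response to embed, or {@code null} to omit it
     * @return the attribute table passed to the CMS generator
     * @throws Exception if the OCSP response cannot be encoded
     */
    private AttributeTable buildSignedAttributes(byte[] content, List<String> fileNames, BasicOCSPResp ocspResponse)
            throws Exception {
        ASN1EncodableVector attrs = new ASN1EncodableVector();
        // NOTE(review): the message-digest attribute is filled with the raw
        // content rather than its digest; presumably the generator replaces it
        // with the real digest before signing — confirm against the provider.
        attrs.add(new Attribute(new DERObjectIdentifier(OID_DIGEST), new DERSet(new DEROctetString(content))));
        Attribute signingTime = new Attribute(new DERObjectIdentifier(OID_SIGNING_TIME), new DERSet(new DERUTCTime(new Date())));
        attrs.add(signingTime);
        BundleLog.LOG.info("TIME: " + signingTime.getDERObject().toString());
        BundleLog.LOG.info("DEFAULT CHARSET: " + Charset.defaultCharset());
        if (fileNames != null) {
            DERUTF8String joined = new DERUTF8String(joinFileNames(fileNames).getBytes(StandardCharsets.UTF_8));
            BundleLog.LOG.info("filename: " + joined.getString());
            attrs.add(new Attribute(new DERObjectIdentifier(OID_FILE_NAMES), new DERSet(joined)));
        }
        attrs.add(new Attribute(new DERObjectIdentifier(OID_DN_NAME),
                new DERSet(new X509Name(this.x509Certificate.getSubjectDN().getName()))));
        attrs.add(new Attribute(new DERObjectIdentifier(OID_CONTENT_TYPE),
                new DERSet(new DERObjectIdentifier(OID_CONTENT_DATA))));
        attrs.add(new Attribute(new DERObjectIdentifier(OID_DESCRIPTION),
                new DERSet(new DERPrintableString(DESCR_SYNERGY))));
        // getOcspResponse() never returns null as written; the guard is kept defensively.
        if (ocspResponse != null) {
            attrs.add(new Attribute(OID_OCSP_BASIC, new DERSet(new DEROctetString(ocspResponse.getEncoded()))));
        }
        return new AttributeTable(attrs);
    }

    /**
     * Joins file names with {@link #TOSIGN_FILE_NAMES_SEPARATOR}. The separator is
     * emitted only once something has been appended, so an empty leading entry
     * produces no separator (behaviour preserved from the original loop).
     *
     * @param fileNames names to join; an empty list yields ""
     * @return the joined string
     */
    private static String joinFileNames(List<String> fileNames) {
        StringBuilder sb = new StringBuilder();
        for (String name : fileNames) {
            if (sb.length() > 0) {
                sb.append(TOSIGN_FILE_NAMES_SEPARATOR);
            }
            sb.append(name);
        }
        return sb.toString();
    }

    /**
     * Maps the signer certificate's signature-algorithm OID to the CMS digest
     * identifier the generator should use.
     *
     * @param sigAlgOid the certificate's {@code getSigAlgOID()} value
     * @return one of the {@code CMSSignedDataGenerator.DIGEST_*} constants
     * @throws Exception if the OID is not one of the supported RSA/GOST algorithms
     */
    private static String digestAlgorithmFor(String sigAlgOid) throws Exception {
        if (PKCSObjectIdentifiers.sha1WithRSAEncryption.getId().equals(sigAlgOid)) {
            return CMSSignedDataGenerator.DIGEST_SHA1;
        }
        if (PKCSObjectIdentifiers.sha256WithRSAEncryption.getId().equals(sigAlgOid)) {
            return CMSSignedDataGenerator.DIGEST_SHA256;
        }
        if (KNCAObjectIdentifiers.gost34311_95_with_gost34310_2004.getId().equals(sigAlgOid)) {
            return CMSSignedDataGenerator.DIGEST_GOST34311_95;
        }
        if (CryptoProObjectIdentifiers.gostR3411_94_with_gostR34310_2004.getId().equals(sigAlgOid)) {
            return CMSSignedDataGenerator.DIGEST_GOST3411_GT;
        }
        if (KNCAObjectIdentifiers.gost3411_2015_with_gost3410_2015_256.getId().equals(sigAlgOid)) {
            return CMSSignedDataGenerator.DIGEST_GOST3411_2015_256;
        }
        if (KNCAObjectIdentifiers.gost3411_2015_with_gost3410_2015_512.getId().equals(sigAlgOid)) {
            return CMSSignedDataGenerator.DIGEST_GOST3411_2015_512;
        }
        // Original threw a bare Exception here; the OID is included so the failure is diagnosable.
        throw new Exception("Unsupported certificate signature algorithm OID: " + sigAlgOid);
    }

    /**
     * Attaches an RFC 3161 time-stamp token over the first signer's signature
     * value as the {@code id-aa-signatureTimeStampToken} unsigned attribute.
     * Any previously present unsigned attributes of that signer are replaced;
     * only the first SignerInfo is time-stamped, which matches the single
     * signer added in {@link #sign(byte[], List)}.
     *
     * @param signedData the freshly generated CMS structure
     * @return a copy of {@code signedData} with the time-stamped signer
     * @throws Exception if no signer is present or the TSA exchange fails
     */
    private CMSSignedData addTimeStampAttribute(CMSSignedData signedData) throws Exception {
        SignerInformationStore signerInfos = signedData.getSignerInfos();
        Iterator<?> signerIt = signerInfos.getSigners().iterator();
        if (!signerIt.hasNext()) {
            throw new Exception("CMS structure contains no SignerInfo to time-stamp");
        }
        SignerInformation signer = (SignerInformation) signerIt.next();
        TimeStampToken token = getTSTInfo(signer.getSignature(), TSPAlgorithms.GOST34311);
        DERObject tokenObject;
        try (ASN1InputStream in = new ASN1InputStream(token.getEncoded())) {
            tokenObject = in.readObject();
        }
        ASN1EncodableVector unsignedAttrs = new ASN1EncodableVector();
        unsignedAttrs.add(new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, new DERSet(tokenObject)));
        SignerInformation stamped = SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(unsignedAttrs));
        return CMSSignedData.replaceSigners(signedData,
                new SignerInformationStore(Collections.singletonList(stamped)));
    }

    /**
     * Requests a time-stamp token for {@code signature} from {@link #TSP_URL}.
     *
     * @param signature          the signature value to be time-stamped
     * @param digestAlgorithmOid digest algorithm OID used for the message imprint
     * @return the validated time-stamp token
     * @throws TSPException if the response fails validation, carries no token,
     *                      or the TSA certificate cannot be found in it
     * @throws Exception    on I/O or provider errors
     */
    private TimeStampToken getTSTInfo(byte[] signature, String digestAlgorithmOid) throws Exception {
        TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
        reqGen.setCertReq(true);
        reqGen.setReqPolicy(KNCAObjectIdentifiers.tsa_gost_policy.getId());
        // Random rather than wall-clock nonce so it cannot be predicted; the
        // response is checked against it in validate() below.
        BigInteger reqNonce = new BigInteger(64, new SecureRandom());
        MessageDigest md = MessageDigest.getInstance(digestAlgorithmOid, "KALKAN");
        TimeStampRequest request = reqGen.generate(digestAlgorithmOid, md.digest(signature), reqNonce);

        HttpURLConnection conn = (HttpURLConnection) new URL(TSP_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/timestamp-query");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(request.getEncoded());
        }
        TimeStampResponse response;
        try (InputStream in = conn.getInputStream()) {
            response = new TimeStampResponse(in);
        }
        BundleLog.LOG.info("status: " + response.getStatus());
        BundleLog.LOG.info("info: " + response.getFailInfo());
        BundleLog.LOG.info(response.getStatusString());
        // Checks the response against what was requested (nonce, imprint, policy).
        response.validate(request);
        TimeStampToken token = response.getTimeStampToken();
        if (token == null) {
            // validate() may not reject a non-granted status on its own; the
            // original code would have hit a NullPointerException here instead.
            throw new TSPException("TSA returned no time-stamp token, status: " + response.getStatus()
                    + " " + response.getStatusString());
        }
        CertSelector sid = token.getSID();
        BundleLog.LOG.info("constraints: " + sid);
        Iterator<? extends Certificate> certs = token.toCMSSignedData()
                .getCertificatesAndCRLs("Collection", "KALKAN").getCertificates(sid).iterator();
        if (!certs.hasNext()) {
            throw new TSPException("Validating certificate not found");
        }
        BundleLog.LOG.info("Validating...");
        // NOTE(review): the TSA certificate is taken from the token itself, so
        // this proves internal consistency only; it does not chain the TSA to a
        // trust anchor.
        token.validate((X509Certificate) certs.next(), "KALKAN");
        BundleLog.LOG.info(" ok!");
        return token;
    }

    /**
     * Fetches the OCSP status of {@link #x509Certificate} from {@link #OCSP_URL}.
     * Side effects: sets {@link #caCertificate} and (via the request builder)
     * {@link #nonce}.
     *
     * @return the parsed basic OCSP response
     * @throws Exception on I/O errors or a non-successful OCSP response status
     */
    private BasicOCSPResp getOcspResponse() throws Exception {
        this.caCertificate = generateCACert();
        BundleLog.LOG.info("SN: " + this.x509Certificate.getSerialNumber());
        byte[] request = getOcspPackage(this.x509Certificate.getSerialNumber(), this.caCertificate, CertificateID.HASH_SHA1);
        HttpURLConnection conn = (HttpURLConnection) new URL(OCSP_URL).openConnection();
        conn.setDoOutput(true);
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/ocsp-request");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(request);
        }
        return makeOcspResponse(conn);
    }

    /**
     * Reads and parses the OCSP response from an already-submitted request.
     * The nonce match, signature verification and certificate status are only
     * logged; the response is returned regardless and embedded into the signature.
     *
     * @param conn connection on which the OCSP request has been written
     * @return the basic OCSP response
     * @throws Exception if the response status is not successful, or it carries
     *                   no responder certificate or no single response
     */
    private BasicOCSPResp makeOcspResponse(HttpURLConnection conn) throws Exception {
        OCSPResp ocspResp;
        try (InputStream in = conn.getInputStream()) {
            ocspResp = new OCSPResp(in);
        }
        if (ocspResp.getStatus() != 0) {
            throw new Exception("Unsuccessful request. Status: " + ocspResp.getStatus());
        }
        BasicOCSPResp basic = (BasicOCSPResp) ocspResp.getResponseObject();

        byte[] nonceExtension = basic.getExtensionValue(OCSPObjectIdentifiers.id_pkix_ocsp_nonce.getId());
        if (nonceExtension != null) {
            // NOTE(review): a mismatch is only logged; a replayed response would still be accepted here.
            BundleLog.LOG.info("nonces are equal: " + Arrays.equals(this.nonce, unwrapNonce(nonceExtension)));
        }

        X509Certificate[] responderCerts = basic.getCerts("KALKAN");
        if (responderCerts == null || responderCerts.length == 0) {
            throw new Exception("OCSP response carries no responder certificate");
        }
        BundleLog.LOG.info("OCSP Response sigAlg: " + basic.getSignatureAlgName());
        // NOTE(review): verification uses the certificate shipped inside the
        // response and the result is only logged, so a response that fails to
        // verify is not rejected here.
        BundleLog.LOG.info("OCSP Response verify: " + basic.verify(responderCerts[0].getPublicKey(), "KALKAN"));

        if (basic.getResponses().length == 0) {
            throw new Exception("OCSP response contains no SingleResponse");
        }
        // null means GOOD in this API; revoked/unknown are distinct status objects.
        Object certStatus = basic.getResponses()[0].getCertStatus();
        if (certStatus == null) {
            BundleLog.LOG.info("OCSP Response is GOOD");
        } else if (certStatus instanceof RevokedStatus) {
            // NOTE(review): signing continues even when the signer certificate is reported revoked.
            RevokedStatus revoked = (RevokedStatus) certStatus;
            BundleLog.LOG.info("OCSP Response is REVOKED");
            if (revoked.hasRevocationReason()) {
                BundleLog.LOG.info("Time: " + revoked.getRevocationTime());
                BundleLog.LOG.info("Reason: " + revoked.getRevocationReason());
            }
        } else if (certStatus instanceof UnknownStatus) {
            BundleLog.LOG.info("OCSP Response is UNKNOWN");
        }
        return basic;
    }

    /**
     * Extracts the nonce bytes from a raw {@code id-pkix-ocsp-nonce} extension
     * value: the extnValue OCTET STRING wraps the DER encoding of the nonce
     * OCTET STRING, mirroring how {@link #generateExtensions()} builds it.
     *
     * @param extensionValue raw extension value as returned by {@code getExtensionValue}
     * @return the inner nonce octets
     * @throws Exception if either layer is not a well-formed OCTET STRING
     */
    private static byte[] unwrapNonce(byte[] extensionValue) throws Exception {
        DERObject outer;
        try (ASN1InputStream in = new ASN1InputStream(extensionValue)) {
            outer = in.readObject();
        }
        try (ASN1InputStream in = new ASN1InputStream(DEROctetString.getInstance(outer).getOctets())) {
            return DEROctetString.getInstance(in.readObject()).getOctets();
        }
    }

    /**
     * Loads the issuer certificate bundled on the classpath, choosing the RSA or
     * GOST file by the signer certificate's signature-algorithm name.
     *
     * @return the issuer certificate
     * @throws Exception if the resource is missing or cannot be parsed
     */
    private X509Certificate generateCACert() throws Exception {
        String algName = this.x509Certificate.getSigAlgName().toUpperCase(Locale.ROOT);
        String resource = algName.contains("RSA") ? CA_RSA_CERT : CA_GOST_CERT;
        try (InputStream in = EsedoSignUtils.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                // The original would have handed null to the CertificateFactory.
                throw new Exception("Issuer certificate resource not found on classpath: " + resource);
            }
            return (X509Certificate) CertificateFactory.getInstance("X.509", "KALKAN").generateCertificate(in);
        }
    }

    /**
     * Encodes an OCSP request for one certificate, with the nonce and
     * preferred-signature-algorithm extensions from {@link #generateExtensions()}.
     *
     * @param serialNumber      serial number of the certificate being checked
     * @param issuerCertificate the issuer used to compute the CertID hashes
     * @param hashAlgorithm     CertID hash algorithm (e.g. {@code CertificateID.HASH_SHA1})
     * @return DER-encoded OCSPRequest
     * @throws Exception on provider or encoding errors
     */
    private byte[] getOcspPackage(BigInteger serialNumber, X509Certificate issuerCertificate, String hashAlgorithm)
            throws Exception {
        OCSPReqGenerator reqGen = new OCSPReqGenerator();
        reqGen.addRequest(new CertificateID(hashAlgorithm, issuerCertificate, serialNumber, "KALKAN"));
        reqGen.setRequestExtensions(generateExtensions());
        return reqGen.generate().getEncoded();
    }

    /**
     * Builds the OCSP request extensions: a fresh 8-byte random nonce (stored in
     * {@link #nonce} for the later comparison) and a preferred-signature-algorithms
     * list naming GOST 34.311-95 / 34.310-2004.
     *
     * @return the extensions block for the request
     */
    private X509Extensions generateExtensions() {
        this.nonce = new byte[8];
        new SecureRandom().nextBytes(this.nonce);
        Hashtable<DERObjectIdentifier, X509Extension> extensions = new Hashtable<>();
        // extnValue is an OCTET STRING whose contents are the DER of the nonce OCTET STRING.
        extensions.put(OCSPObjectIdentifiers.id_pkix_ocsp_nonce,
                new X509Extension(false, new DEROctetString(new DEROctetString(this.nonce))));

        ASN1EncodableVector preferredAlg = new ASN1EncodableVector();
        preferredAlg.add(new AlgorithmIdentifier(KNCAObjectIdentifiers.gost34311_95_with_gost34310_2004));
        ASN1EncodableVector preferredAlgs = new ASN1EncodableVector();
        preferredAlgs.add(new DERSequence(preferredAlg));
        extensions.put(OCSPObjectIdentifiers.id_pkix_ocsp_pref_sig_algs,
                new X509Extension(false, new DEROctetString(new DERSequence(preferredAlgs))));
        return new X509Extensions(extensions);
    }
}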
