package com.citicbank.baselib.crypto.manager;

import cfca.sadk.x509.certificate.X509CRL;
import cfca.sadk.x509.certificate.X509Cert;
import com.citicbank.baselib.crypto.exception.TrustCertificateManagerException;
import com.citicbank.baselib.crypto.exception.TrustManagerException;
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.FilenameFilter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: input_file:com/citicbank/baselib/crypto/manager/TrustManager.class */
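/**
 * Process-wide trust store for X.509 certificate chains, backed by CFCA SADK certificate objects.
 *
 * <p>Trust anchors are kept in memory, keyed by subject distinguished name. A chain is verified by
 * checking each certificate's validity period, the signature of each element against the element
 * that follows it, the optional CRL, and finally that the last element's issuer is a stored anchor.
 *
 * <p>Notes for maintainers (behaviour inherited from the original implementation):
 * <ul>
 *   <li>The trust store is a plain {@code HashMap}, mutated by the {@code add*} methods and read by
 *       the {@code verify} methods without synchronization; only {@link #getInstance()} is
 *       synchronized. Concurrent add/verify calls on the singleton are not safe.</li>
 *   <li>Only signatures are checked between chain elements: there is no basic-constraints (CA flag)
 *       check and no issuer/subject name-chaining check on the certificate used as issuer. Review
 *       this if callers present chains assembled from untrusted input.</li>
 *   <li>Revocation is only checked once a CRL has been successfully loaded through
 *       {@link #setCrlPath(String)}; a failed load is silent and leaves the previous CRL (or none).</li>
 * </ul>
 */
public class TrustManager {
    private static final String PEM_BEGIN = "-----BEGIN";
    private static final String PEM_END = "-----END";
    private static final String CERT_FILE_SUFFIX = ".crt";

    /** Trust anchors keyed by subject DN as returned by {@code getSubjectX500Principal().getName()}. */
    private final Map<String, X509Certificate> hmTrustStore = new HashMap<>();
    /** Currently loaded CRL, or {@code null} when no CRL has been loaded successfully. */
    private X509CRL crl = null;
    /** File system path the CRL is (re)loaded from; {@code null} until {@link #setCrlPath} is called. */
    private String crlPath = null;
    private static TrustManager trustMan = null;

    /** Selects the files in a trusted directory that are treated as PEM certificates. */
    private static final class CertFilenameFilter implements FilenameFilter {
        @Override
        public boolean accept(File dir, String name) {
            return name.endsWith(CERT_FILE_SUFFIX);
        }
    }

    private TrustManager() {
    }

    /**
     * Returns the lazily created singleton.
     *
     * @return the shared trust manager
     */
    public static synchronized TrustManager getInstance() {
        if (trustMan == null) {
            trustMan = new TrustManager();
        }
        return trustMan;
    }

    /**
     * Validates a chain and registers every certificate in it as a trust anchor.
     *
     * <p>Each element is checked for validity period, signature (against the next element) and
     * revocation; the last element is only checked for validity period — its own signature is not
     * verified against anything, so it is trusted as given. All elements, intermediates included,
     * are then stored keyed by subject DN, replacing any earlier entry with the same DN.
     *
     * @param x509CertificateArr chain ordered from end-entity/intermediate to anchor; {@code null}
     *     is ignored (historical contract)
     * @throws TrustManagerException if the chain is empty, a signature does not verify, a
     *     certificate is revoked, or the revocation check itself fails
     * @throws CertificateExpiredException if an element is past its {@code notAfter}
     * @throws CertificateNotYetValidException if an element is before its {@code notBefore}
     */
    public void addTrustedChain(X509Certificate[] x509CertificateArr) throws TrustManagerException, CertificateExpiredException, CertificateNotYetValidException {
        if (x509CertificateArr == null) {
            return;
        }
        if (x509CertificateArr.length == 0) {
            // The original indexed [length - 1] here and failed with an array exception.
            throw new TrustManagerException("证书链参数不能为空!");
        }
        verifyChainLinks(x509CertificateArr);
        X509Certificate anchor = x509CertificateArr[x509CertificateArr.length - 1];
        checkDateValidity(anchor, new Date());
        for (X509Certificate cert : x509CertificateArr) {
            this.hmTrustStore.put(cert.getSubjectX500Principal().getName(), cert);
        }
    }

    /**
     * Alias of {@link #addTrustedChain(X509Certificate[])}.
     *
     * @param x509CertificateArr chain to register
     * @throws TrustManagerException see {@link #addTrustedChain(X509Certificate[])}
     * @throws CertificateExpiredException see {@link #addTrustedChain(X509Certificate[])}
     * @throws CertificateNotYetValidException see {@link #addTrustedChain(X509Certificate[])}
     */
    public void addTrustPath(X509Certificate[] x509CertificateArr) throws TrustManagerException, CertificateExpiredException, CertificateNotYetValidException {
        addTrustedChain(x509CertificateArr);
    }

    /**
     * Registers every {@code .crt} file in a directory as a single-certificate trusted chain.
     *
     * <p>Each file is read as PEM text (optional {@code -----BEGIN} line, Base64 body, optional
     * {@code -----END} line). Processing stops at the first file that fails; certificates from
     * earlier files in the same directory remain registered.
     *
     * @param str directory path
     * @throws TrustManagerException if {@code str} is {@code null}, is not a readable directory, or
     *     any file cannot be read, parsed or validated
     */
    public void addTrustedDirectory(String str) throws TrustManagerException {
        if (str == null) {
            throw new TrustManagerException("设置信任证书链目录失败，无效的参数。");
        }
        File[] certFiles = new File(str).listFiles(new CertFilenameFilter());
        if (certFiles == null) {
            // listFiles() returns null when the path does not denote a readable directory.
            throw new TrustManagerException("设置信任证书链目录失败，无效的目录：" + str);
        }
        try {
            for (File certFile : certFiles) {
                addTrustedChain(new X509Certificate[]{parseCertificate(readPemBody(certFile))});
            }
        } catch (Exception e) {
            // Uniform checked type at this boundary so no malformed file is ever silently skipped.
            throw new TrustManagerException("设置信任证书链目录失败", e);
        }
    }

    /**
     * Non-throwing variant of {@link #addTrustedDirectory(String)}.
     *
     * @param str directory path
     * @return {@code true} if every certificate file was registered, {@code false} otherwise
     */
    public boolean addTrustAuthority(String str) {
        try {
            addTrustedDirectory(str);
            return true;
        } catch (TrustManagerException ignored) {
            // Failure is reported through the return value by contract.
            return false;
        }
    }

    /**
     * Registers one Base64-encoded DER certificate as a trusted anchor.
     *
     * @param bArr Base64 text of the certificate
     * @throws TrustManagerException if {@code bArr} is {@code null}, cannot be decoded, or fails
     *     validity checks
     */
    public void addTrustedCertificate(byte[] bArr) throws TrustManagerException {
        if (bArr == null) {
            throw new TrustManagerException("添加信任证书失败，无效的参数。");
        }
        try {
            addTrustedChain(new X509Certificate[]{parseCertificate(bArr)});
        } catch (Exception e) {
            throw new TrustManagerException("添加信任证书失败", e);
        }
    }

    /**
     * Non-throwing variant of {@link #addTrustedCertificate(byte[])} taking Base64 text.
     *
     * @param str Base64 text of the certificate; {@code null} yields {@code false}
     * @return {@code true} if the certificate was registered, {@code false} otherwise
     */
    public boolean addTrust(String str) {
        if (str == null) {
            return false;
        }
        try {
            // Base64 is pure ASCII; an explicit charset avoids platform-dependent decoding.
            addTrustedCertificate(str.getBytes(StandardCharsets.US_ASCII));
            return true;
        } catch (TrustManagerException ignored) {
            // Failure is reported through the return value by contract.
            return false;
        }
    }

    /**
     * Sets the CRL file path and loads the CRL immediately.
     *
     * <p>A load failure is not reported: the previously loaded CRL (or none) stays in effect, in
     * which case revocation is not checked. Verify the file is loadable out of band.
     *
     * @param str path of the CRL file
     */
    public void setCrlPath(String str) {
        this.crlPath = str;
        loadCrl();
    }

    /**
     * Verifies a chain against the trust store.
     *
     * <p>Each element is checked against the next one (validity period, signature, revocation);
     * the last element's issuer DN must match a stored anchor, against which it is checked the
     * same way.
     *
     * @param x509CertificateArr chain ordered from end-entity towards the anchor's child
     * @throws TrustManagerException if the chain is empty, its issuer is not a stored anchor, a
     *     signature does not verify, a certificate is revoked, or the revocation check fails
     * @throws CertificateExpiredException if an element is past its {@code notAfter}
     * @throws CertificateNotYetValidException if an element is before its {@code notBefore}
     */
    public void verify(X509Certificate[] x509CertificateArr) throws TrustManagerException, CertificateExpiredException, CertificateNotYetValidException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new TrustManagerException("证书链参数不能为空!");
        }
        verifyChainLinks(x509CertificateArr);
        X509Certificate last = x509CertificateArr[x509CertificateArr.length - 1];
        String issuerName = last.getIssuerX500Principal().getName();
        X509Certificate anchor = this.hmTrustStore.get(issuerName);
        if (anchor == null) {
            throw new TrustManagerException("证书【" + issuerName + "】不可信任!");
        }
        checkValidity(last, anchor);
    }

    /**
     * Verifies a single Base64-encoded DER certificate against the trust store.
     *
     * @param bArr Base64 text of the certificate
     * @throws TrustCertificateManagerException on any decode or verification failure
     */
    public void verify(byte[] bArr) throws TrustCertificateManagerException {
        try {
            verify(new X509Certificate[]{parseCertificate(bArr)});
        } catch (Exception e) {
            throw new TrustCertificateManagerException("verify fail", e);
        }
    }

    /**
     * Verifies a single certificate against the trust store.
     *
     * @param x509Certificate certificate whose issuer must be a stored anchor
     * @throws TrustManagerException see {@link #verify(X509Certificate[])}
     * @throws CertificateExpiredException see {@link #verify(X509Certificate[])}
     * @throws CertificateNotYetValidException see {@link #verify(X509Certificate[])}
     */
    public void verify(X509Certificate x509Certificate) throws TrustManagerException, CertificateExpiredException, CertificateNotYetValidException {
        verify(new X509Certificate[]{x509Certificate});
    }

    /** Checks each chain element against its successor; the last element is left to the caller. */
    private void verifyChainLinks(X509Certificate[] chain) throws TrustManagerException, CertificateExpiredException, CertificateNotYetValidException {
        for (int i = 0; i < chain.length - 1; i++) {
            checkValidity(chain[i], chain[i + 1]);
        }
    }

    /**
     * Checks {@code x509Certificate}: validity period, signature under the public key of
     * {@code x509Certificate2}, then revocation against the loaded CRL (if any).
     *
     * @throws TrustManagerException if the signature does not verify, the certificate is revoked,
     *     or the revocation check fails
     */
    private void checkValidity(X509Certificate x509Certificate, X509Certificate x509Certificate2) throws TrustManagerException, CertificateExpiredException, CertificateNotYetValidException {
        Date now = new Date();
        String name = x509Certificate.getSubjectX500Principal().getName();
        checkDateValidity(x509Certificate, now);
        try {
            x509Certificate.verify(x509Certificate2.getPublicKey());
        } catch (Exception e) {
            // Any failure of the signature check (including unexpected runtime errors) is fail-closed.
            throw new TrustManagerException("证书【" + name + "】不可信任!使用" + x509Certificate2.getSubjectX500Principal().getName() + "校验用户证书签名失败", e);
        }
        // Done outside the signature try/catch so a revoked certificate is reported as revoked
        // instead of being re-wrapped as a signature failure.
        checkRevocation(x509Certificate, name, now);
    }

    /** Throws the matching exception if {@code now} lies outside the certificate's validity period. */
    private static void checkDateValidity(X509Certificate cert, Date now) throws CertificateExpiredException, CertificateNotYetValidException {
        String name = cert.getSubjectX500Principal().getName();
        if (now.before(cert.getNotBefore())) {
            throw new CertificateNotYetValidException("证书【" + name + "】尚未生效!");
        }
        if (now.after(cert.getNotAfter())) {
            throw new CertificateExpiredException("证书【" + name + "】已经过期!");
        }
    }

    /**
     * Checks the certificate's serial number against the loaded CRL. When no CRL is loaded the check
     * is skipped. A CRL whose next-update time has passed is reloaded first; if that reload fails the
     * stale CRL remains in use.
     */
    private void checkRevocation(X509Certificate cert, String name, Date now) throws TrustManagerException {
        if (this.crl == null) {
            return;
        }
        boolean revoked;
        try {
            if (this.crl.getNextUpdate().before(now)) {
                loadCrl();
            }
            revoked = this.crl.isRevoke(cert.getSerialNumber());
        } catch (Exception e) {
            throw new TrustManagerException("证书【" + name + "】吊销状态检查失败", e);
        }
        if (revoked) {
            throw new TrustManagerException("证书【" + name + "】已被吊销!");
        }
    }

    /**
     * Reads the Base64 body of a PEM-style certificate file.
     *
     * <p>An optional leading {@code -----BEGIN} line is skipped; body lines are concatenated until a
     * {@code -----END} line or end of file. A file that has no body line is rejected.
     *
     * @return the body as ASCII bytes, ready for Base64 decoding
     * @throws IOException if the file cannot be read
     * @throws TrustManagerException if the file is empty
     */
    private static byte[] readPemBody(File certFile) throws IOException, TrustManagerException {
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(new FileInputStream(certFile), StandardCharsets.US_ASCII))) {
            String line = reader.readLine();
            if (line != null && line.startsWith(PEM_BEGIN)) {
                line = reader.readLine();
            }
            if (line == null) {
                throw new TrustManagerException("证书文件为空：" + certFile.getPath());
            }
            StringBuilder body = new StringBuilder();
            while (line != null && !line.startsWith(PEM_END)) {
                body.append(line);
                line = reader.readLine();
            }
            return body.toString().getBytes(StandardCharsets.US_ASCII);
        }
    }

    /**
     * Decodes Base64 text into the library's certificate wrapper.
     *
     * @param base64Der Base64 text of a DER certificate
     * @throws TrustManagerException if the input is {@code null} or cannot be decoded/parsed, so
     *     malformed input can never be mistaken for a certificate
     */
    private static X509Certificate parseCertificate(byte[] base64Der) throws TrustManagerException {
        if (base64Der == null) {
            throw new TrustManagerException("证书数据不能为空!");
        }
        try {
            return new com.citicbank.baselib.crypto.protocol.X509Certificate(new X509Cert(Base64.decode(base64Der)));
        } catch (Exception e) {
            throw new TrustManagerException("证书解析失败", e);
        }
    }

    /**
     * Loads the CRL from {@link #crlPath} into {@link #crl}.
     *
     * <p>Best effort, as in the original: a missing path, unreadable file or malformed CRL leaves
     * {@code crl} unchanged ({@code null} until the first successful load) and is not reported, so
     * revocation checking is silently skipped. Callers of {@link #setCrlPath} cannot observe this.
     */
    private void loadCrl() {
        if (this.crlPath == null) {
            return;
        }
        try (FileInputStream in = new FileInputStream(this.crlPath)) {
            this.crl = new X509CRL(in);
        } catch (Exception ignored) {
            // Deliberate best-effort load; see the method comment.
        }
    }
}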
