package com.huawei.wienerchain.security;

import com.huawei.wienerchain.exception.ConfigException;
import com.huawei.wienerchain.exception.CryptoException;
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Objects;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;

/* loaded from: input_file:com/huawei/wienerchain/security/CryptoX509.class */
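/**
 * Base class for the X.509-certificate-backed {@link Crypto} implementations.
 *
 * <p>Holds the PEM private key and the encoded certificate exactly as they were loaded, parses the
 * private key once, and derives subject attributes (CN, O) from the certificate. Subclasses supply
 * the {@link CertificateFactory} used to decode the stored certificate.
 *
 * <p>Loading this class has a JVM-wide side effect: the static initializer removes the {@code SunEC}
 * provider and registers Bouncy Castle (see the static block at the bottom). Other code in the same
 * JVM that relies on {@code SunEC} is affected.
 */
public abstract class CryptoX509 implements Crypto {
    private static final String TYPE = "X.509";
    private static final String BC_PROVIDER_SHORT_NAME = "BC";
    private static final String SUN_EC_NAME = "SunEC";

    /** Signature algorithm names as returned by {@link X509Certificate#getSigAlgName()} for the supported curves. */
    private static final String SIG_ALG_SHA256_ECDSA = "SHA256WITHECDSA";
    private static final String SIG_ALG_SM3_SM2 = "SM3WITHSM2";

    /** Algorithm identifiers accepted in the client configuration. */
    private static final String CFG_ECDSA_WITH_SHA256 = "ecdsa_with_sha256";
    private static final String CFG_SM2_WITH_SM3 = "sm2_with_sm3";
    private static final String CFG_SM2_WITH_SM3_JAVA = "sm2_with_sm3_java";

    /** KeyFactory algorithm used to decode PKCS#8 private keys (resolved through the BC provider registered below). */
    private static final String KEY_ALGORITHM = "ECDSA";

    // Parsed form of priKey; set together with priKey by loadPrivateKey.
    private PrivateKey privateKey;
    // Private key bytes exactly as passed to loadPrivateKey (PEM text, see parsePrivateKey).
    private byte[] priKey;
    // Certificate bytes exactly as passed to loadPublicKey.
    private byte[] certBytes;
    // Factory used to decode certBytes; only set through getCrypto.
    private CertificateFactory certificateFactory;

    /**
     * Verifies that the signature algorithm of an encoded certificate matches the configured algorithm name.
     *
     * <p>{@code sm2_with_sm3_java} selects a different implementation but is validated against the same
     * SM3withSM2 certificates as {@code sm2_with_sm3}.
     *
     * @param certBytes encoded certificate
     * @param cfgAlg algorithm name from the configuration
     * @throws CryptoException if the certificate cannot be decoded or its signature algorithm is not supported
     * @throws ConfigException if the certificate's algorithm does not match {@code cfgAlg}
     */
    private static void checkCertSignAlgWithCfg(byte[] certBytes, String cfgAlg) throws CryptoException, ConfigException {
        String certAlg;
        try {
            Certificate cert = CertificateFactory.getInstance(TYPE, BC_PROVIDER_SHORT_NAME)
                    .generateCertificate(new ByteArrayInputStream(certBytes));
            String sigAlgName = cert instanceof X509Certificate ? ((X509Certificate) cert).getSigAlgName() : "";
            switch (sigAlgName) {
                case SIG_ALG_SHA256_ECDSA:
                    certAlg = CFG_ECDSA_WITH_SHA256;
                    break;
                case SIG_ALG_SM3_SM2:
                    certAlg = CFG_SM2_WITH_SM3;
                    break;
                default:
                    throw new CryptoException("Unknown certificate alg type");
            }
        } catch (NoSuchProviderException | CertificateException e) {
            throw new CryptoException("Get cert error", e);
        }
        String expected = CFG_SM2_WITH_SM3_JAVA.equals(cfgAlg) ? CFG_SM2_WITH_SM3 : cfgAlg;
        if (!certAlg.equals(expected)) {
            throw new ConfigException("The sign algorithm of cert is " + certAlg
                    + ", not consistent with sign algorithm " + expected + " in config");
        }
    }

    /**
     * Creates the {@link Crypto} implementation selected by the configured algorithm and loads the key material.
     *
     * @param str configured algorithm: {@code ecdsa_with_sha256}, {@code sm2_with_sm3} or {@code sm2_with_sm3_java}
     * @param bArr PEM-encoded PKCS#8 private key
     * @param bArr2 encoded certificate; its signature algorithm must match {@code str}
     * @return the loaded crypto instance
     * @throws CryptoException if the key or certificate cannot be decoded
     * @throws ConfigException if {@code str} is unsupported or does not match the certificate
     * @throws NullPointerException if any argument is {@code null}
     */
    public static Crypto getCrypto(String str, byte[] bArr, byte[] bArr2) throws CryptoException, ConfigException {
        Objects.requireNonNull(str, "sign algorithm");
        Objects.requireNonNull(bArr, "private key");
        Objects.requireNonNull(bArr2, "certificate");
        checkCertSignAlgWithCfg(bArr2, str);
        CryptoX509 crypto;
        switch (str) {
            case CFG_ECDSA_WITH_SHA256:
                crypto = new CryptoEcdsa();
                break;
            case CFG_SM2_WITH_SM3:
                crypto = new CryptoSm();
                break;
            case CFG_SM2_WITH_SM3_JAVA:
                crypto = new CryptoSmJava();
                break;
            default:
                throw new ConfigException("Client ssl type not support!");
        }
        crypto.loadPrivateKey(bArr);
        crypto.loadPublicKey(bArr2);
        crypto.setCertificateFactory(crypto.getCertificateFactory());
        return crypto;
    }

    /**
     * Builds a client-side gRPC {@link SslContext} (OpenSSL provider) with mutual TLS: the given key and
     * certificate identify the client, and only the given CA certificates are trusted.
     *
     * @param bArr PEM-encoded PKCS#8 client private key
     * @param bArr2 encoded client certificate
     * @param bArr3 encoded CA certificates that form the trust set; must contain at least one entry
     * @return the configured context
     * @throws CryptoException if any input cannot be decoded, is not X.509, or the trust set is empty
     * @throws NullPointerException if the key or client certificate is {@code null}
     */
    public static SslContext getSslContext(byte[] bArr, byte[] bArr2, byte[][] bArr3) throws CryptoException {
        Objects.requireNonNull(bArr, "private key");
        Objects.requireNonNull(bArr2, "client certificate");
        if (bArr3 == null || bArr3.length == 0) {
            // Fail fast with a clear error instead of handing the builder an empty trust set.
            throw new CryptoException("at least one trusted CA certificate is required");
        }
        SslContextBuilder builder = GrpcSslContexts.configure(SslContextBuilder.forClient(), SslProvider.OPENSSL);
        try {
            CertificateFactory factory = CertificateFactory.getInstance(TYPE, BC_PROVIDER_SHORT_NAME);
            PrivateKey key = parsePrivateKey(bArr);
            Certificate clientCert = factory.generateCertificate(new ByteArrayInputStream(bArr2));
            if (!(clientCert instanceof X509Certificate)) {
                throw new CryptoException("the certificate is not X.509 certificate");
            }
            builder.keyManager(key, (X509Certificate) clientCert);
            X509Certificate[] trusted = new X509Certificate[bArr3.length];
            for (int i = 0; i < bArr3.length; i++) {
                trusted[i] = toX509Certificate(factory, bArr3[i]);
            }
            builder.trustManager(trusted);
            return builder.build();
        } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException | InvalidKeySpecException e) {
            throw new CryptoException("Get SslContext error", e);
        }
    }

    /**
     * Decodes one certificate and checks that it is X.509.
     *
     * @throws CertificateException if decoding fails
     * @throws CryptoException if the decoded certificate is not an {@link X509Certificate}
     */
    private static X509Certificate toX509Certificate(CertificateFactory factory, byte[] encoded)
            throws CertificateException, CryptoException {
        Certificate cert = factory.generateCertificate(new ByteArrayInputStream(encoded));
        if (!(cert instanceof X509Certificate)) {
            throw new CryptoException("the cert is not X509Certificate");
        }
        return (X509Certificate) cert;
    }

    /**
     * Stores a copy of the PEM private key and parses it. On failure no state is changed.
     *
     * @param bArr PEM-encoded PKCS#8 private key
     * @throws CryptoException if the key cannot be parsed
     * @throws NullPointerException if {@code bArr} is {@code null}
     */
    @Override // com.huawei.wienerchain.security.Crypto
    public void loadPrivateKey(byte[] bArr) throws CryptoException {
        Objects.requireNonNull(bArr, "private key");
        // Private copy so later mutation of the caller's array cannot alter the stored key.
        byte[] copy = bArr.clone();
        PrivateKey parsed;
        try {
            parsed = parsePrivateKey(copy);
        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new CryptoException("load private key error", e);
        }
        this.priKey = copy;
        this.privateKey = parsed;
    }

    /**
     * Decodes a PEM-wrapped PKCS#8 private key.
     *
     * @param bArr UTF-8 PEM text
     * @throws IOException if the PEM text cannot be read
     * @throws InvalidKeySpecException if no PEM block is present or the content is not a valid PKCS#8 key
     * @throws NoSuchAlgorithmException if no provider supplies the {@value #KEY_ALGORITHM} key factory
     */
    private static PrivateKey parsePrivateKey(byte[] bArr) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] der;
        try (PemReader reader = new PemReader(new StringReader(new String(bArr, StandardCharsets.UTF_8)))) {
            PemObject pemObject = reader.readPemObject();
            if (pemObject == null) {
                // Input without any "-----BEGIN ...-----" block; report it instead of dereferencing null.
                throw new InvalidKeySpecException("no PEM block found in private key");
            }
            der = pemObject.getContent();
        }
        return KeyFactory.getInstance(KEY_ALGORITHM).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Stores a copy of the encoded certificate. Despite the name, this class keeps the certificate bytes,
     * not a parsed public key; they are decoded on demand by {@link #getCommonName()} and {@link #getOrg()}.
     *
     * @param bArr encoded certificate
     * @throws NullPointerException if {@code bArr} is {@code null}
     */
    @Override // com.huawei.wienerchain.security.Crypto
    public void loadPublicKey(byte[] bArr) {
        Objects.requireNonNull(bArr, "certificate");
        this.certBytes = bArr.clone();
    }

    /**
     * @return a copy of the certificate bytes given to {@link #loadPublicKey(byte[])}, or {@code null} if none
     */
    @Override // com.huawei.wienerchain.security.Crypto
    public byte[] getCertificate() {
        return this.certBytes == null ? null : this.certBytes.clone();
    }

    /**
     * Supplies the factory used to decode the stored certificate when reading subject attributes.
     *
     * @throws CryptoException if the factory cannot be created
     */
    public abstract CertificateFactory getCertificateFactory() throws CryptoException;

    private void setCertificateFactory(CertificateFactory certificateFactory) {
        this.certificateFactory = certificateFactory;
    }

    /**
     * @return the subject CN of the stored certificate, or {@code ""} if the subject has no CN
     * @throws CryptoException if the certificate is not loaded or cannot be decoded
     */
    @Override // com.huawei.wienerchain.security.Crypto
    public String getCommonName() throws CryptoException {
        return subjectAttribute("CN");
    }

    /**
     * @return the subject O of the stored certificate, or {@code ""} if the subject has no O
     * @throws CryptoException if the certificate is not loaded or cannot be decoded
     */
    @Override // com.huawei.wienerchain.security.Crypto
    public String getOrg() throws CryptoException {
        return subjectAttribute("O");
    }

    /**
     * Returns the value of the first RDN of the given type in the subject DN, or {@code ""} if absent.
     * RDNs are visited in the order {@link LdapName#getRdns()} returns them.
     */
    private String subjectAttribute(String type) throws CryptoException {
        for (Rdn rdn : getLdapName().getRdns()) {
            if (type.equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return "";
    }

    /** @return the parsed private key, or {@code null} if {@link #loadPrivateKey(byte[])} has not succeeded */
    public PrivateKey getPrivateKey() {
        return this.privateKey;
    }

    /** @return a copy of the PEM private key bytes, or {@code null} if none was loaded */
    public byte[] getPemPriKey() {
        return this.priKey == null ? null : this.priKey.clone();
    }

    /**
     * Decodes the stored certificate and returns its subject DN as an {@link LdapName}.
     *
     * @throws CryptoException if no certificate or factory is loaded, the certificate is not X.509, or the DN
     *         cannot be decoded or parsed
     */
    private LdapName getLdapName() throws CryptoException {
        if (this.certificateFactory == null || this.certBytes == null) {
            throw new CryptoException("certificate not loaded");
        }
        try {
            X509Certificate cert = toX509Certificate(this.certificateFactory, this.certBytes);
            // X500Principal.getName() yields RFC 2253 text, which LdapName parses; getSubjectDN() is deprecated
            // and its string form is provider-specific.
            return new LdapName(cert.getSubjectX500Principal().getName());
        } catch (CertificateException | InvalidNameException e) {
            throw new CryptoException("get Ldap name exception", e);
        }
    }

    static {
        // NOTE(review): JVM-wide provider change — SunEC is removed for every user of this JVM and Bouncy Castle
        // is appended; presumably so that EC operations resolve to BC. Confirm nothing else in the process
        // depends on SunEC.
        Security.removeProvider(SUN_EC_NAME);
        Security.addProvider(new BouncyCastleProvider());
    }
}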
