package kd.bos.openapi.base.security.sign.impl;

import com.alibaba.fastjson.JSON;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.Map;
import kd.bos.context.RequestContext;
import kd.bos.encrypt.EncrypterFactory;
import kd.bos.encrypt.impl.RSAEncrypterUtil;
import kd.bos.logging.Log;
import kd.bos.logging.LogFactory;
import kd.bos.openapi.base.security.api.impl.ApiSecurityFactory;
import kd.bos.openapi.base.security.sign.SignService;
import kd.bos.openapi.base.statdata.ApiStatType;
import kd.bos.openapi.base.util.JWTUtils;
import kd.bos.openapi.base.util.ShaSignUtils;
import kd.bos.openapi.base.util.ThirdAppSecurityUtil;
import kd.bos.openapi.common.constant.ApiErrorCode;
import kd.bos.openapi.common.exception.OpenApiException;
import kd.bos.openapi.common.util.StringUtil;
import kd.bos.openapi.security.CertKeyUtil;
import kd.bos.openapi.security.model.CertificateInfo;
import kd.bos.openapi.security.model.Open3rdappsDto;
import kd.bos.openapi.security.model.SignInfoDto;
import kd.bos.service.authorize.model.JwtInfo;
import kd.bos.service.authorize.model.SignInfo;
import kd.bos.session.RSAUtils;
import kd.bos.session.SystemPropertyUtils;

/* loaded from: input_file:kd/bos/openapi/base/security/sign/impl/SignServiceImpl.class */
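/**
 * Signing / verification service for third-party OpenAPI apps.
 *
 * <p>Two families of operations live here: request-digest signing and verification
 * (HMAC-SHA256 keyed with the app's digest key, or RSA encrypt/decrypt with a supplied
 * key) and JWT issuing/verification keyed either with the app's shared JWT key or with
 * the app's RSA certificate key pair. Key material is read from {@link Open3rdappsDto}
 * and is decoded with the platform encrypter when it is stored in encrypted form.
 *
 * <p>Changes relative to the decompiled original: digest comparison is constant-time,
 * key material (HMAC secrets, RSA private keys) is no longer written to the security
 * log, wrapped exceptions keep their cause, and the null checks that the original
 * performed after dereferencing the DTO are done before.
 */
public class SignServiceImpl implements SignService {
    private static final Log log = LogFactory.getLog(SignServiceImpl.class);
    /** System property (looked up per tenant) overriding the app-token lifetime, in seconds. */
    private static final String APP_TOKEN_TIMEOUT_KEY = "apptoken.timeout";
    /** App-token lifetime in seconds when the property is not configured. */
    private static final int DEFAULT_TIMEOUT = 7200;
    /** digestSignType / jwtSignType value meaning HMAC-SHA256 with the app's shared key. */
    private static final int SIGN_TYPE_HMAC_SHA256 = 1;
    /** jwtSignType value meaning RSA with the app's certificate key pair. */
    private static final int SIGN_TYPE_RSA = 2;
    /** Certificate-map key of the key pair used for JWT signing (values as in the original). */
    private static final String JWT_CERT_TYPE = "3";
    private static final String JWT_CERT_INDEX = "0";

    /**
     * Computes the HMAC-SHA256 of {@code str} keyed with {@code str2}, as produced by
     * {@code ShaSignUtils.HMACSHA256StrByKey}.
     *
     * @param str  the text to sign
     * @param str2 the shared secret
     * @return the signature string
     * @throws OpenApiException (Data_Invalid) wrapping any failure of the underlying HMAC
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String signBySha256(String str, String str2) {
        try {
            return ShaSignUtils.HMACSHA256StrByKey(str, str2);
        } catch (Exception e) {
            log.error("SignServiceImpl.signBySha256 error:", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.signBySha256 error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * "Signs" {@code str} by RSA-encrypting it with {@code publicKey}
     * ({@code RSAEncrypterUtil.encrypt}). The counterpart is
     * {@link #unSignByPrivateKey(String, PrivateKey)}.
     *
     * @return the encrypted text, or {@code ""} when {@code str} is empty
     * @throws OpenApiException when the key is null or encryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String signByPublicKey(String str, PublicKey publicKey) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (publicKey == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPublicKey not support publicKey is null", new Object[0]);
        }
        try {
            return RSAEncrypterUtil.encrypt(str, publicKey);
        } catch (Exception e) {
            log.error("SignServiceImpl.signByPublicKey error:", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPublicKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Base64-keyed variant of {@link #signByPublicKey(String, PublicKey)}: parses
     * {@code str2} with {@code RSAEncrypterUtil.getPublicKey} and delegates.
     *
     * @throws OpenApiException when {@code str2} is empty, unparsable, or encryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String signByPublicKey(String str, String str2) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (StringUtil.isEmpty(str2)) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPublicKey not support publicKeyBase64 is null", new Object[0]);
        }
        try {
            return signByPublicKey(str, RSAEncrypterUtil.getPublicKey(str2));
        } catch (Exception e) {
            log.error("SignServiceImpl.signByPublicKey error", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPublicKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * "Signs" {@code str} by RSA-encrypting it with {@code privateKey}
     * ({@code RSAEncrypterUtil.encrypt}). The counterpart is
     * {@link #unSignByPublicKey(String, PublicKey)}.
     *
     * @return the encrypted text, or {@code ""} when {@code str} is empty
     * @throws OpenApiException when the key is null or encryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String signByPrivateKey(String str, PrivateKey privateKey) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (privateKey == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPrivateKey not support privateKey is null", new Object[0]);
        }
        try {
            return RSAEncrypterUtil.encrypt(str, privateKey);
        } catch (Exception e) {
            log.error("SignServiceImpl.signByPrivateKey error:", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPrivateKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Base64-keyed variant of {@link #signByPrivateKey(String, PrivateKey)}: parses
     * {@code str2} with {@code RSAEncrypterUtil.getPrivateKey} and delegates.
     *
     * @throws OpenApiException when {@code str2} is empty, unparsable, or encryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String signByPrivateKey(String str, String str2) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (StringUtil.isEmpty(str2)) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPrivateKey not support privateKeyBase64 is null", new Object[0]);
        }
        try {
            return signByPrivateKey(str, RSAEncrypterUtil.getPrivateKey(str2));
        } catch (Exception e) {
            log.error("SignServiceImpl.signByPrivateKey error", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.signByPrivateKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Reverses {@link #signByPrivateKey(String, PrivateKey)}: RSA-decrypts {@code str}
     * with {@code publicKey} ({@code RSAEncrypterUtil.decrypt}).
     *
     * @return the decrypted text, or {@code ""} when {@code str} is empty
     * @throws OpenApiException when the key is null or decryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String unSignByPublicKey(String str, PublicKey publicKey) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (publicKey == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPublicKey not support publicKey is null", new Object[0]);
        }
        try {
            return RSAEncrypterUtil.decrypt(str, publicKey);
        } catch (Exception e) {
            log.error("SignServiceImpl.unSignByPublicKey error", e);
            // Include the cause's message like every sibling method does (the original dropped it here).
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPublicKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Base64-keyed variant of {@link #unSignByPublicKey(String, PublicKey)}.
     *
     * @throws OpenApiException when {@code str2} is empty, unparsable, or decryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String unSignByPublicKey(String str, String str2) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (StringUtil.isEmpty(str2)) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPublicKey not support publicKeyBase64 is null", new Object[0]);
        }
        try {
            return unSignByPublicKey(str, RSAEncrypterUtil.getPublicKey(str2));
        } catch (Exception e) {
            log.error("SignServiceImpl.unSignByPublicKey error", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPublicKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Reverses {@link #signByPublicKey(String, PublicKey)}: RSA-decrypts {@code str}
     * with {@code privateKey} ({@code RSAEncrypterUtil.decrypt}).
     *
     * @return the decrypted text, or {@code ""} when {@code str} is empty
     * @throws OpenApiException when the key is null or decryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String unSignByPrivateKey(String str, PrivateKey privateKey) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (privateKey == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPrivateKey not support privateKey is null", new Object[0]);
        }
        try {
            return RSAEncrypterUtil.decrypt(str, privateKey);
        } catch (Exception e) {
            log.error("SignServiceImpl.unSignByPrivateKey error", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPrivateKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Base64-keyed variant of {@link #unSignByPrivateKey(String, PrivateKey)}.
     *
     * @throws OpenApiException when {@code str2} is empty, unparsable, or decryption fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String unSignByPrivateKey(String str, String str2) {
        if (StringUtil.isEmpty(str)) {
            return "";
        }
        if (StringUtil.isEmpty(str2)) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPrivateKey not support privateKeyBase64 is null", new Object[0]);
        }
        try {
            return unSignByPrivateKey(str, RSAEncrypterUtil.getPrivateKey(str2));
        } catch (Exception e) {
            log.error("SignServiceImpl.unSignByPrivateKey error", e);
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "SignServiceImpl.unSignByPrivateKey error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Signs a request digest on behalf of a third-party app.
     *
     * <p>The app is resolved by {@code thirdId} when present, else by {@code thirdAppNumber};
     * the digest string is built by {@code ShaSignUtils.getSignatureString(dateTime, nonce,
     * content)} and signed with the app's digest key according to its {@code digestSignType}
     * (only HMAC-SHA256 is supported).
     *
     * @throws OpenApiException when the DTO or account id is missing, the app cannot be
     *         resolved, the digest key or sign type is absent, or the sign type is unsupported
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String signing(SignInfoDto signInfoDto) {
        if (signInfoDto == null || StringUtil.isEmpty(signInfoDto.getAccountId())) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, " signing params error", new Object[0]);
        }
        String accountId = signInfoDto.getAccountId();
        Open3rdappsDto thirdApp = new Open3rdappsDto();
        if (signInfoDto.getThirdId() != null) {
            thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndThirdId(accountId, signInfoDto.getThirdId());
        } else if (StringUtil.isNotEmpty(signInfoDto.getThirdAppNumber())) {
            thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndAppId(accountId, signInfoDto.getThirdAppNumber());
        }
        // Guard before dereferencing: the lookup helpers may return null (not verifiable here).
        if (thirdApp == null || thirdApp.getDigestSignType() == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's digestSignType is null", new Object[0]);
        }
        switch (thirdApp.getDigestSignType().intValue()) {
            case SIGN_TYPE_HMAC_SHA256: {
                String digestSignKey = thirdApp.getDigestSignKey();
                if (digestSignKey == null) {
                    throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's digest key is invalid", new Object[0]);
                }
                String digest = ShaSignUtils.getSignatureString(signInfoDto.getDateTime(), signInfoDto.getSignatureNonce(), signInfoDto.getContent()).toString();
                return signBySha256(digest, decodeIfEncrypted(digestSignKey));
            }
            default:
                throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's DigestSignType is invalid", new Object[0]);
        }
    }

    /**
     * HMAC-SHA256 signs the digest string derived from {@code signInfoDto} with the
     * caller-supplied key {@code str} (no app lookup).
     *
     * @throws OpenApiException when the HMAC fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public String signingBySha256(String str, SignInfoDto signInfoDto) {
        String digest = ShaSignUtils.getSignatureString(signInfoDto.getDateTime(), signInfoDto.getSignatureNonce(), signInfoDto.getContent()).toString();
        return signBySha256(digest, str);
    }

    /**
     * Verifies a request signature: recomputes the HMAC-SHA256 digest with the app's
     * digest key and compares it with {@code signInfo.getSignature()} in constant time.
     *
     * @return {@code true} only when the recomputed signature equals the presented one
     * @throws OpenApiException when {@code signInfo} is null, the app cannot be resolved,
     *         the digest key or sign type is absent, or the sign type is unsupported
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public boolean vertifySign(SignInfo signInfo) {
        if (signInfo == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "the signInfo is invalid", new Object[0]);
        }
        Open3rdappsDto thirdApp = new Open3rdappsDto();
        if (signInfo.getThirdId() != null) {
            thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndThirdId(signInfo.getAccountId(), signInfo.getThirdId());
        } else if (StringUtil.isNotEmpty(signInfo.getThirdAppNumber())) {
            thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndAppId(signInfo.getAccountId(), signInfo.getThirdAppNumber());
        }
        if (thirdApp == null || thirdApp.getDigestSignType() == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's digestSignType is null", new Object[0]);
        }
        switch (thirdApp.getDigestSignType().intValue()) {
            case SIGN_TYPE_HMAC_SHA256: {
                String digestSignKey = thirdApp.getDigestSignKey();
                if (digestSignKey == null) {
                    throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's digest key is invalid", new Object[0]);
                }
                String digest = ShaSignUtils.getSignatureString(signInfo.getDateTime(), signInfo.getSignatureNonce(), signInfo.getContent()).toString();
                String expected = signBySha256(digest, decodeIfEncrypted(digestSignKey));
                String presented = signInfo.getSignature();
                if (ApiSecurityFactory.isSecurityLogOpen()) {
                    // The shared secret itself is deliberately not logged.
                    log.info("------traceId:" + RequestContext.get().getTraceId() + "--signType:" + thirdApp.getDigestSignType() + " currentSignature:" + expected + " signature:" + presented);
                }
                return constantTimeEquals(expected, presented);
            }
            default:
                throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's DigestSignType is invalid", new Object[0]);
        }
    }

    /**
     * Issues a JWT for the app identified by {@code jwtInfo}'s account id and app number,
     * carrying {@code jwtInfo.getData()} as claims and expiring after the tenant's
     * configured app-token timeout.
     *
     * <p>{@code jwtSignType} 1 signs with the app's shared JWT key (HMAC); 2 signs with the
     * private key of the certificate stored under {@code CertKeyUtil.getCertKey("3", "0")}.
     *
     * @throws OpenApiException when {@code jwtInfo} is null, the app or its sign type cannot
     *         be resolved, the key material is missing, or token generation fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public <T> String generateJWTToken(JwtInfo<T> jwtInfo) {
        if (jwtInfo == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "the jwtInfo is invalid", new Object[0]);
        }
        String accountId = jwtInfo.getAccountId();
        String thirdAppNumber = jwtInfo.getThirdAppNumber();
        Object data = jwtInfo.getData();
        String tenantId = RequestContext.get().getTenantId();
        Open3rdappsDto thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndAppId(accountId, thirdAppNumber);
        if (thirdApp == null || thirdApp.getJwtSignType() == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's jwtSignType is null", new Object[0]);
        }
        if (ApiSecurityFactory.isSecurityLogOpen()) {
            log.info("--------traceId:" + RequestContext.get().getTraceId() + "jwt generate signType:" + thirdApp.getJwtSignType());
        }
        long expiredTime = getExpiredTime(tenantId);
        try {
            String token;
            switch (thirdApp.getJwtSignType().intValue()) {
                case SIGN_TYPE_HMAC_SHA256: {
                    String jwtShaKey = thirdApp.getJwtShaKey();
                    if (jwtShaKey == null) {
                        throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's jwtSha key is invalid", new Object[0]);
                    }
                    token = JWTUtils.generateJWTByMapParameters(data, decodeIfEncrypted(jwtShaKey), expiredTime);
                    if (ApiSecurityFactory.isSecurityLogOpen()) {
                        // The signing key is deliberately not logged.
                        log.info("--------traceId:" + RequestContext.get().getTraceId() + "jwt userInfo:" + JSON.toJSONString(data) + " expireTime:" + expiredTime);
                    }
                    break;
                }
                case SIGN_TYPE_RSA: {
                    CertificateInfo certificateInfo = (CertificateInfo) thirdApp.getCertMaps().get(CertKeyUtil.getCertKey(JWT_CERT_TYPE, JWT_CERT_INDEX));
                    // NOTE(review): the presence check is on the public key while the private key is
                    // what gets used below; kept as in the original — confirm whether it should test
                    // getPrivateKeyBase64() instead.
                    if (certificateInfo == null || StringUtil.isEmpty(certificateInfo.getPublicKeyBase64())) {
                        throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's RSA private key is invalid", new Object[0]);
                    }
                    String privateKeyBase64 = decodeEncryptedOnly(certificateInfo.getPrivateKeyBase64());
                    token = JWTUtils.generateRSAJWTByMapParameters(data, RSAUtils.getPrivateKeyBase64(privateKeyBase64), expiredTime);
                    if (ApiSecurityFactory.isSecurityLogOpen()) {
                        // The private key is deliberately not logged.
                        log.info("--------traceId:" + RequestContext.get().getTraceId() + "jwt userInfo:" + JSON.toJSONString(data) + " expireTime:" + expiredTime);
                    }
                    break;
                }
                default:
                    throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's jwtSignType is invalid", new Object[0]);
            }
            if (ApiSecurityFactory.isSecurityLogOpen()) {
                log.info("--------traceId:" + RequestContext.get().getTraceId() + "jwt:" + token);
            }
            return token;
        } catch (Exception e) {
            log.error("generateJWTToken error:" + e.getMessage(), e);
            // Keep the cause attached; the original constructed the wrapper without it.
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "generateJWTToken error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Verifies {@code jwtInfo.getJwt()} for the app identified by {@code jwtInfo} and returns
     * its claims.
     *
     * <p>{@code jwtSignType} 1 verifies with the app's shared JWT key; 2 verifies with the
     * public key of the certificate stored under {@code CertKeyUtil.getCertKey("3", "0")}.
     *
     * @return the claim map, cast to {@code T} exactly as the original did (unchecked)
     * @throws OpenApiException when {@code jwtInfo} is null, the app or its sign type cannot
     *         be resolved, the key material is missing, or verification fails
     */
    @Override // kd.bos.openapi.base.security.sign.SignService
    public <T> T versifyJWTToken(JwtInfo<T> jwtInfo) {
        if (jwtInfo == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "the jwtInfo is invalid", new Object[0]);
        }
        String accountId = jwtInfo.getAccountId();
        String thirdAppNumber = jwtInfo.getThirdAppNumber();
        String jwt = jwtInfo.getJwt();
        Open3rdappsDto thirdApp = ThirdAppSecurityUtil.getThirdByAccountAndAppId(accountId, thirdAppNumber);
        if (thirdApp == null || thirdApp.getJwtSignType() == null) {
            throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's jwtSignType is null", new Object[0]);
        }
        if (ApiSecurityFactory.isSecurityLogOpen()) {
            log.info("--------traceId:" + RequestContext.get().getTraceId() + " jwt signType:" + thirdApp.getJwtSignType());
        }
        try {
            Map<String, String> claims;
            switch (thirdApp.getJwtSignType().intValue()) {
                case SIGN_TYPE_HMAC_SHA256: {
                    String jwtShaKey = thirdApp.getJwtShaKey();
                    if (jwtShaKey == null) {
                        throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's jwtSha key is invalid", new Object[0]);
                    }
                    claims = JWTUtils.getJWTClaimsByKey(decodeIfEncrypted(jwtShaKey), jwt);
                    if (ApiSecurityFactory.isSecurityLogOpen()) {
                        // The verification key is deliberately not logged.
                        log.info("--------traceId:" + RequestContext.get().getTraceId() + "jwt:" + jwt);
                    }
                    break;
                }
                case SIGN_TYPE_RSA: {
                    CertificateInfo certificateInfo = (CertificateInfo) thirdApp.getCertMaps().get(CertKeyUtil.getCertKey(JWT_CERT_TYPE, JWT_CERT_INDEX));
                    if (certificateInfo == null || StringUtil.isEmpty(certificateInfo.getPublicKeyBase64())) {
                        throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's RSA public key is invalid", new Object[0]);
                    }
                    String publicKeyBase64 = decodeEncryptedOnly(certificateInfo.getPublicKeyBase64());
                    claims = JWTUtils.getJWTClaimsByPublicKey(RSAUtils.getPublicKeyBase64(publicKeyBase64), jwt);
                    if (ApiSecurityFactory.isSecurityLogOpen()) {
                        log.info("--------traceId:" + RequestContext.get().getTraceId() + "jwt:" + jwt + "jwt publicKeyDecode:" + publicKeyBase64);
                    }
                    break;
                }
                default:
                    throw new OpenApiException(ApiErrorCode.Data_Invalid, "the thirdApp's jwtSignType is invalid", new Object[0]);
            }
            if (ApiSecurityFactory.isSecurityLogOpen()) {
                log.info("--------traceId:" + RequestContext.get().getTraceId() + "jwt result:" + JSON.toJSONString(claims));
            }
            @SuppressWarnings("unchecked") // interface returns T; the original performed the same cast
            T result = (T) claims;
            return result;
        } catch (Exception e) {
            log.error("versifyJWTToken error:" + e.getMessage(), e);
            // Keep the cause attached; the original constructed the wrapper without it.
            throw new OpenApiException(e, ApiErrorCode.Data_Invalid, "versifyJWTToken error:" + e.getMessage(), new Object[0]);
        }
    }

    /**
     * Returns the plaintext of a stored key: decoded with the platform encrypter when it is
     * stored in encrypted form, otherwise returned unchanged.
     */
    private static String decodeIfEncrypted(String storedKey) {
        return EncrypterFactory.getEncrypter().isEncrypted(storedKey)
                ? EncrypterFactory.getEncrypter().decode(storedKey)
                : storedKey;
    }

    /**
     * Variant used for certificate keys, preserving the original behavior: decoded when stored
     * in encrypted form, otherwise {@code ""}.
     *
     * <p>NOTE(review): a certificate key stored in plaintext therefore yields an empty key and
     * presumably fails downstream in {@code RSAUtils}; confirm that this is intended rather
     * than falling back to the plaintext value.
     */
    private static String decodeEncryptedOnly(String storedKey) {
        return EncrypterFactory.getEncrypter().isEncrypted(storedKey)
                ? EncrypterFactory.getEncrypter().decode(storedKey)
                : "";
    }

    /**
     * Compares two signature strings without an early exit on the first differing byte, so
     * the comparison time does not leak how much of the presented value is correct.
     *
     * @return {@code false} when either value is null, else byte-wise equality of the UTF-8 forms
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads the app-token lifetime (seconds) for tenant {@code str} from the
     * {@code apptoken.timeout} property, falling back to {@link #DEFAULT_TIMEOUT}.
     */
    static int getTokenTimeout(String str) {
        return SystemPropertyUtils.getInteger(str, APP_TOKEN_TIMEOUT_KEY, Integer.valueOf(DEFAULT_TIMEOUT)).intValue();
    }

    /**
     * Computes the JWT expiry as epoch milliseconds: now plus the tenant's token timeout.
     *
     * <p>NOTE(review): the wall-clock {@code LocalDateTime.now()} is taken in the JVM default
     * zone but converted to an instant as if it were UTC+8, so the result is only correct on a
     * JVM whose default zone is +8. {@code Instant.now().plusSeconds(...)} would be
     * zone-independent; kept as-is because {@code JWTUtils}' handling of the value is not
     * visible here.
     */
    private long getExpiredTime(String str) {
        return LocalDateTime.now().plusSeconds(getTokenTimeout(str)).toInstant(ZoneOffset.of("+8")).toEpochMilli();
    }
}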
