package com.alipay.oasis.client.challenger.step;

import com.alibaba.fastjson.JSONObject;
import com.alipay.oasis.client.challenger.crypto.CryptoUtil;
import com.alipay.oasis.client.challenger.crypto.key.CryptoData;
import com.alipay.oasis.client.challenger.crypto.key.Rsa2048PublicKey;
import com.alipay.oasis.client.challenger.crypto.key.Rsa2048Signature;
import com.alipay.oasis.client.challenger.exception.AssertException;
import com.alipay.oasis.client.challenger.exception.CertificateVerificationException;
import com.alipay.oasis.client.challenger.exception.OasisServiceException;
import com.alipay.oasis.client.challenger.exception.UnexpectException;
import com.alipay.oasis.client.challenger.loader.TrustedEnclaveLoaderInterface;
import com.alipay.oasis.client.challenger.parser.IsvEnclaveQuoteBodyParser;
import com.alipay.oasis.client.challenger.step.header.ReqHeader;
import com.alipay.oasis.client.challenger.step.header.ResponseHeader;
import com.alipay.oasis.client.challenger.util.Assert;
import com.alipay.oasis.client.challenger.util.CertUtil;
import com.alipay.oasis.client.challenger.util.CertVerifier;
import com.alipay.oasis.client.challenger.util.PbJson;
import com.alipay.oasis.common.service.facade.gateway.GatewayTrService;
import com.alipay.oasis.proto.Common;
import com.alipay.oasis.proto.gateway.Gateway;
import com.alipay.oasis.proto.serviceprovider.ServiceProvider;
import com.google.protobuf.ByteString;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.cert.X509CertificateHolder;

/* loaded from: input_file:com/alipay/oasis/client/challenger/step/RaGetAndVerifyIasEnclaveReport.class */
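/**
 * Remote-attestation step: fetches enclave quotes together with their IAS
 * (Intel Attestation Service) verification reports from the gateway and
 * verifies each report against a pinned report-signing root, the nonce that
 * was sent, the expected DEBUG attribute and, optionally, an MRENCLAVE
 * allow-list supplied by a {@link TrustedEnclaveLoaderInterface}.
 *
 * <p>All methods are static; the class holds no mutable state.
 */
public class RaGetAndVerifyIasEnclaveReport {
    private static final Log LOGGER = LogFactory.getLog(RaGetAndVerifyIasEnclaveReport.class);

    /** Bit of the SGX report-body attribute flags that marks a DEBUG enclave. */
    private static final long SGX_FLAGS_DEBUG = 2;

    /**
     * Pinned PEM trust anchor for the IAS report-signing chain, used when the caller supplies
     * no root of its own. Its subject decodes to "Intel SGX Attestation Report Signing CA".
     */
    private static final String ROOT_CERTIFICATE = "-----BEGIN CERTIFICATE-----\nMIIFSzCCA7OgAwIBAgIJANEHdl0yo7CUMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV\nBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNV\nBAoMEUludGVsIENvcnBvcmF0aW9uMTAwLgYDVQQDDCdJbnRlbCBTR1ggQXR0ZXN0\nYXRpb24gUmVwb3J0IFNpZ25pbmcgQ0EwIBcNMTYxMTE0MTUzNzMxWhgPMjA0OTEy\nMzEyMzU5NTlaMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwL\nU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0aW9uMTAwLgYDVQQD\nDCdJbnRlbCBTR1ggQXR0ZXN0YXRpb24gUmVwb3J0IFNpZ25pbmcgQ0EwggGiMA0G\nCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCfPGR+tXc8u1EtJzLA10Feu1Wg+p7e\nLmSRmeaCHbkQ1TF3Nwl3RmpqXkeGzNLd69QUnWovYyVSndEMyYc3sHecGgfinEeh\nrgBJSEdsSJ9FpaFdesjsxqzGRa20PYdnnfWcCTvFoulpbFR4VBuXnnVLVzkUvlXT\nL/TAnd8nIZk0zZkFJ7P5LtePvykkar7LcSQO85wtcQe0R1Raf/sQ6wYKaKmFgCGe\nNpEJUmg4ktal4qgIAxk+QHUxQE42sxViN5mqglB0QJdUot/o9a/V/mMeH8KvOAiQ\nbyinkNndn+Bgk5sSV5DFgF0DffVqmVMblt5p3jPtImzBIH0QQrXJq39AT8cRwP5H\nafuVeLHcDsRp6hol4P+ZFIhu8mmbI1u0hH3W/0C2BuYXB5PC+5izFFh/nP0lc2Lf\n6rELO9LZdnOhpL1ExFOq9H/B8tPQ84T3Sgb4nAifDabNt/zu6MmCGo5U8lwEFtGM\nRoOaX4AS+909x00lYnmtwsDVWv9vBiJCXRsCAwEAAaOByTCBxjBgBgNVHR8EWTBX\nMFWgU6BRhk9odHRwOi8vdHJ1c3RlZHNlcnZpY2VzLmludGVsLmNvbS9jb250ZW50\nL0NSTC9TR1gvQXR0ZXN0YXRpb25SZXBvcnRTaWduaW5nQ0EuY3JsMB0GA1UdDgQW\nBBR4Q3t2pn680K9+QjfrNXw7hwFRPDAfBgNVHSMEGDAWgBR4Q3t2pn680K9+Qjfr\nNXw7hwFRPDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkq\nhkiG9w0BAQsFAAOCAYEAeF8tYMXICvQqeXYQITkV2oLJsp6J4JAqJabHWxYJHGir\nIEqucRiJSSx+HjIJEUVaj8E0QjEud6Y5lNmXlcjqRXaCPOqK0eGRz6hi+ripMtPZ\nsFNaBwLQVV905SDjAzDzNIDnrcnXyB4gcDFCvwDFKKgLRjOB/WAqgscDUoGq5ZVi\nzLUzTqiQPmULAQaB9c6Oti6snEFJiCQ67JLyW/E83/frzCmO5Ru6WjU4tmsmy8Ra\nUd4APK0wZTGtfPXU7w+IBdG5Ez0kE1qzxGQaL4gINJ1zMyleDnbuS8UicjJijvqA\n152Sq049ESDz+1rRGc2NVEqh1KaGXmtXvqxXcTB+Ljy5Bw2ke0v8iGngFBPqCTVB\n3op5KBG3RjbF6RRSzwzuWfL7QErNC8WEy5yDVARzTA5+xmBc388v9Dm21HGfcC8O\nDD+gT9sSpssq0ascmvH49MOgjt1yoysLtdCtJW/9FZpoOypaHx0R+mJTLwPXVMrv\nDaVzWh5aiEx+idkSGMnX\n-----END CERTIFICATE-----";

    /**
     * Requests enclave quotes and their IAS reports for a topic from the gateway.
     *
     * @param gatewayTrService gateway client used to issue the request
     * @param requestHeader request header; a default one is built when {@code null}
     * @param str topic id; must be non-empty
     * @param list cluster ids to restrict the query to; may be {@code null}
     * @param str2 nonce the IAS report is expected to echo back; must be non-empty
     * @param z whether the gateway should use the develop certificate
     * @return the quote/report pairs returned by the gateway
     * @throws OasisServiceException if the response header reports a failure
     * @throws UnexpectException if the gateway returns no response at all
     */
    public static List<Gateway.GatewayGetIasEnclaveReportResponse.EnclaveQuoteAndReport> getEnclaveQuoteAndReports(GatewayTrService gatewayTrService, Common.RequestHeader requestHeader, String str, List<String> list, String str2, boolean z) throws OasisServiceException {
        Gateway.GatewayGetIasEnclaveReportRequest request = buildRequest(requestHeader, str, list, str2, z);
        Gateway.GatewayGetIasEnclaveReportResponse response = gatewayTrService.getIasEnclaveReport(request);
        if (response == null) {
            throw new UnexpectException("getIasEnclaveReport return null response");
        }
        // Reject an error header before handing the payload to the caller.
        ResponseHeader.validate(response.getHeader(), "getEnclaveReport failed.");
        return response.getEnclaveQuoteAndReportsList();
    }

    /**
     * Assembles the gateway request; topic id and nonce are required, cluster ids are optional.
     *
     * @param header request header, or {@code null} to build a default one
     * @param topicId topic id; asserted non-empty
     * @param clusterIds cluster ids; skipped when {@code null}
     * @param nonce challenge nonce; asserted non-empty
     * @param useDevelopCertificate forwarded to the request as-is
     * @return the built request
     */
    private static Gateway.GatewayGetIasEnclaveReportRequest buildRequest(Common.RequestHeader header, String topicId, List<String> clusterIds, String nonce, boolean useDevelopCertificate) {
        Gateway.GatewayGetIasEnclaveReportRequest.Builder builder = Gateway.GatewayGetIasEnclaveReportRequest.newBuilder();
        builder.setHeader(header == null ? ReqHeader.buildRequestHeader() : header);
        Assert.notEmpty(topicId);
        builder.setTopicId(topicId);
        if (clusterIds != null) {
            builder.addAllClusterIds(clusterIds);
        }
        Assert.notEmpty(nonce);
        builder.setNonce(nonce);
        builder.setUseDevelopCertificate(useDevelopCertificate);
        return builder.build();
    }

    /**
     * Verifies a quote/report pair against the pinned Intel root, without an MRENCLAVE check.
     *
     * @param enclaveQuoteAndReport the pair to verify
     * @param str nonce that was sent in the request
     * @param z expected value of the enclave DEBUG attribute
     * @return {@code true} if every check passed, {@code false} otherwise
     */
    public static boolean verifyEnclaveQuoteAndReport(Gateway.GatewayGetIasEnclaveReportResponse.EnclaveQuoteAndReport enclaveQuoteAndReport, String str, boolean z) {
        return verifyEnclaveQuoteAndReport(enclaveQuoteAndReport, str, z, null, null, ROOT_CERTIFICATE);
    }

    /**
     * Verifies a quote/report pair against the pinned Intel root, with an optional MRENCLAVE check.
     *
     * @param enclaveQuoteAndReport the pair to verify
     * @param str nonce that was sent in the request
     * @param z expected value of the enclave DEBUG attribute
     * @param str2 selector handed to the loader's allow-list lookup; {@code null} disables that check
     * @param trustedEnclaveLoaderInterface MRENCLAVE allow-list; {@code null} disables that check
     * @return {@code true} if every check passed, {@code false} otherwise
     */
    public static boolean verifyEnclaveQuoteAndReport(Gateway.GatewayGetIasEnclaveReportResponse.EnclaveQuoteAndReport enclaveQuoteAndReport, String str, boolean z, String str2, TrustedEnclaveLoaderInterface trustedEnclaveLoaderInterface) {
        return verifyEnclaveQuoteAndReport(enclaveQuoteAndReport, str, z, str2, trustedEnclaveLoaderInterface, ROOT_CERTIFICATE);
    }

    /**
     * Verifies a quote/report pair: report-signing chain against {@code str3}, report signature,
     * nonce, DEBUG attribute and (only when both {@code str2} and the loader are non-null) the
     * MRENCLAVE allow-list. Any exception raised by a check is logged at WARN and turned into
     * {@code false}, so the method fails closed but exposes no failure detail to the caller.
     *
     * @param enclaveQuoteAndReport the pair to verify
     * @param str nonce that was sent in the request
     * @param z expected value of the enclave DEBUG attribute; passing {@code true} accepts debug
     *     enclaves, which offer no confidentiality
     * @param str2 selector handed to the loader's allow-list lookup; {@code null} skips that check
     * @param trustedEnclaveLoaderInterface MRENCLAVE allow-list; {@code null} skips that check
     * @param str3 PEM root certificate used as the trust anchor for the report-signing chain
     * @return {@code true} if every check passed, {@code false} otherwise
     */
    public static boolean verifyEnclaveQuoteAndReport(Gateway.GatewayGetIasEnclaveReportResponse.EnclaveQuoteAndReport enclaveQuoteAndReport, String str, boolean z, String str2, TrustedEnclaveLoaderInterface trustedEnclaveLoaderInterface, String str3) {
        try {
            Gateway.GatewayGetIasEnclaveReportResponse.EnclaveQuoteAndReport.AttestationVerificationReport report = enclaveQuoteAndReport.getReport();
            // Decode the PEM chain once, as UTF-8, so the result does not depend on the platform charset.
            String signingChainPem = report.getXIasreportSigningCertificate().toStringUtf8();
            // 1. The signing chain must anchor to the supplied root.
            verifyCertChain(signingChainPem, str3);
            // 2. The report body must be signed by the leaf of that chain.
            verifyCertSignature(signingChainPem, report.getXIasreportSignature(), report.getReport());
            // The JSON body is only parsed after its signature has been checked.
            ServiceProvider.IasReport iasReport = (ServiceProvider.IasReport) PbJson.json2pb((JSONObject) JSONObject.parse(report.getReport()), ServiceProvider.IasReport.class);
            // 3. Replay protection: the report must echo our nonce.
            verifyReportNonce(iasReport.getNonce(), str);
            ServiceProvider.IsvEnclaveQuoteBody quoteBody = IsvEnclaveQuoteBodyParser.parse(Base64.getDecoder().decode(iasReport.getIsvEnclaveQuoteBody()));
            // 4. DEBUG attribute must match what the caller expects.
            verifyEnclaveRelease(quoteBody, z);
            // 5. Optional identity check: MRENCLAVE must be on the loader's allow-list.
            if (str2 != null && trustedEnclaveLoaderInterface != null) {
                verifyEnclaveVersion(quoteBody, str2, trustedEnclaveLoaderInterface);
            }
            // NOTE(review): the IAS quote status and report timestamp are not examined in this
            // method -- confirm that the caller enforces them.
            return true;
        } catch (Exception e) {
            LOGGER.warn("verify enclaveQuoteAndReport Fail", e);
            return false;
        }
    }

    /**
     * Validates the report-signing chain against {@code rootPem}. A self-signed certificate at
     * the end of the delivered chain is discarded so that the trust anchor is always ours.
     *
     * @param chainPem PEM-encoded chain as delivered with the report, leaf first
     * @param rootPem PEM-encoded trust anchor
     */
    private static void verifyCertChain(String chainPem, String rootPem) throws UnexpectException, UnsupportedEncodingException, AssertException, CertificateVerificationException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException {
        try {
            List<X509Certificate> chain = CertUtil.stringToX509CertChain(chainPem);
            if (chain.isEmpty()) {
                throw new CertificateVerificationException("RaFetchVerificationReport.verifyCertChain certs is empty");
            }
            // Never trust a root shipped by the peer; replace it with the pinned/supplied one.
            int lastIndex = chain.size() - 1;
            if (CertVerifier.isSelfSigned(chain.get(lastIndex))) {
                chain.remove(lastIndex);
            }
            chain.add(CertUtil.stringToX509Cert(rootPem));
            // Second argument's meaning is defined by CertVerifier; not visible here.
            CertVerifier.verifyCertChain(chain, false);
        } catch (Exception e) {
            LOGGER.warn("RaFetchVerificationReport.verifyCertChain failed", e);
            throw e;
        }
    }

    /**
     * Checks the RSA signature over the raw report body using the public key of the first
     * certificate in the chain. The chain is required to contain exactly two certificates.
     *
     * @param chainPem PEM-encoded chain, leaf first
     * @param signature raw signature bytes from the report
     * @param reportBody the signed report text
     */
    private static void verifyCertSignature(String chainPem, ByteString signature, String reportBody) {
        List<X509CertificateHolder> holders = CertUtil.loadX509CertChainHolder(chainPem);
        Assert.isTrue(holders.size() == 2, "Cert Chain Size is Not 2");
        Rsa2048PublicKey signerKey = new Rsa2048PublicKey(CertUtil.getCertPublicKey(holders.get(0)));
        Rsa2048Signature rsaSignature = new Rsa2048Signature();
        rsaSignature.setSignature(signature.toByteArray());
        CryptoData signedData = new CryptoData();
        signedData.setData(reportBody);
        CryptoUtil.rsaVerify(signerKey, signedData, rsaSignature);
    }

    /**
     * Asserts that the nonce echoed in the report equals the nonce that was sent.
     * A missing nonce fails the assertion instead of raising a NullPointerException.
     *
     * @param actualNonce nonce found in the IAS report
     * @param expectedNonce nonce sent with the request
     */
    private static void verifyReportNonce(String actualNonce, String expectedNonce) {
        Assert.isTrue(actualNonce != null && actualNonce.equals(expectedNonce), "RealNonce Not Equal to ExpectedNonce");
    }

    /**
     * Asserts that the enclave's DEBUG attribute matches the caller's expectation.
     *
     * @param quoteBody parsed quote body
     * @param expectDebug {@code true} if a debug enclave is expected
     */
    private static void verifyEnclaveRelease(ServiceProvider.IsvEnclaveQuoteBody quoteBody, boolean expectDebug) {
        long flags = quoteBody.getReportBody().getAttributes().getFlags();
        boolean isDebug = (flags & SGX_FLAGS_DEBUG) != 0L;
        Assert.isTrue(isDebug == expectDebug, "Expected Enclave Debug Not Equal Real Debug Enclave Flag");
    }

    /**
     * Asserts that the enclave's MRENCLAVE is on the loader's allow-list for {@code selector}.
     *
     * @param quoteBody parsed quote body
     * @param selector value handed to the loader along with the measurement
     * @param trustedEnclaveLoaderInterface allow-list lookup
     */
    private static void verifyEnclaveVersion(ServiceProvider.IsvEnclaveQuoteBody quoteBody, String selector, TrustedEnclaveLoaderInterface trustedEnclaveLoaderInterface) {
        byte[] mrEnclave = quoteBody.getReportBody().getMrEnclave().getM().toByteArray();
        Assert.isTrue(trustedEnclaveLoaderInterface.containTrustedEnclave(selector, mrEnclave), "Current Enclave Does Not Trusted: " + Base64.getEncoder().encodeToString(mrEnclave));
    }
}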
