package io.mosip.kernel.signature.service.impl;

import io.mosip.kernel.core.crypto.spi.CryptoCoreSpec;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.pdfgenerator.model.Rectangle;
import io.mosip.kernel.core.pdfgenerator.spi.PDFGenerator;
import io.mosip.kernel.core.signatureutil.model.SignatureResponse;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.core.util.JsonUtils;
import io.mosip.kernel.core.util.exception.JsonMappingException;
import io.mosip.kernel.core.util.exception.JsonParseException;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerErrorConstant;
import io.mosip.kernel.keymanagerservice.dto.SignatureCertificate;
import io.mosip.kernel.keymanagerservice.exception.KeymanagerServiceException;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.service.KeymanagerService;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import io.mosip.kernel.partnercertservice.dto.CertificateTrustRequestDto;
import io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService;
import io.mosip.kernel.signature.constant.SignatureConstant;
import io.mosip.kernel.signature.constant.SignatureErrorCode;
import io.mosip.kernel.signature.dto.JWTSignatureRequestDto;
import io.mosip.kernel.signature.dto.JWTSignatureResponseDto;
import io.mosip.kernel.signature.dto.JWTSignatureVerifyRequestDto;
import io.mosip.kernel.signature.dto.JWTSignatureVerifyResponseDto;
import io.mosip.kernel.signature.dto.PDFSignatureRequestDto;
import io.mosip.kernel.signature.dto.SignRequestDto;
import io.mosip.kernel.signature.dto.SignatureRequestDto;
import io.mosip.kernel.signature.dto.SignatureResponseDto;
import io.mosip.kernel.signature.dto.TimestampRequestDto;
import io.mosip.kernel.signature.dto.ValidatorResponseDto;
import io.mosip.kernel.signature.exception.PublicKeyParseException;
import io.mosip.kernel.signature.exception.RequestException;
import io.mosip.kernel.signature.exception.SignatureFailureException;
import io.mosip.kernel.signature.service.SignatureService;
import io.mosip.kernel.signature.util.SignatureUtil;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.crypto.SecretKey;
import org.apache.commons.codec.binary.Base64;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.CompactSerializer;
import org.jose4j.lang.JoseException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:io/mosip/kernel/signature/service/impl/SignatureServiceImpl.class */
public class SignatureServiceImpl implements SignatureService {
    private static final Logger LOGGER = KeymanagerLogger.getLogger(SignatureServiceImpl.class);

    @Autowired
    private KeymanagerService keymanagerService;

    @Autowired
    private CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCore;

    @Value("${mosip.kernel.keygenerator.asymmetric-algorithm-name}")
    private String asymmetricAlgorithmName;

    @Value("${mosip.sign.applicationid:KERNEL}")
    private String signApplicationid;

    @Value("${mosip.sign.refid:SIGN}")
    private String signRefid;

    @Value("${mosip.kernel.crypto.sign-algorithm-name:RS256}")
    private String signAlgorithm;

    @Autowired
    KeymanagerUtil keymanagerUtil;

    @Autowired
    private PDFGenerator pdfGenerator;

    @Autowired
    PartnerCertificateManagerService partnerCertManagerService;

    @Override // io.mosip.kernel.signature.service.SignatureService
    public SignatureResponse sign(SignRequestDto signRequestDto) {
        SignatureRequestDto signatureRequestDto = new SignatureRequestDto();
        signatureRequestDto.setApplicationId(this.signApplicationid);
        signatureRequestDto.setReferenceId(this.signRefid);
        signatureRequestDto.setData(signRequestDto.getData());
        String uTCCurrentDateTimeString = DateUtils.getUTCCurrentDateTimeString();
        signatureRequestDto.setTimeStamp(uTCCurrentDateTimeString);
        return new SignatureResponse(sign(signatureRequestDto).getData(), DateUtils.convertUTCToLocalDateTime(uTCCurrentDateTimeString));
    }

    private SignatureResponseDto sign(SignatureRequestDto signatureRequestDto) {
        SignatureCertificate signatureCertificate = this.keymanagerService.getSignatureCertificate(signatureRequestDto.getApplicationId(), Optional.of(signatureRequestDto.getReferenceId()), signatureRequestDto.getTimeStamp());
        this.keymanagerUtil.isCertificateValid(signatureCertificate.getCertificateEntry(), DateUtils.parseUTCToDate(signatureRequestDto.getTimeStamp()));
        String str = null;
        if (signatureCertificate.getCertificateEntry() != null) {
            str = (String) this.cryptoCore.sign(signatureRequestDto.getData().getBytes(), (PrivateKey) signatureCertificate.getCertificateEntry().getPrivateKey());
        }
        return new SignatureResponseDto(str);
    }

    @Override // io.mosip.kernel.signature.service.SignatureService
    public ValidatorResponseDto validate(TimestampRequestDto timestampRequestDto) {
        try {
            if (!this.cryptoCore.verifySignature(timestampRequestDto.getData().getBytes(), timestampRequestDto.getSignature(), KeyFactory.getInstance(this.asymmetricAlgorithmName).generatePublic(new X509EncodedKeySpec(CryptoUtil.decodeBase64(this.keymanagerService.getSignPublicKey(this.signApplicationid, DateUtils.formatToISOString(timestampRequestDto.getTimestamp()), Optional.of(this.signRefid)).getPublicKey()))))) {
                throw new SignatureFailureException(SignatureErrorCode.NOT_VALID.getErrorCode(), SignatureErrorCode.NOT_VALID.getErrorMessage(), null);
            }
            ValidatorResponseDto validatorResponseDto = new ValidatorResponseDto();
            validatorResponseDto.setMessage(SignatureConstant.VALIDATION_SUCCESSFUL);
            validatorResponseDto.setStatus(SignatureConstant.SUCCESS);
            return validatorResponseDto;
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new PublicKeyParseException(SignatureErrorCode.INTERNAL_SERVER_ERROR.getErrorCode(), e.getMessage(), e);
        }
    }

    @Override // io.mosip.kernel.signature.service.SignatureService
    public SignatureResponseDto signPDF(PDFSignatureRequestDto pDFSignatureRequestDto) {
        SignatureCertificate signatureCertificate = this.keymanagerService.getSignatureCertificate(pDFSignatureRequestDto.getApplicationId(), Optional.of(pDFSignatureRequestDto.getReferenceId()), pDFSignatureRequestDto.getTimeStamp());
        LOGGER.debug(KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, "Signature fetched from hsm " + signatureCertificate);
        Rectangle rectangle = new Rectangle(pDFSignatureRequestDto.getLowerLeftX(), pDFSignatureRequestDto.getLowerLeftY(), pDFSignatureRequestDto.getUpperRightX(), pDFSignatureRequestDto.getUpperRightY());
        try {
            String providerName = signatureCertificate.getProviderName();
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, " Keystore Provider Name found: " + providerName);
            Arrays.stream(Security.getProviders()).forEach(provider -> {
                LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, "provider name " + provider.getName());
                LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, "provider info " + provider.getInfo());
            });
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, KeymanagerConstant.SESSIONID, "all providers ");
            OutputStream signAndEncryptPDF = this.pdfGenerator.signAndEncryptPDF(CryptoUtil.decodeBase64(pDFSignatureRequestDto.getData()), rectangle, pDFSignatureRequestDto.getReason(), pDFSignatureRequestDto.getPageNumber(), Security.getProvider(providerName), signatureCertificate.getCertificateEntry(), pDFSignatureRequestDto.getPassword());
            SignatureResponseDto signatureResponseDto = new SignatureResponseDto();
            signatureResponseDto.setData(CryptoUtil.encodeBase64(((ByteArrayOutputStream) signAndEncryptPDF).toByteArray()));
            return signatureResponseDto;
        } catch (IOException | GeneralSecurityException e) {
            throw new KeymanagerServiceException(KeymanagerErrorConstant.INTERNAL_SERVER_ERROR.getErrorCode(), KeymanagerErrorConstant.INTERNAL_SERVER_ERROR.getErrorMessage() + " " + e.getMessage());
        }
    }

    @Override // io.mosip.kernel.signature.service.SignatureService
    public JWTSignatureResponseDto jwtSign(JWTSignatureRequestDto jWTSignatureRequestDto) {
        LOGGER.info(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "JWT Signature Request.");
        String dataToSign = jWTSignatureRequestDto.getDataToSign();
        if (!SignatureUtil.isDataValid(dataToSign)) {
            LOGGER.error(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Provided Data to sign value is invalid.");
            throw new RequestException(SignatureErrorCode.INVALID_INPUT.getErrorCode(), SignatureErrorCode.INVALID_INPUT.getErrorMessage());
        }
        String str = new String(CryptoUtil.decodeBase64(dataToSign));
        if (!SignatureUtil.isJsonValid(str)) {
            LOGGER.error(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Provided Data to sign value is invalid JSON.");
            throw new RequestException(SignatureErrorCode.INVALID_JSON.getErrorCode(), SignatureErrorCode.INVALID_JSON.getErrorMessage());
        }
        String uTCCurrentDateTimeString = DateUtils.getUTCCurrentDateTimeString();
        String applicationId = jWTSignatureRequestDto.getApplicationId();
        String referenceId = jWTSignatureRequestDto.getReferenceId();
        if (!this.keymanagerUtil.isValidApplicationId(applicationId)) {
            applicationId = this.signApplicationid;
            referenceId = this.signRefid;
        }
        boolean isIncludeAttrsValid = SignatureUtil.isIncludeAttrsValid(jWTSignatureRequestDto.getIncludePayload());
        boolean isIncludeAttrsValid2 = SignatureUtil.isIncludeAttrsValid(jWTSignatureRequestDto.getIncludeCertificate());
        boolean isIncludeAttrsValid3 = SignatureUtil.isIncludeAttrsValid(jWTSignatureRequestDto.getIncludeCertHash());
        String certificateUrl = SignatureUtil.isDataValid(jWTSignatureRequestDto.getCertificateUrl()) ? jWTSignatureRequestDto.getCertificateUrl() : null;
        SignatureCertificate signatureCertificate = this.keymanagerService.getSignatureCertificate(applicationId, Optional.of(referenceId), uTCCurrentDateTimeString);
        this.keymanagerUtil.isCertificateValid(signatureCertificate.getCertificateEntry(), DateUtils.parseUTCToDate(uTCCurrentDateTimeString));
        String sign = sign(str, signatureCertificate, isIncludeAttrsValid, isIncludeAttrsValid2, isIncludeAttrsValid3, certificateUrl);
        JWTSignatureResponseDto jWTSignatureResponseDto = new JWTSignatureResponseDto();
        jWTSignatureResponseDto.setJwtSignedData(sign);
        jWTSignatureResponseDto.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return jWTSignatureResponseDto;
    }

    private String sign(String str, SignatureCertificate signatureCertificate, boolean z, boolean z2, boolean z3, String str2) {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        PrivateKey privateKey = (PrivateKey) signatureCertificate.getCertificateEntry().getPrivateKey();
        X509Certificate x509Certificate = ((X509Certificate[]) signatureCertificate.getCertificateEntry().getChain())[0];
        if (z2) {
            jsonWebSignature.setCertificateChainHeaderValue(new X509Certificate[]{x509Certificate});
        }
        if (z3) {
            jsonWebSignature.setX509CertSha256ThumbprintHeaderValue(x509Certificate);
        }
        if (Objects.nonNull(str2)) {
            jsonWebSignature.setHeader("x5u", str2);
        }
        jsonWebSignature.setPayload(str);
        jsonWebSignature.setAlgorithmHeaderValue(this.signAlgorithm);
        jsonWebSignature.setKey(privateKey);
        jsonWebSignature.setDoKeyValidation(false);
        try {
            return z ? jsonWebSignature.getCompactSerialization() : jsonWebSignature.getDetachedContentCompactSerialization();
        } catch (JoseException e) {
            LOGGER.error(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Error occurred while Signing Data.");
            throw new SignatureFailureException(SignatureErrorCode.SIGN_ERROR.getErrorCode(), SignatureErrorCode.SIGN_ERROR.getErrorMessage(), e);
        }
    }

    @Override // io.mosip.kernel.signature.service.SignatureService
    public JWTSignatureVerifyResponseDto jwtVerify(JWTSignatureVerifyRequestDto jWTSignatureVerifyRequestDto) {
        String jwtSignatureData = jWTSignatureVerifyRequestDto.getJwtSignatureData();
        if (!SignatureUtil.isDataValid(jwtSignatureData)) {
            LOGGER.error(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Provided Signed Data value is invalid.");
            throw new RequestException(SignatureErrorCode.INVALID_INPUT.getErrorCode(), SignatureErrorCode.INVALID_INPUT.getErrorMessage());
        }
        String actualData = SignatureUtil.isDataValid(jWTSignatureVerifyRequestDto.getActualData()) ? jWTSignatureVerifyRequestDto.getActualData() : null;
        String certificateData = SignatureUtil.isDataValid(jWTSignatureVerifyRequestDto.getCertificateData()) ? jWTSignatureVerifyRequestDto.getCertificateData() : null;
        String applicationId = jWTSignatureVerifyRequestDto.getApplicationId();
        String referenceId = jWTSignatureVerifyRequestDto.getReferenceId();
        if (!this.keymanagerUtil.isValidApplicationId(applicationId)) {
            applicationId = this.signApplicationid;
            referenceId = this.signRefid;
        }
        String[] split = jwtSignatureData.split(SignatureConstant.PERIOD, -1);
        Certificate certificateExistsInHeader = certificateExistsInHeader(split[0]);
        boolean verifySignature = Objects.nonNull(certificateExistsInHeader) ? verifySignature(split, actualData, certificateExistsInHeader.getPublicKey()) : verifySignature(split, actualData, getCertificateToVerify(certificateData, applicationId, referenceId).getPublicKey());
        JWTSignatureVerifyResponseDto jWTSignatureVerifyResponseDto = new JWTSignatureVerifyResponseDto();
        jWTSignatureVerifyResponseDto.setSignatureValid(verifySignature);
        jWTSignatureVerifyResponseDto.setMessage(verifySignature ? SignatureConstant.VALIDATION_SUCCESSFUL : SignatureConstant.VALIDATION_FAILED);
        jWTSignatureVerifyResponseDto.setTrustValid(validateTrust(jWTSignatureVerifyRequestDto, certificateExistsInHeader, certificateData));
        return jWTSignatureVerifyResponseDto;
    }

    private Certificate getCertificateToVerify(String str, String str2, String str3) {
        if (str != null) {
            return this.keymanagerUtil.convertToCertificate(str);
        }
        return ((X509Certificate[]) this.keymanagerService.getSignatureCertificate(str2, Optional.of(str3), DateUtils.getUTCCurrentDateTimeString()).getCertificateEntry().getChain())[0];
    }

    private Certificate certificateExistsInHeader(String str) {
        try {
            Map jsonStringToJavaMap = JsonUtils.jsonStringToJavaMap(new String(CryptoUtil.decodeBase64(str)));
            if (!jsonStringToJavaMap.containsKey(SignatureConstant.JWT_HEADER_CERT_KEY)) {
                LOGGER.info(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Certificate not found in JWT Header.");
                return null;
            }
            LOGGER.info(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Certificate found in JWT Header.");
            return this.keymanagerUtil.convertToCertificate(Base64.decodeBase64((String) ((List) jsonStringToJavaMap.get(SignatureConstant.JWT_HEADER_CERT_KEY)).get(0)));
        } catch (JsonParseException | JsonMappingException | io.mosip.kernel.core.exception.IOException e) {
            LOGGER.error(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Provided Signed Data value is invalid.");
            throw new RequestException(SignatureErrorCode.INVALID_VERIFY_INPUT.getErrorCode(), SignatureErrorCode.INVALID_VERIFY_INPUT.getErrorMessage());
        }
    }

    private boolean verifySignature(String[] strArr, String str, PublicKey publicKey) {
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        try {
            if (Objects.nonNull(str)) {
                strArr[1] = str;
            }
            jsonWebSignature.setCompactSerialization(CompactSerializer.serialize(strArr));
            if (Objects.nonNull(publicKey)) {
                jsonWebSignature.setKey(publicKey);
            }
            return jsonWebSignature.verifySignature();
        } catch (ArrayIndexOutOfBoundsException | JoseException e) {
            LOGGER.error(SignatureConstant.SESSIONID, SignatureConstant.JWT_SIGN, "", "Provided Signed Data value is invalid.");
            throw new SignatureFailureException(SignatureErrorCode.VERIFY_ERROR.getErrorCode(), SignatureErrorCode.VERIFY_ERROR.getErrorMessage(), e);
        }
    }

    private String validateTrust(JWTSignatureVerifyRequestDto jWTSignatureVerifyRequestDto, Certificate certificate, String str) {
        if (!SignatureUtil.isIncludeAttrsValid(jWTSignatureVerifyRequestDto.getValidateTrust())) {
            return SignatureConstant.TRUST_NOT_VERIFIED;
        }
        String domain = jWTSignatureVerifyRequestDto.getDomain();
        if (!SignatureUtil.isDataValid(domain)) {
            return SignatureConstant.TRUST_NOT_VERIFIED_NO_DOMAIN;
        }
        String str2 = null;
        if (Objects.nonNull(certificate)) {
            str2 = this.keymanagerUtil.getPEMFormatedData(certificate);
        }
        String str3 = str2 == null ? str : str2;
        if (str3 == null) {
            return SignatureConstant.TRUST_NOT_VERIFIED;
        }
        CertificateTrustRequestDto certificateTrustRequestDto = new CertificateTrustRequestDto();
        certificateTrustRequestDto.setCertificateData(str3);
        certificateTrustRequestDto.setPartnerDomain(domain);
        return this.partnerCertManagerService.verifyCertificateTrust(certificateTrustRequestDto).getStatus().booleanValue() ? SignatureConstant.TRUST_VALID : SignatureConstant.TRUST_NOT_VALID;
    }
}
