package io.mosip.kernel.partnercertservice.service.impl;

import io.mosip.kernel.core.keymanager.spi.KeyStore;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.keymanager.hsm.util.CertificateUtility;
import io.mosip.kernel.keymanagerservice.dto.SignatureCertificate;
import io.mosip.kernel.keymanagerservice.entity.PartnerCertificateStore;
import io.mosip.kernel.keymanagerservice.helper.KeymanagerDBHelper;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.service.KeymanagerService;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import io.mosip.kernel.partnercertservice.constant.PartnerCertManagerConstants;
import io.mosip.kernel.partnercertservice.constant.PartnerCertManagerErrorConstants;
import io.mosip.kernel.partnercertservice.dto.CACertificateRequestDto;
import io.mosip.kernel.partnercertservice.dto.CACertificateResponseDto;
import io.mosip.kernel.partnercertservice.dto.CertificateTrustRequestDto;
import io.mosip.kernel.partnercertservice.dto.CertificateTrustResponeDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertDownloadRequestDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertDownloadResponeDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertificateRequestDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertificateResponseDto;
import io.mosip.kernel.partnercertservice.exception.PartnerCertManagerException;
import io.mosip.kernel.partnercertservice.helper.PartnerCertManagerDBHelper;
import io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService;
import io.mosip.kernel.partnercertservice.util.PartnerCertificateManagerUtil;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

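/**
 * Manages the partner certificate trust store: uploads CA/sub-CA certificates,
 * uploads partner certificates and re-signs their public key under the MOSIP
 * master signing key, serves re-signed partner certificates by id, and answers
 * trust queries against the certificates stored for a partner domain.
 *
 * <p>Every validation failure surfaces as a {@link PartnerCertManagerException}
 * carrying a {@link PartnerCertManagerErrorConstants} code, so callers get a
 * business error rather than a raw JCA exception. All operations run inside one
 * transaction ({@code @Transactional} on the class).
 */
@Transactional
@Service
public class PartnerCertificateManagerServiceImpl implements PartnerCertificateManagerService {

    private static final Logger LOGGER = KeymanagerLogger.getLogger(PartnerCertificateManagerServiceImpl.class);

    /** Smallest RSA modulus (in bits) accepted for a partner certificate key. */
    private static final int MIN_RSA_KEY_BITS = 2048;

    /** Partner certificates must be X.509 v3 (the version that carries extensions). */
    private static final int X509_VERSION_3 = 3;

    /** Application id of the master key used to re-sign partner certificates. */
    @Value("${mosip.kernel.partner.sign.masterkey.application.id}")
    private String masterSignKeyAppId;

    /** Comma-separated allow-list of partner domains that may own certificates in this store. */
    @Value("${mosip.kernel.partner.allowed.domains}")
    private String partnerAllowedDomains;

    /** Signature algorithm used when re-signing a partner certificate. */
    @Value("${mosip.kernel.certificate.sign.algorithm:SHA256withRSA}")
    private String signAlgorithm;

    /** Validity, in years, granted to a re-signed partner certificate. */
    @Value("${mosip.kernel.partner.issuer.certificate.duration.years:1}")
    private int issuerCertDuration;

    @Autowired
    KeymanagerUtil keymanagerUtil;

    @Autowired
    PartnerCertManagerDBHelper certDBHelper;

    @Autowired
    private KeymanagerDBHelper dbHelper;

    @Autowired
    private KeyStore keyStore;

    @Autowired
    private KeymanagerService keymanagerService;

    /**
     * Stores a CA or sub-CA certificate for a partner domain.
     *
     * <p>A self-signed certificate is stored as a root (its issuer id is its own id) after
     * only the de-duplication and date checks, so whoever can reach this operation can
     * introduce a new root for the domain; it is expected to be restricted to trusted
     * operators. A non-self-signed certificate is accepted only if a certification path to
     * an already stored root of the same domain can be built.
     *
     * @param cACertificateRequestDto certificate data plus the partner domain
     * @return upload status and the UTC timestamp of the operation
     * @throws PartnerCertManagerException if the data is not a certificate, the domain is not
     *         allowed, the certificate already exists, its dates are not valid, or no root CA
     *         is available for a sub-CA
     */
    @Override
    public CACertificateResponseDto uploadCACertificate(CACertificateRequestDto cACertificateRequestDto) {
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Uploading CA/Sub-CA Certificate.");
        String certificateData = cACertificateRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Invalid Certificate Data provided to upload the ca/sub-ca certificate.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
        }
        X509Certificate x509Certificate = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData);
        String certificateThumbprint = PartnerCertificateManagerUtil.getCertificateThumbprint(x509Certificate);
        String partnerDomain = validateAllowedDomains(cACertificateRequestDto.getPartnerDomain());
        validateBasicCACertParams(x509Certificate, certificateThumbprint, partnerDomain);
        String subjectDN = PartnerCertificateManagerUtil.formatCertificateDN(x509Certificate.getSubjectX500Principal().getName());
        String issuerDN = PartnerCertificateManagerUtil.formatCertificateDN(x509Certificate.getIssuerX500Principal().getName());
        if (PartnerCertificateManagerUtil.isSelfSignedCertificate(x509Certificate)) {
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Adding Self-signed Certificate in store.");
            // A root issues itself, so the stored issuer id is the certificate's own id.
            String certId = UUID.randomUUID().toString();
            this.certDBHelper.storeCACertificate(certId, subjectDN, issuerDN, certId, x509Certificate, certificateThumbprint, partnerDomain);
        } else {
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Adding Intermediate Certificates in store.");
            if (!validateCertificatePath(x509Certificate, partnerDomain)) {
                LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Sub-CA Certificate not allowed to upload as root CA is not available.");
                throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.ROOT_CA_NOT_FOUND.getErrorCode(), PartnerCertManagerErrorConstants.ROOT_CA_NOT_FOUND.getErrorMessage());
            }
            String issuerCertId = this.certDBHelper.getIssuerCertId(issuerDN);
            this.certDBHelper.storeCACertificate(UUID.randomUUID().toString(), subjectDN, issuerDN, issuerCertId, x509Certificate, certificateThumbprint, partnerDomain);
        }
        CACertificateResponseDto response = new CACertificateResponseDto();
        response.setStatus(PartnerCertManagerConstants.SUCCESS_UPLOAD);
        response.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return response;
    }

    /**
     * Rejects a CA certificate that is already stored for the domain or whose validity
     * period does not cover the current time.
     *
     * @param x509Certificate the candidate CA/sub-CA certificate
     * @param certificateThumbprint thumbprint used as the de-duplication key
     * @param partnerDomain upper-cased, validated partner domain
     * @throws PartnerCertManagerException on a duplicate or an invalid validity period
     */
    private void validateBasicCACertParams(X509Certificate x509Certificate, String certificateThumbprint, String partnerDomain) {
        if (this.certDBHelper.isCertificateExist(certificateThumbprint, partnerDomain)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "CA/sub-CA certificate already exists in Store.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorMessage());
        }
        if (!PartnerCertificateManagerUtil.isCertificateDatesValid(x509Certificate)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Certificate Dates are not valid.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
        }
    }

    /**
     * Resolves the requested partner domain against the configured allow-list.
     *
     * @param partnerDomain domain from the request; matched case-insensitively, may be null
     * @return the matching allow-list entry, upper-cased (the form used for storage lookups)
     * @throws PartnerCertManagerException if no allow-list entry matches
     */
    private String validateAllowedDomains(String partnerDomain) {
        return Stream.of(this.partnerAllowedDomains.split(PartnerCertManagerConstants.COMMA))
                .map(String::trim)
                .filter(allowedDomain -> allowedDomain.equalsIgnoreCase(partnerDomain))
                .findFirst()
                .orElseThrow(() -> new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_PARTNER_DOMAIN.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_PARTNER_DOMAIN.getErrorMessage()))
                .toUpperCase();
    }

    /**
     * Builds a PKIX certification path from the given certificate to one of the roots stored
     * for the partner domain, using the stored intermediates as the candidate cert store.
     *
     * <p>Revocation checking (CRL/OCSP) is disabled, so a revoked certificate anywhere in the
     * chain is not detected by this check. A missing or empty root set is reported as
     * "not trusted" instead of letting {@link PKIXBuilderParameters} throw a
     * {@link NullPointerException} out of the service.
     *
     * @param x509Certificate the certificate whose chain is to be built
     * @param partnerDomain upper-cased, validated partner domain
     * @return {@code true} if a path to a stored root was built, {@code false} otherwise
     */
    private boolean validateCertificatePath(X509Certificate x509Certificate, String partnerDomain) {
        try {
            Map<String, Set<?>> trustAnchors = this.certDBHelper.getTrustAnchors(partnerDomain);
            @SuppressWarnings("unchecked") // helper contract: TRUST_ROOT maps to the Set<TrustAnchor> of stored roots
            Set<TrustAnchor> rootAnchors = (Set<TrustAnchor>) trustAnchors.get(PartnerCertManagerConstants.TRUST_ROOT);
            Set<?> intermediates = trustAnchors.get(PartnerCertManagerConstants.TRUST_INTER);
            if (rootAnchors == null || rootAnchors.isEmpty()) {
                LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "No trust anchors available for the partner domain, trust validation failed.");
                return false;
            }
            if (intermediates == null) {
                intermediates = Collections.emptySet();
            }
            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setCertificate(x509Certificate);
            PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(rootAnchors, targetSelector);
            // No CRL/OCSP lookups: trust is decided solely by what is present in the store.
            pkixParameters.setRevocationEnabled(false);
            pkixParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediates)));
            CertPathBuilder.getInstance("PKIX").build(pkixParameters);
            return true;
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException e) {
            // Path building failure is the expected "untrusted" outcome, not an error.
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Ignore this exception, the exception thrown when trust validation failed.");
            return false;
        }
    }

    /**
     * Validates a partner certificate against the stored CA chain for its domain, re-signs
     * its public key under the MOSIP master key and stores both the original and the
     * re-signed certificate.
     *
     * @param partnerCertificateRequestDto certificate data, organization name and partner domain
     * @return the generated certificate id, the re-signed certificate in PEM form and a UTC timestamp
     * @throws PartnerCertManagerException if the data is not a certificate, the domain is not
     *         allowed, or any check in {@link #validateBasicPartnerCertParams} fails
     */
    @Override
    public PartnerCertificateResponseDto uploadPartnerCertificate(PartnerCertificateRequestDto partnerCertificateRequestDto) {
        String certificateData = partnerCertificateRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Invalid Certificate Data provided to upload the partner certificate.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
        }
        X509Certificate x509Certificate = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData);
        String certificateThumbprint = PartnerCertificateManagerUtil.getCertificateThumbprint(x509Certificate);
        String organizationName = partnerCertificateRequestDto.getOrganizationName();
        String partnerDomain = validateAllowedDomains(partnerCertificateRequestDto.getPartnerDomain());
        validateBasicPartnerCertParams(x509Certificate, certificateThumbprint, organizationName, partnerDomain);
        String subjectDN = PartnerCertificateManagerUtil.formatCertificateDN(x509Certificate.getSubjectX500Principal().getName());
        String issuerDN = PartnerCertificateManagerUtil.formatCertificateDN(x509Certificate.getIssuerX500Principal().getName());
        String issuerCertId = this.certDBHelper.getIssuerCertId(issuerDN);
        String certId = UUID.randomUUID().toString();
        String signedCertPem = this.keymanagerUtil.getPEMFormatedData(reSignPartnerKey(x509Certificate));
        this.certDBHelper.storePartnerCertificate(certId, subjectDN, issuerDN, issuerCertId, x509Certificate, certificateThumbprint, organizationName, partnerDomain, signedCertPem);
        PartnerCertificateResponseDto response = new PartnerCertificateResponseDto();
        response.setCertificateId(certId);
        response.setSignedCertificateData(signedCertPem);
        response.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return response;
    }

    /**
     * Applies the acceptance policy for a partner certificate, in order: not already stored,
     * validity period covers now, chains to a stored root/intermediate of the domain, is
     * X.509 v3, subject organization matches the requested organization, RSA keys are at
     * least {@value #MIN_RSA_KEY_BITS} bits, and the signature algorithm name starts with
     * {@code HASH_SHA2}.
     *
     * <p>The key-size check only applies to RSA keys; keys of other algorithms (e.g. EC)
     * are accepted without a size check.
     *
     * @param x509Certificate the candidate partner certificate
     * @param certificateThumbprint thumbprint used as the de-duplication key
     * @param organizationName organization name supplied in the request
     * @param partnerDomain upper-cased, validated partner domain
     * @throws PartnerCertManagerException on the first failing check
     */
    private void validateBasicPartnerCertParams(X509Certificate x509Certificate, String certificateThumbprint, String organizationName, String partnerDomain) {
        if (this.certDBHelper.isPartnerCertificateExist(certificateThumbprint, partnerDomain)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner certificate already exists in Store.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorMessage());
        }
        if (!PartnerCertificateManagerUtil.isCertificateDatesValid(x509Certificate)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Certificate Dates are not valid.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
        }
        if (!validateCertificatePath(x509Certificate, partnerDomain)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate not allowed to upload as root CA/Intermediate CAs are not available.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.ROOT_INTER_CA_NOT_FOUND.getErrorCode(), PartnerCertManagerErrorConstants.ROOT_INTER_CA_NOT_FOUND.getErrorMessage());
        }
        if (x509Certificate.getVersion() != X509_VERSION_3) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate version not valid, the version has to be V3");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERT_VERSION.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERT_VERSION.getErrorMessage());
        }
        if (!PartnerCertificateManagerUtil.getCertificateOrgName(x509Certificate.getSubjectX500Principal()).equals(organizationName)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate Organization and Partner Organization Name not matching.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.PARTNER_ORG_NOT_MATCH.getErrorCode(), PartnerCertManagerErrorConstants.PARTNER_ORG_NOT_MATCH.getErrorMessage());
        }
        PublicKey publicKey = x509Certificate.getPublicKey();
        boolean weakRsaKey = publicKey.getAlgorithm().equalsIgnoreCase("RSA")
                && ((RSAPublicKey) publicKey).getModulus().bitLength() < MIN_RSA_KEY_BITS;
        if (weakRsaKey) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate key is less than allowed size.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_KEY_NOT_ALLOWED.getErrorCode(), PartnerCertManagerErrorConstants.CERT_KEY_NOT_ALLOWED.getErrorMessage());
        }
        // Prefix match on the JCA algorithm name; only a SHA-2 family hash is accepted.
        if (!x509Certificate.getSigAlgName().toUpperCase().startsWith(PartnerCertManagerConstants.HASH_SHA2)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Signature Algorithm not supported.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_SIGNATURE_ALGO_NOT_ALLOWED.getErrorCode(), PartnerCertManagerErrorConstants.CERT_SIGNATURE_ALGO_NOT_ALLOWED.getErrorMessage());
        }
    }

    /**
     * Issues a new certificate for the partner's public key, signed by the MOSIP master key.
     *
     * <p>The new certificate keeps the partner's subject DN and public key, names the master
     * key certificate's subject as issuer, and is valid from now for
     * {@code issuerCertDuration} years (YEAR_DAYS days per year). Only the public key is taken
     * from the uploaded certificate; proof of possession of the matching private key is not
     * established here — confirm the surrounding onboarding flow covers it.
     *
     * @param x509Certificate the partner certificate whose subject and key are re-signed
     * @return the newly generated, master-key-signed certificate
     */
    private X509Certificate reSignPartnerKey(X509Certificate x509Certificate) {
        SignatureCertificate signatureCertificate = this.keymanagerService.getSignatureCertificate(this.masterSignKeyAppId, Optional.of(""), DateUtils.getUTCCurrentDateTimeString());
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "KeyAlias", "Found Master Key Alias: " + signatureCertificate.getAlias());
        PrivateKey signingKey = (PrivateKey) signatureCertificate.getCertificateEntry().getPrivateKey();
        // The issuer of the re-signed certificate is the subject of the master key's own certificate.
        X500Principal issuerPrincipal = ((X509Certificate[]) signatureCertificate.getCertificateEntry().getChain())[0].getSubjectX500Principal();
        X500Principal partnerPrincipal = x509Certificate.getSubjectX500Principal();
        PublicKey partnerPublicKey = x509Certificate.getPublicKey();
        int validityDays = PartnerCertManagerConstants.YEAR_DAYS * this.issuerCertDuration;
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "Cert Duration", "Calculated Signed Certficiate Number of Days for expire: " + validityDays);
        LocalDateTime notBefore = DateUtils.getUTCCurrentDateTime();
        LocalDateTime notAfter = notBefore.plus(validityDays, ChronoUnit.DAYS);
        return CertificateUtility.generateX509Certificate(signingKey, partnerPublicKey,
                PartnerCertificateManagerUtil.getCertificateParameters(partnerPrincipal, notBefore, notAfter),
                issuerPrincipal, this.signAlgorithm, this.keyStore.getKeystoreProviderName());
    }

    /**
     * Returns the re-signed (master-key-issued) certificate stored under a partner certificate id.
     *
     * @param partnerCertDownloadRequestDto the partner certificate id to look up
     * @return the signed certificate data and a UTC timestamp
     * @throws PartnerCertManagerException if the id is malformed or no certificate is stored under it
     */
    @Override
    public PartnerCertDownloadResponeDto getPartnerCertificate(PartnerCertDownloadRequestDto partnerCertDownloadRequestDto) {
        String partnerCertId = partnerCertDownloadRequestDto.getPartnerCertId();
        if (!PartnerCertificateManagerUtil.isValidCertificateID(partnerCertId)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Invalid Certificate ID provided to get the partner certificate.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE_ID.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE_ID.getErrorMessage());
        }
        PartnerCertificateStore partnerCert = this.certDBHelper.getPartnetCert(partnerCertId);
        if (Objects.isNull(partnerCert)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate ID not found.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.PARTNER_CERT_ID_NOT_FOUND.getErrorCode(), PartnerCertManagerErrorConstants.PARTNER_CERT_ID_NOT_FOUND.getErrorMessage());
        }
        PartnerCertDownloadResponeDto response = new PartnerCertDownloadResponeDto();
        response.setCertificateData(partnerCert.getSignedCertData());
        response.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return response;
    }

    /**
     * Reports whether a certificate chains to the CA certificates stored for a partner domain.
     * Only path building is performed (no revocation, key-size, version or organization
     * checks), so a {@code true} status is weaker than acceptance by
     * {@link #uploadPartnerCertificate}.
     *
     * @param certificateTrustRequestDto certificate data plus the partner domain
     * @return status {@code true} if a path to a stored root was built, {@code false} otherwise
     * @throws PartnerCertManagerException if the data is not a certificate or the domain is not allowed
     */
    @Override
    public CertificateTrustResponeDto verifyCertificateTrust(CertificateTrustRequestDto certificateTrustRequestDto) {
        String certificateData = certificateTrustRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Invalid Certificate Data provided to verify partner certificate trust.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
        }
        X509Certificate x509Certificate = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData);
        String partnerDomain = validateAllowedDomains(certificateTrustRequestDto.getPartnerDomain());
        boolean trusted = validateCertificatePath(x509Certificate, partnerDomain);
        CertificateTrustResponeDto response = new CertificateTrustResponeDto();
        response.setStatus(Boolean.valueOf(trusted));
        return response;
    }
}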
