package io.mosip.kernel.clientcrypto.service.impl;

import io.mosip.kernel.clientcrypto.constant.ClientCryptoErrorConstants;
import io.mosip.kernel.clientcrypto.constant.ClientCryptoManagerConstant;
import io.mosip.kernel.clientcrypto.exception.ClientCryptoException;
import io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService;
import io.mosip.kernel.core.exception.ExceptionUtils;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.cryptomanager.constant.CryptomanagerConstant;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.partnercertservice.constant.PartnerCertManagerConstants;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.junit.Assert;
import tss.Helpers;
import tss.Tpm;
import tss.TpmDeviceLinux;
import tss.TpmDeviceTbs;
import tss.TpmFactory;
import tss.tpm.CreatePrimaryResponse;
import tss.tpm.TPM2B_PUBLIC_KEY_RSA;
import tss.tpm.TPMA_OBJECT;
import tss.tpm.TPMS_ENC_SCHEME_OAEP;
import tss.tpm.TPMS_NULL_ASYM_SCHEME;
import tss.tpm.TPMS_NULL_SIG_SCHEME;
import tss.tpm.TPMS_PCR_SELECTION;
import tss.tpm.TPMS_RSA_PARMS;
import tss.tpm.TPMS_SENSITIVE_CREATE;
import tss.tpm.TPMS_SIGNATURE_RSASSA;
import tss.tpm.TPMS_SIG_SCHEME_RSASSA;
import tss.tpm.TPMT_HA;
import tss.tpm.TPMT_PUBLIC;
import tss.tpm.TPMT_SYM_DEF_OBJECT;
import tss.tpm.TPMT_TK_HASHCHECK;
import tss.tpm.TPM_ALG_ID;
import tss.tpm.TPM_HANDLE;
import tss.tpm.TPM_RH;

/* loaded from: input_file:io/mosip/kernel/clientcrypto/service/impl/TPMClientCryptoServiceImpl.class */
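/**
 * {@link ClientCryptoService} backed by the platform TPM 2.0 through the tss.Java stack.
 *
 * <p>The signing key and the decryption key are <em>primary</em> keys created under the
 * endorsement hierarchy from fixed templates, so the TPM derives the same key pair from its
 * endorsement seed on every run; the {@code CreatePrimary} responses are cached after first use.
 * The TPM connection and both cached keys are static, i.e. shared by all instances of this class.
 * Every TPM command and every read or write of that shared state is serialised on
 * {@link #TPM_LOCK}; callers may use instances from several threads.
 *
 * <p>{@link ClientCryptoException} is thrown (unchecked) for every TPM failure, including the
 * case where no kernel/system TPM resource manager was found at construction time.
 */
class TPMClientCryptoServiceImpl implements ClientCryptoService {
    private static final Logger LOGGER = KeymanagerLogger.getLogger(TPMClientCryptoServiceImpl.class);
    private static final byte[] NULL_VECTOR = new byte[0];
    /**
     * OAEP label handed to {@code RSA_Decrypt}: the UTF-8 encoding of the empty string followed by
     * a NUL terminator, i.e. the single byte {@code 0}. It must stay in step with the empty label
     * used by {@link #asymmetricEncrypt(byte[], byte[])}; a mismatch makes every decryption fail.
     */
    private static final byte[] label = Helpers.concatenate(Charset.forName("UTF-8").encode(new String(NULL_VECTOR)).array(), new byte[]{0});
    /**
     * authPolicy of the decryption-key template. The digest matches the TCG EK Credential Profile
     * default EK policy (PolicySecret bound to the endorsement hierarchy). The template also sets
     * {@code userWithAuth}, so USER-role commands (RSA_Decrypt) are authorised with the empty
     * authValue and the policy is never evaluated here. The digest is part of the template and
     * therefore of the derived key: changing it produces a different key pair.
     */
    private static final byte[] EK_DEFAULT_AUTH_POLICY = new byte[]{-125, 113, -105, 103, 68, -124, -77, -8, 26, -112, -52, -115, 70, -91, -41, 36, -3, 82, -41, 110, 6, 82, 11, 100, -14, -95, -38, 27, 51, 20, 105, -86};
    private static final String NO_TPM_MESSAGE = "Platform TPM is not available: no kernel/system TPM resource manager was connected";
    /** Guards {@link #tpm}, {@link #signingPrimaryResponse} and {@link #encPrimaryResponse}. */
    private static final Object TPM_LOCK = new Object();
    // Shared TPM connection; null until a constructor succeeded and after closeSecurityInstance().
    private static Tpm tpm;
    // Cached primary keys; null until first use, dropped again when the connection is closed.
    private static CreatePrimaryResponse signingPrimaryResponse;
    private static CreatePrimaryResponse encPrimaryResponse;

    /**
     * Connects to the platform TPM on first construction; later constructions reuse the shared
     * connection. A platform TPM that is not reached through the Windows TBS or the Linux
     * kernel device is rejected, leaving {@link #tpm} null so that every crypto call fails with a
     * {@link ClientCryptoException} instead of talking to an unmanaged device.
     *
     * @throws Throwable whatever {@link TpmFactory#platformTpm()} throws
     */
    public TPMClientCryptoServiceImpl() throws Throwable {
        LOGGER.debug(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "TPMClientCryptoServiceImpl constructor invoked");
        synchronized (TPM_LOCK) {
            if (tpm != null) {
                return;
            }
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "Instantiating Platform TPM");
            Tpm candidate = TpmFactory.platformTpm();
            if (isKernelModeTRM(candidate)) {
                tpm = candidate;
            } else {
                LOGGER.warn(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "UNABLE TO CONNECT TO KERNEL/SYSTEM TPM RESOURCE MANAGER");
                tpm = null;
            }
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "Completed getting the instance of Platform TPM");
        }
    }

    /**
     * Signs {@code data} with the TPM-resident signing key (RSASSA over a SHA-256 digest computed
     * on the host; the NULL scheme selects the scheme fixed in the key template).
     *
     * @param data bytes to sign
     * @return the raw RSASSA signature
     * @throws ClientCryptoException if no TPM is available or the TPM rejects the command
     */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] signData(byte[] data) throws ClientCryptoException {
        try {
            Tpm device = requireTpm();
            CreatePrimaryResponse signingKey = createSigningKey();
            byte[] digest = TPMT_HA.fromHashOf(TPM_ALG_ID.SHA256, data).digest;
            TPMS_SIGNATURE_RSASSA signature;
            synchronized (TPM_LOCK) {
                signature = (TPMS_SIGNATURE_RSASSA) device.Sign(signingKey.handle, digest, new TPMS_NULL_SIG_SCHEME(), TPMT_TK_HASHCHECK.nullTicket());
            }
            if (signature == null) {
                // An IllegalStateException (not a JUnit AssertionError) so the catch below wraps it.
                throw new IllegalStateException("TPM returned no signature");
            }
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "Completed Signing data using TPM");
            return signature.sig;
        } catch (Exception e) {
            throw cryptoFailed(e);
        }
    }

    /**
     * Verifies {@code signature} over {@code actualData} against this TPM's own signing public key.
     *
     * @param signature raw RSASSA signature as returned by {@link #signData(byte[])}
     * @param actualData the data that was signed
     * @return {@code true} if the signature is valid
     * @throws ClientCryptoException if the signing public key cannot be obtained from the TPM
     */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public boolean validateSignature(byte[] signature, byte[] actualData) throws ClientCryptoException {
        return validateSignature(getSigningPublicPart(), signature, actualData);
    }

    /**
     * Encrypts {@code data} on the host with this TPM's own decryption public key (RSA-OAEP/SHA-256
     * as fixed in the key template).
     *
     * @param data plaintext; must fit the OAEP limit of a {@code RSA_MIN_KEY_SIZE}-bit key
     * @return ciphertext decryptable by {@link #asymmetricDecrypt(byte[])}
     * @throws ClientCryptoException if no TPM is available or encryption fails
     */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] asymmetricEncrypt(byte[] data) throws ClientCryptoException {
        try {
            return asymmetricEncrypt(createRSAKey().outPublic.toTpm(), data);
        } catch (Exception e) {
            throw cryptoFailed(e);
        }
    }

    /**
     * Decrypts {@code cipherText} inside the TPM with the decryption primary key.
     *
     * @param cipherText output of {@link #asymmetricEncrypt(byte[])} or of
     *                   {@link #asymmetricEncrypt(byte[], byte[])} with this TPM's public part
     * @return the plaintext
     * @throws ClientCryptoException if no TPM is available or the TPM rejects the command
     */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] asymmetricDecrypt(byte[] cipherText) throws ClientCryptoException {
        try {
            Tpm device = requireTpm();
            CreatePrimaryResponse encKey = createRSAKey();
            synchronized (TPM_LOCK) {
                return device.RSA_Decrypt(encKey.handle, cipherText, new TPMS_NULL_ASYM_SCHEME(), label);
            }
        } catch (Exception e) {
            throw cryptoFailed(e);
        }
    }

    /**
     * Returns the signing key's public part in TPM wire format ({@code TPMT_PUBLIC} marshalled).
     *
     * @throws ClientCryptoException if no TPM is available or key creation fails
     */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] getSigningPublicPart() throws ClientCryptoException {
        try {
            return createSigningKey().outPublic.toTpm();
        } catch (Exception e) {
            throw cryptoFailed(e);
        }
    }

    /**
     * Closes the shared TPM connection and forgets the cached primary keys, whose handles die
     * with the connection. Safe to call repeatedly; a later constructor call reconnects.
     */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public synchronized void closeSecurityInstance() {
        synchronized (TPM_LOCK) {
            if (tpm == null) {
                return;
            }
            try {
                tpm.close();
            } catch (IOException e) {
                LOGGER.error(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", ExceptionUtils.getStackTrace(e));
            } finally {
                // Never keep a closed connection (or handles created on it) reachable.
                tpm = null;
                signingPrimaryResponse = null;
                encPrimaryResponse = null;
            }
        }
    }

    /**
     * Draws {@code length} random bytes from the TPM's RNG.
     *
     * <p>TPM2_GetRandom may return fewer bytes than requested (at most the TPM's largest digest
     * size per call), so the request is repeated until the buffer is full instead of handing a
     * short buffer to the caller.
     *
     * @param length number of bytes wanted, non-negative
     * @return exactly {@code length} random bytes
     * @throws IllegalArgumentException if {@code length} is negative
     * @throws ClientCryptoException if no TPM is available
     */
    public static synchronized byte[] generateRandomBytes(int length) {
        if (length < 0) {
            throw new IllegalArgumentException("length must be non-negative: " + length);
        }
        synchronized (TPM_LOCK) {
            if (tpm == null) {
                throw cryptoFailed(new IllegalStateException(NO_TPM_MESSAGE));
            }
            byte[] out = new byte[length];
            int filled = 0;
            while (filled < length) {
                byte[] chunk = tpm.GetRandom(length - filled);
                if (chunk == null || chunk.length == 0) {
                    throw cryptoFailed(new IllegalStateException("TPM returned no random bytes"));
                }
                int n = Math.min(chunk.length, length - filled);
                System.arraycopy(chunk, 0, out, filled, n);
                filled += n;
            }
            return out;
        }
    }

    /**
     * Returns the decryption key's public part in TPM wire format ({@code TPMT_PUBLIC} marshalled).
     *
     * @throws ClientCryptoException if no TPM is available or key creation fails
     */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] getEncryptionPublicPart() {
        try {
            return createRSAKey().outPublic.toTpm();
        } catch (Exception e) {
            throw cryptoFailed(e);
        }
    }

    /**
     * Verifies an RSASSA/SHA-256 signature on the host against a TPM-format public key; no TPM
     * is needed, so this also works on a machine other than the signer's.
     *
     * @param publicKey {@code TPMT_PUBLIC} in TPM wire format (see {@link #getSigningPublicPart()})
     * @param signature raw RSASSA signature
     * @param data the data that was signed
     * @return {@code true} if the signature is valid
     * @throws ClientCryptoException declared for interface symmetry; tss failures surface unchanged
     */
    public static boolean validateSignature(byte[] publicKey, byte[] signature, byte[] data) throws ClientCryptoException {
        TPMT_PUBLIC key = TPMT_PUBLIC.fromTpm(publicKey);
        return key.validateSignature(data, new TPMS_SIGNATURE_RSASSA(TPM_ALG_ID.SHA256, signature));
    }

    /**
     * Encrypts on the host with a TPM-format public key using the scheme fixed in that key
     * (OAEP/SHA-256 for keys from {@link #getEncryptionPublicPart()}) and the empty label that
     * {@link #asymmetricDecrypt(byte[])} expects.
     *
     * @param publicKey {@code TPMT_PUBLIC} in TPM wire format
     * @param data plaintext
     * @return ciphertext
     * @throws ClientCryptoException declared for interface symmetry; tss failures surface unchanged
     */
    public static byte[] asymmetricEncrypt(byte[] publicKey, byte[] data) throws ClientCryptoException {
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "TpmClientSecurity Asymmetric encrypt");
        return TPMT_PUBLIC.fromTpm(publicKey).encrypt(data, new String(NULL_VECTOR));
    }

    /** Always {@code true}: this implementation is the TPM-backed one. */
    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public boolean isTPMInstance() {
        return true;
    }

    /**
     * Returns the cached signing primary key, creating it on first use under the endorsement
     * hierarchy. The check and the creation happen under {@link #TPM_LOCK} so concurrent callers
     * cannot create the key twice.
     *
     * <p>The template (nameAlg SHA1, RSASSA/SHA-256, {@code RSA_MIN_KEY_SIZE} bits, e=65537,
     * fixedTPM|fixedParent|sign|sensitiveDataOrigin|userWithAuth) determines the derived key:
     * any change, including the SHA1 nameAlg, yields a different key pair and invalidates every
     * public part already handed out, so it is deliberately left as is.
     *
     * @throws IllegalStateException if no TPM is available
     */
    private static CreatePrimaryResponse createSigningKey() {
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "Creating the Key from Platform TPM");
        synchronized (TPM_LOCK) {
            if (signingPrimaryResponse != null) {
                return signingPrimaryResponse;
            }
            Tpm device = requireTpm();
            TPMA_OBJECT attributes = new TPMA_OBJECT(new TPMA_OBJECT[]{TPMA_OBJECT.fixedTPM, TPMA_OBJECT.fixedParent, TPMA_OBJECT.sign, TPMA_OBJECT.sensitiveDataOrigin, TPMA_OBJECT.userWithAuth});
            TPMS_RSA_PARMS rsaParms = new TPMS_RSA_PARMS(new TPMT_SYM_DEF_OBJECT(TPM_ALG_ID.NULL, 0, TPM_ALG_ID.NULL), new TPMS_SIG_SCHEME_RSASSA(TPM_ALG_ID.SHA256), PartnerCertManagerConstants.RSA_MIN_KEY_SIZE, 65537);
            TPMT_PUBLIC template = new TPMT_PUBLIC(TPM_ALG_ID.SHA1, attributes, new byte[0], rsaParms, new TPM2B_PUBLIC_KEY_RSA());
            TPM_HANDLE endorsement = TPM_HANDLE.from(TPM_RH.ENDORSEMENT);
            // Empty authValue and no sensitive seed: the key is authorised by the empty password.
            TPMS_SENSITIVE_CREATE sensitive = new TPMS_SENSITIVE_CREATE(NULL_VECTOR, NULL_VECTOR);
            signingPrimaryResponse = device.CreatePrimary(endorsement, sensitive, template, NULL_VECTOR, new TPMS_PCR_SELECTION[0]);
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "Completed creating the Signing Key from Platform TPM");
            return signingPrimaryResponse;
        }
    }

    /**
     * Returns the cached decryption primary key, creating it on first use under the endorsement
     * hierarchy. The check and the creation happen under {@link #TPM_LOCK} so concurrent callers
     * cannot create the key twice.
     *
     * <p>The template (nameAlg SHA256, OAEP/SHA-256, {@code RSA_MIN_KEY_SIZE} bits, e=65537,
     * fixedTPM|fixedParent|decrypt|sensitiveDataOrigin|userWithAuth, authPolicy
     * {@link #EK_DEFAULT_AUTH_POLICY}) determines the derived key; see
     * {@link #createSigningKey()} for why it must not be altered.
     *
     * @throws IllegalStateException if no TPM is available
     */
    private static CreatePrimaryResponse createRSAKey() {
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "Getting Asymmetric Key Creation from tpm");
        synchronized (TPM_LOCK) {
            if (encPrimaryResponse != null) {
                return encPrimaryResponse;
            }
            Tpm device = requireTpm();
            LocalDateTime started = LocalDateTime.now();
            TPMA_OBJECT attributes = new TPMA_OBJECT(new TPMA_OBJECT[]{TPMA_OBJECT.fixedTPM, TPMA_OBJECT.fixedParent, TPMA_OBJECT.decrypt, TPMA_OBJECT.sensitiveDataOrigin, TPMA_OBJECT.userWithAuth});
            TPMS_RSA_PARMS rsaParms = new TPMS_RSA_PARMS(new TPMT_SYM_DEF_OBJECT(TPM_ALG_ID.NULL, 0, TPM_ALG_ID.NULL), new TPMS_ENC_SCHEME_OAEP(TPM_ALG_ID.SHA256), PartnerCertManagerConstants.RSA_MIN_KEY_SIZE, 65537);
            TPMT_PUBLIC template = new TPMT_PUBLIC(TPM_ALG_ID.SHA256, attributes, EK_DEFAULT_AUTH_POLICY, rsaParms, new TPM2B_PUBLIC_KEY_RSA());
            TPMS_SENSITIVE_CREATE sensitive = new TPMS_SENSITIVE_CREATE(NULL_VECTOR, NULL_VECTOR);
            TPM_HANDLE endorsement = TPM_HANDLE.from(TPM_RH.ENDORSEMENT);
            // outsideInfo and creationPCR are passed as null here (the signing key passes empty
            // values); kept as found since the marshalled command is what the TPM has been seeing.
            encPrimaryResponse = device.CreatePrimary(endorsement, sensitive, template, (byte[]) null, (TPMS_PCR_SELECTION[]) null);
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", String.format("Completed Asymmetric Key Creation using tpm. Time taken is %s seconds", String.valueOf(started.until(LocalDateTime.now(), ChronoUnit.SECONDS))));
            return encPrimaryResponse;
        }
    }

    /**
     * Generates a fresh AES key of {@code ENCRYPTED_SESSION_KEY_LENGTH} bits with the JCE, or
     * returns {@code null} (after logging) if no AES provider exists. Not referenced anywhere in
     * this class; retained because it is part of the compiled artefact.
     */
    private static SecretKey getSecretKey() {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
            keyGenerator.init(CryptomanagerConstant.ENCRYPTED_SESSION_KEY_LENGTH);
            return keyGenerator.generateKey();
        } catch (NoSuchAlgorithmException e) {
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.TPM, "", "Failed to generate secret key " + ExceptionUtils.getStackTrace(e));
            return null;
        }
    }

    /**
     * Tells whether {@code candidate} talks to the TPM through a kernel/system resource manager,
     * i.e. the Windows TBS or the Linux kernel device. Anything else (including a null TPM or a
     * TPM without a device) is rejected.
     */
    private static boolean isKernelModeTRM(Tpm candidate) {
        if (candidate == null) {
            return false;
        }
        Object device = candidate._getDevice();
        return device instanceof TpmDeviceTbs || device instanceof TpmDeviceLinux;
    }

    /**
     * Returns the shared TPM connection.
     *
     * @throws IllegalStateException if no TPM is connected; callers inside a
     *                               {@code catch (Exception)} turn this into a ClientCryptoException
     */
    private static Tpm requireTpm() {
        synchronized (TPM_LOCK) {
            if (tpm == null) {
                throw new IllegalStateException(NO_TPM_MESSAGE);
            }
            return tpm;
        }
    }

    /** Wraps any failure into the single {@code CRYPTO_FAILED} error this service reports. */
    private static ClientCryptoException cryptoFailed(Exception cause) {
        return new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), cause);
    }
}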
