package io.mosip.kernel.clientcrypto.service.impl;

import io.mosip.kernel.clientcrypto.constant.ClientCryptoErrorConstants;
import io.mosip.kernel.clientcrypto.constant.ClientCryptoManagerConstant;
import io.mosip.kernel.clientcrypto.exception.ClientCryptoException;
import io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService;
import io.mosip.kernel.core.crypto.spi.CryptoCoreSpec;
import io.mosip.kernel.core.exception.ExceptionUtils;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.junit.Assert;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
import tss.tpm.TPMT_PUBLIC;

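@Component
/**
 * Facade over the client-side crypto service: picks the TPM-backed implementation when one can be
 * created and otherwise falls back to the local (software) implementation, and implements hybrid
 * encryption for data addressed to a given public key.
 *
 * <p>Payload layout produced by {@link #encrypt} and consumed by {@link #decrypt}:
 * {@code [wrapped AES key | IV | AAD | ciphertext]} with fixed prefix sizes
 * {@link #ENC_SYM_KEY_LENGTH}, {@link #IV_LENGTH} and {@link #AAD_LENGTH}. {@code decrypt} locates
 * the fields by these offsets only, so the wrapped-key slice must always be exactly
 * {@code ENC_SYM_KEY_LENGTH} bytes (presumably a 2048-bit RSA modulus — confirm against the key size
 * used by the service implementations).
 *
 * <p>Thread-safety: the lazily created service instance is not guarded; concurrent first callers may
 * each construct an instance. The {@link SecureRandom} is shared and safe to use concurrently.
 */
public class ClientCryptoFacade {
    /** Byte length of the asymmetrically wrapped AES key that prefixes every encrypted payload. */
    private static final int ENC_SYM_KEY_LENGTH = 256;
    /** Byte length of the random IV stored right after the wrapped key. */
    private static final int IV_LENGTH = 16;
    /** Byte length of the random AAD stored right after the IV. */
    private static final int AAD_LENGTH = 12;
    /** Size in bits of the per-message AES key requested from {@link KeyGenerator}. */
    private static final int SYM_KEY_BITS = 256;
    /** Length of the fixed-size prefix (wrapped key + IV + AAD); the ciphertext starts here. */
    private static final int HEADER_LENGTH = ENC_SYM_KEY_LENGTH + IV_LENGTH + AAD_LENGTH;
    private static final Logger LOGGER = KeymanagerLogger.getLogger(ClientCryptoFacade.class);
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    // Created on first use by getClientSecurity(); see class Javadoc for the (absent) synchronization.
    private static ClientCryptoService clientCryptoService = null;

    @Autowired
    private CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCore;

    @Autowired
    private Environment environment;

    /**
     * No-op kept for binary compatibility. The TPM implementation is always attempted first and the
     * local implementation is used only when it cannot be created; this flag no longer influences that.
     *
     * @param z ignored
     * @deprecated has no effect; the implementation is selected automatically by {@link #getClientSecurity()}
     */
    @Deprecated
    public static void setIsTPMRequired(boolean z) {
    }

    /**
     * Creates the client crypto service: TPM-backed first, local software implementation as fallback.
     *
     * @throws ClientCryptoException with {@code INITIALIZATION_ERROR} when neither implementation could be created
     */
    private void initializeClientSecurity() {
        LOGGER.debug(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", "initializeClientSecurity >>> started");
        try {
            clientCryptoService = new TPMClientCryptoServiceImpl();
        } catch (Throwable th) {
            // Throwable rather than Exception: presumably so that link/initialization errors from the
            // TPM stack also lead to the fallback — confirm. Logged at debug only because a missing TPM
            // is expected on many hosts.
            LOGGER.debug(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", ExceptionUtils.getStackTrace(th));
        }
        if (clientCryptoService == null) {
            try {
                LOGGER.warn(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", "USING LOCAL CLIENT SECURITY INITIALIZED, IGNORE IF THIS IS NON-PROD ENV");
                clientCryptoService = new LocalClientCryptoServiceImpl(this.cryptoCore);
            } catch (Throwable th2) {
                LOGGER.error(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", ExceptionUtils.getStackTrace(th2));
            }
        }
        if (clientCryptoService == null) {
            LOGGER.error(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", "Failed to get client security instance.");
            throw new ClientCryptoException(ClientCryptoErrorConstants.INITIALIZATION_ERROR.getErrorCode(), ClientCryptoErrorConstants.INITIALIZATION_ERROR.getErrorMessage());
        }
        LOGGER.debug(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", "initializeClientSecurity >>> Completed");
    }

    /**
     * Returns the client crypto service, creating it on first call.
     *
     * @return the TPM-backed or local service; never {@code null}
     * @throws ClientCryptoException if no implementation could be initialized
     */
    public ClientCryptoService getClientSecurity() {
        if (clientCryptoService == null) {
            initializeClientSecurity();
        }
        return clientCryptoService;
    }

    /**
     * Verifies a signature with the implementation matching the key type: TPM when {@code publicKey}
     * parses as a TPM public area, otherwise the local implementation (logged at warn).
     *
     * @param publicKey  verification key, either a TPM public area or a key the local implementation accepts
     * @param signature  passed through positionally to the implementation's {@code validateSignature}
     * @param actualData passed through positionally to the implementation's {@code validateSignature}
     * @return whether the signature is valid according to the selected implementation
     */
    public boolean validateSignature(byte[] publicKey, byte[] signature, byte[] actualData) {
        if (isTPMKey(publicKey)) {
            return TPMClientCryptoServiceImpl.validateSignature(publicKey, signature, actualData);
        }
        LOGGER.warn(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", "USING LOCAL CLIENT SECURITY USED TO SIGN DATA, IGNORE IF THIS IS NON-PROD ENV");
        return LocalClientCryptoServiceImpl.validateSignature(publicKey, signature, actualData);
    }

    /**
     * Hybrid-encrypts {@code dataToEncrypt} for the holder of {@code publicKey}: a fresh AES key
     * encrypts the data (with a random IV and AAD), and the AES key is wrapped with the public key.
     *
     * @param publicKey     recipient key; a TPM public area selects the TPM wrap, anything else the local wrap
     * @param dataToEncrypt plaintext
     * @return {@code [wrapped key | IV | AAD | ciphertext]}, see the class Javadoc for the sizes
     * @throws IllegalStateException if an AES key cannot be generated
     * @throws NullPointerException  if the wrap step returns {@code null}
     */
    public byte[] encrypt(byte[] publicKey, byte[] dataToEncrypt) {
        SecretKey secretKey = getSecretKey();
        byte[] iv = generateRandomBytes(IV_LENGTH);
        byte[] aad = generateRandomBytes(AAD_LENGTH);
        byte[] cipherText = (byte[]) this.cryptoCore.symmetricEncrypt(secretKey, dataToEncrypt, iv, aad);

        byte[] wrappedKey;
        if (isTPMKey(publicKey)) {
            wrappedKey = TPMClientCryptoServiceImpl.asymmetricEncrypt(publicKey, secretKey.getEncoded());
        } else {
            LOGGER.warn(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.INITIALIZATION, "", "USING LOCAL CLIENT SECURITY USED TO ENCRYPT DATA, IGNORE IF THIS IS NON-PROD ENV");
            // The local implementation reads its crypto core from a static field; it must be set before the call.
            LocalClientCryptoServiceImpl.cryptoCore = this.cryptoCore;
            wrappedKey = LocalClientCryptoServiceImpl.asymmetricEncrypt(publicKey, secretKey.getEncoded());
        }
        Objects.requireNonNull(wrappedKey, "asymmetric encryption of the session key returned null");
        if (wrappedKey.length != ENC_SYM_KEY_LENGTH) {
            // decrypt() slices the wrapped key at a fixed offset; a different length cannot be decrypted by it.
            LOGGER.warn(ClientCryptoManagerConstant.SESSIONID, "Client Security FACADE", "", "Wrapped key length " + wrappedKey.length + " differs from expected " + ENC_SYM_KEY_LENGTH);
        }

        byte[] out = new byte[wrappedKey.length + iv.length + aad.length + cipherText.length];
        int offset = 0;
        for (byte[] part : new byte[][] {wrappedKey, iv, aad, cipherText}) {
            System.arraycopy(part, 0, out, offset, part.length);
            offset += part.length;
        }
        return out;
    }

    /**
     * Reverses {@link #encrypt}: unwraps the AES key with the client service's private key and
     * decrypts the ciphertext with the IV and AAD carried in the payload.
     *
     * @param dataToDecrypt payload in the {@code [wrapped key | IV | AAD | ciphertext]} layout
     * @return plaintext
     * @throws NullPointerException     if {@code dataToDecrypt} is {@code null}
     * @throws IllegalArgumentException if the payload is shorter than the fixed prefix; without this
     *                                  check a short input would be zero-padded by {@code Arrays.copyOfRange}
     *                                  and handed to the unwrap step as if it were a wrapped key
     * @throws ClientCryptoException    if the client service cannot be initialized
     */
    public byte[] decrypt(byte[] dataToDecrypt) {
        Objects.requireNonNull(dataToDecrypt, "dataToDecrypt");
        if (dataToDecrypt.length < HEADER_LENGTH) {
            throw new IllegalArgumentException("Encrypted payload too short: " + dataToDecrypt.length
                    + " bytes, expected at least " + HEADER_LENGTH);
        }
        ClientCryptoService service = Objects.requireNonNull(getClientSecurity(), "clientCryptoService");
        byte[] symmetricKey = service.asymmetricDecrypt(Arrays.copyOfRange(dataToDecrypt, 0, ENC_SYM_KEY_LENGTH));
        int ivStart = ENC_SYM_KEY_LENGTH;
        int aadStart = ivStart + IV_LENGTH;
        byte[] iv = Arrays.copyOfRange(dataToDecrypt, ivStart, aadStart);
        byte[] aad = Arrays.copyOfRange(dataToDecrypt, aadStart, HEADER_LENGTH);
        byte[] cipherText = Arrays.copyOfRange(dataToDecrypt, HEADER_LENGTH, dataToDecrypt.length);
        return (byte[]) this.cryptoCore.symmetricDecrypt(new SecretKeySpec(symmetricKey, "AES"), cipherText, iv, aad);
    }

    /**
     * Returns {@code i} bytes from a shared {@link SecureRandom}.
     *
     * @param i number of bytes
     * @return freshly generated random bytes
     * @throws NegativeArraySizeException if {@code i} is negative
     */
    public static byte[] generateRandomBytes(int i) {
        byte[] bytes = new byte[i];
        SECURE_RANDOM.nextBytes(bytes);
        return bytes;
    }

    /**
     * Generates a fresh {@link #SYM_KEY_BITS}-bit AES key for one {@link #encrypt} call.
     *
     * @return the new key
     * @throws IllegalStateException if no AES {@link KeyGenerator} is available (previously this
     *                               returned {@code null}, which surfaced later as an NPE in the caller)
     */
    private static SecretKey getSecretKey() {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
            keyGenerator.init(SYM_KEY_BITS);
            return keyGenerator.generateKey();
        } catch (NoSuchAlgorithmException e) {
            LOGGER.error(ClientCryptoManagerConstant.SESSIONID, "Client Security FACADE", "", "Failed to generate secret key " + ExceptionUtils.getStackTrace(e));
            throw new IllegalStateException("AES KeyGenerator is not available", e);
        }
    }

    /**
     * Tells whether {@code publicKey} parses as a TPM public area ({@code TPMT_PUBLIC}).
     *
     * @param publicKey candidate key bytes
     * @return {@code true} if parsing succeeds; {@code false} on any parse failure (logged at info)
     */
    private boolean isTPMKey(byte[] publicKey) {
        try {
            Objects.requireNonNull(TPMT_PUBLIC.fromTpm(publicKey));
            return true;
        } catch (Throwable th) {
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, "Client Security FACADE", "", "*** INVALID TPM KEY **** " + ExceptionUtils.getStackTrace(th));
            return false;
        }
    }
}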
