package io.mosip.kernel.keymanagerservice.service.impl;

import io.mosip.kernel.core.crypto.exception.InvalidDataException;
import io.mosip.kernel.core.crypto.exception.InvalidKeyException;
import io.mosip.kernel.core.crypto.exception.NullDataException;
import io.mosip.kernel.core.crypto.exception.NullKeyException;
import io.mosip.kernel.core.crypto.exception.NullMethodException;
import io.mosip.kernel.core.crypto.spi.CryptoCoreSpec;
import io.mosip.kernel.core.keymanager.exception.KeystoreProcessingException;
import io.mosip.kernel.core.keymanager.exception.NoSuchSecurityProviderException;
import io.mosip.kernel.core.keymanager.model.CertificateEntry;
import io.mosip.kernel.core.keymanager.model.CertificateParameters;
import io.mosip.kernel.core.keymanager.spi.KeyStore;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.cryptomanager.util.CryptomanagerUtils;
import io.mosip.kernel.keygenerator.bouncycastle.KeyGenerator;
import io.mosip.kernel.keymanager.hsm.util.CertificateUtility;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerErrorConstant;
import io.mosip.kernel.keymanagerservice.dto.CSRGenerateRequestDto;
import io.mosip.kernel.keymanagerservice.dto.CertificateInfo;
import io.mosip.kernel.keymanagerservice.dto.KeyPairGenerateRequestDto;
import io.mosip.kernel.keymanagerservice.dto.KeyPairGenerateResponseDto;
import io.mosip.kernel.keymanagerservice.dto.PublicKeyResponse;
import io.mosip.kernel.keymanagerservice.dto.SignatureCertificate;
import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyGenerateRequestDto;
import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyGenerateResponseDto;
import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyRequestDto;
import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyResponseDto;
import io.mosip.kernel.keymanagerservice.dto.UploadCertificateRequestDto;
import io.mosip.kernel.keymanagerservice.dto.UploadCertificateResponseDto;
import io.mosip.kernel.keymanagerservice.entity.KeyAlias;
import io.mosip.kernel.keymanagerservice.entity.KeyPolicy;
import io.mosip.kernel.keymanagerservice.exception.CryptoException;
import io.mosip.kernel.keymanagerservice.exception.InvalidResponseObjectTypeException;
import io.mosip.kernel.keymanagerservice.exception.KeymanagerServiceException;
import io.mosip.kernel.keymanagerservice.exception.NoUniqueAliasException;
import io.mosip.kernel.keymanagerservice.helper.KeymanagerDBHelper;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.service.KeymanagerService;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.LocalDateTime;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import javax.crypto.SecretKey;
import javax.security.auth.x500.X500Principal;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional
@Service
/* loaded from: input_file:io/mosip/kernel/keymanagerservice/service/impl/KeymanagerServiceImpl.class */
public class KeymanagerServiceImpl implements KeymanagerService {
    private static final String VALID_REFERENCE_ID_GETTING_KEY_ALIAS_WITH_REFERENCE_ID = "Valid reference Id. Getting key alias with referenceId";
    private static final String NOT_A_VALID_REFERENCE_ID_GETTING_KEY_ALIAS_WITHOUT_REFERENCE_ID = "Not a valid reference Id. Getting key alias without referenceId";
    private static final Logger LOGGER = KeymanagerLogger.getLogger(KeymanagerServiceImpl.class);

    @Value("${mosip.root.key.applicationid:ROOT}")
    private String rootKeyApplicationId;

    @Value("${mosip.sign-certificate-refid:SIGN}")
    private String certificateSignRefID;

    @Value("${mosip.sign.applicationid:KERNEL}")
    private String signApplicationid;

    @Value("${mosip.kernel.certificate.sign.algorithm:SHA256withRSA}")
    private String signAlgorithm;

    @Value("${mosip.kernel.keymanager.113nothumbprint.support:false}")
    private boolean noThumbprint;

    @Autowired
    private KeyStore keyStore;

    @Autowired
    private KeyGenerator keyGenerator;

    @Autowired
    private CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCore;

    @Autowired
    KeymanagerUtil keymanagerUtil;

    @Autowired
    private KeymanagerDBHelper dbHelper;

    @Autowired
    CryptomanagerUtils cryptomanagerUtil;

    private CertificateInfo<X509Certificate> getCertificateFromHSM(String str, LocalDateTime localDateTime, String str2) {
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str, KeymanagerConstant.GETPUBLICKEYHSM);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.TIMESTAMP, localDateTime.toString(), KeymanagerConstant.GETPUBLICKEYHSM);
        String str3 = null;
        this.dbHelper.getKeyPolicy(str);
        Map<String, List<KeyAlias>> keyAliases = this.dbHelper.getKeyAliases(str, str2, localDateTime);
        List<KeyAlias> list = keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS);
        List<KeyAlias> list2 = keyAliases.get(KeymanagerConstant.KEYALIAS);
        if (list2.isEmpty()) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, String.valueOf(list2.size()), "Initial Key generation process not completed.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.KEY_GENERATION_NOT_DONE.getErrorCode(), KeymanagerErrorConstant.KEY_GENERATION_NOT_DONE.getErrorMessage());
        }
        if (list.size() > 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size more than one Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (list.size() == 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, list.get(0).getAlias(), "CurrentKeyAlias size is one fetching keypair using this alias");
            str3 = list.get(0).getAlias();
        } else if (list.isEmpty()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size is zero. Will create new Keypair for this applicationId and timestamp");
            str3 = UUID.randomUUID().toString();
            generateKeyPairInHSM(str3, str, str2, localDateTime, list2);
        }
        return new CertificateInfo<>(str3, (X509Certificate) this.keyStore.getCertificate(str3));
    }

    private void generateKeyPairInHSM(String str, String str2, String str3, LocalDateTime localDateTime, List<KeyAlias> list) {
        LocalDateTime expiryPolicy = this.dbHelper.getExpiryPolicy(str2, localDateTime, list);
        this.keyStore.generateAndStoreAsymmetricKey(str, getRootKeyAlias(str2, localDateTime), this.keymanagerUtil.getCertificateParameters(getLatestCertPrincipal(list), localDateTime, expiryPolicy));
        this.dbHelper.storeKeyInAlias(str2, localDateTime, str3, str, expiryPolicy);
    }

    private X500Principal getLatestCertPrincipal(List<KeyAlias> list) {
        return ((X509Certificate) this.keyStore.getCertificate(list.get(0).getAlias())).getSubjectX500Principal();
    }

    private CertificateInfo<X509Certificate> getCertificateFromDBStore(String str, LocalDateTime localDateTime, String str2) {
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str, KeymanagerConstant.GETPUBLICKEYDB);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.TIMESTAMP, localDateTime.toString(), KeymanagerConstant.GETPUBLICKEYDB);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.REFERENCEID, str2, KeymanagerConstant.GETPUBLICKEYDB);
        String str3 = null;
        X509Certificate x509Certificate = null;
        Map<String, List<KeyAlias>> keyAliases = this.dbHelper.getKeyAliases(str, str2, localDateTime);
        List<KeyAlias> list = keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list.size() > 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size more than one. Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (list.size() == 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, list.get(0).getAlias(), "CurrentKeyAlias size is one. Will fetch keypair using this alias");
            Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> keyStoreFromDB = this.dbHelper.getKeyStoreFromDB(list.get(0).getAlias());
            if (!keyStoreFromDB.isPresent()) {
                LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYFROMDB, keyStoreFromDB.toString(), "Key in DBStore does not exist for this alias. Throwing exception");
                throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
            }
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYFROMDB, list.get(0).getAlias(), "Key in DBStore exists for this alias. Fetching Certificate.");
            str3 = list.get(0).getAlias();
            x509Certificate = (X509Certificate) this.keymanagerUtil.convertToCertificate(keyStoreFromDB.get().getCertificateData());
        } else if (list.isEmpty()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size is zero. Will create new Keypair for this applicationId, referenceId and timestamp");
            List<KeyAlias> list2 = keyAliases.get(KeymanagerConstant.KEYALIAS);
            if (!list2.isEmpty()) {
                list2.forEach(keyAlias -> {
                    String alias = keyAlias.getAlias();
                    Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> keyStoreFromDB2 = this.dbHelper.getKeyStoreFromDB(alias);
                    String masterAlias = keyStoreFromDB2.get().getMasterAlias();
                    String privateKey = keyStoreFromDB2.get().getPrivateKey();
                    if (alias.equals(masterAlias) || privateKey.equals(KeymanagerConstant.KS_PK_NA)) {
                        LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Not Allowed to generate New Key Pair for other domains.");
                        throw new KeymanagerServiceException(KeymanagerErrorConstant.GENERATION_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.GENERATION_NOT_ALLOWED.getErrorMessage());
                    }
                });
            }
            if (str.equalsIgnoreCase(KeymanagerConstant.ROOT)) {
                LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Not Allowed to generate Base Key for Root Key.");
                throw new KeymanagerServiceException(KeymanagerErrorConstant.GENERATION_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.GENERATION_NOT_ALLOWED.getErrorMessage());
            }
            this.dbHelper.getKeyPolicy(str);
            str3 = UUID.randomUUID().toString();
            KeyPair asymmetricKey = this.keyGenerator.getAsymmetricKey();
            PrivateKey privateKey = asymmetricKey.getPrivate();
            CertificateInfo<X509Certificate> certificateFromHSM = getCertificateFromHSM(str, localDateTime, "");
            PublicKey publicKey = certificateFromHSM.getCertificate().getPublicKey();
            String alias = certificateFromHSM.getAlias();
            LocalDateTime expiryPolicy = this.dbHelper.getExpiryPolicy(KeymanagerConstant.BASE_KEY_POLICY_CONST, localDateTime, keyAliases.get(KeymanagerConstant.KEYALIAS));
            try {
                String encodeBase64 = CryptoUtil.encodeBase64(this.keymanagerUtil.encryptKey(privateKey, publicKey));
                KeyStore.PrivateKeyEntry asymmetricKey2 = this.keyStore.getAsymmetricKey(alias);
                PrivateKey privateKey2 = asymmetricKey2.getPrivateKey();
                X500Principal subjectX500Principal = ((X509Certificate) asymmetricKey2.getCertificate()).getSubjectX500Principal();
                CertificateParameters certificateParameters = this.keymanagerUtil.getCertificateParameters(subjectX500Principal, localDateTime, expiryPolicy);
                certificateParameters.setCommonName(str + "-" + str2);
                x509Certificate = CertificateUtility.generateX509Certificate(privateKey2, asymmetricKey.getPublic(), certificateParameters, subjectX500Principal, this.signAlgorithm, this.keyStore.getKeystoreProviderName());
                this.dbHelper.storeKeyInDBStore(str3, alias, this.keymanagerUtil.getPEMFormatedData(x509Certificate), encodeBase64);
                this.dbHelper.storeKeyInAlias(str, localDateTime, str2, str3, expiryPolicy);
                this.keymanagerUtil.destoryKey(privateKey);
            } catch (InvalidDataException | InvalidKeyException | NullDataException | NullKeyException | NullMethodException e) {
                throw new CryptoException(KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorCode(), KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorMessage() + e.getErrorText());
            }
        }
        return new CertificateInfo<>(str3, x509Certificate);
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public SymmetricKeyResponseDto decryptSymmetricKey(SymmetricKeyRequestDto symmetricKeyRequestDto) {
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        String applicationId = symmetricKeyRequestDto.getApplicationId();
        String referenceId = symmetricKeyRequestDto.getReferenceId();
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "Request Application Id: " + applicationId);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "Request Reference Id: " + referenceId);
        Boolean prependThumbprint = symmetricKeyRequestDto.getPrependThumbprint();
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "prependThumbprint Value(Request): " + prependThumbprint);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "prependThumbprint Value: " + (prependThumbprint == null ? false : symmetricKeyRequestDto.getPrependThumbprint().booleanValue()));
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "1.1.3 Thumbprint support property flag: " + this.noThumbprint);
        byte[] decodeBase64 = CryptoUtil.decodeBase64(symmetricKeyRequestDto.getEncryptedSymmetricKey());
        return this.noThumbprint ? decryptSymmetricKeyNoKeyIdentifier(applicationId, referenceId, decodeBase64, uTCCurrentDateTime) : decryptSymmetricKeyWithKeyIdentifier(applicationId, referenceId, decodeBase64, uTCCurrentDateTime);
    }

    private SymmetricKeyResponseDto decryptSymmetricKeyWithKeyIdentifier(String str, String str2, byte[] bArr, LocalDateTime localDateTime) {
        byte[] copyOfRange = Arrays.copyOfRange(bArr, 0, 32);
        byte[] copyOfRange2 = Arrays.copyOfRange(bArr, 32, bArr.length);
        SymmetricKeyResponseDto symmetricKeyResponseDto = new SymmetricKeyResponseDto();
        symmetricKeyResponseDto.setSymmetricKey(CryptoUtil.encodeBase64(decryptSessionKey(str, str2, localDateTime, copyOfRange2, copyOfRange)));
        return symmetricKeyResponseDto;
    }

    private byte[] decryptSessionKey(String str, String str2, LocalDateTime localDateTime, byte[] bArr, byte[] bArr2) {
        Map<String, List<KeyAlias>> keyAliases;
        if (this.keymanagerUtil.isValidReferenceId(str2)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", VALID_REFERENCE_ID_GETTING_KEY_ALIAS_WITH_REFERENCE_ID);
            keyAliases = this.dbHelper.getKeyAliases(str, str2, localDateTime);
        } else {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", NOT_A_VALID_REFERENCE_ID_GETTING_KEY_ALIAS_WITHOUT_REFERENCE_ID);
            keyAliases = this.dbHelper.getKeyAliases(str, "", localDateTime);
        }
        Object[] keyObjects = getKeyObjects(keyAliases.get(KeymanagerConstant.KEYALIAS), keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS), localDateTime, str2, bArr2);
        PrivateKey privateKey = (PrivateKey) keyObjects[0];
        try {
            byte[] bArr3 = (byte[]) this.cryptoCore.asymmetricDecrypt(privateKey, ((Certificate) keyObjects[1]).getPublicKey(), bArr);
            this.keymanagerUtil.destoryKey(privateKey);
            return bArr3;
        } catch (InvalidKeyException e) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, KeymanagerConstant.REFERENCEID, "Error occurred because of mismatch with keys. Try with keys for decryption.");
            throw new CryptoException(KeymanagerErrorConstant.SYMMETRIC_KEY_DECRYPTION_FAILED.getErrorCode(), KeymanagerErrorConstant.SYMMETRIC_KEY_DECRYPTION_FAILED.getErrorMessage() + e.getMessage(), e);
        }
    }

    private SymmetricKeyResponseDto decryptSymmetricKeyNoKeyIdentifier(String str, String str2, byte[] bArr, LocalDateTime localDateTime) {
        byte[] bArr2;
        byte[] bArr3 = null;
        boolean z = false;
        if (bArr.length == 288) {
            bArr3 = Arrays.copyOfRange(bArr, 0, 32);
            bArr2 = Arrays.copyOfRange(bArr, 32, bArr.length);
            z = true;
        } else {
            bArr2 = bArr;
        }
        SymmetricKeyResponseDto symmetricKeyResponseDto = new SymmetricKeyResponseDto();
        symmetricKeyResponseDto.setSymmetricKey(CryptoUtil.encodeBase64(decryptSessionKey(str, str2, localDateTime, bArr2, bArr3, z)));
        return symmetricKeyResponseDto;
    }

    /* JADX WARN: Removed duplicated region for block: B:15:0x0100  */
    /* JADX WARN: Removed duplicated region for block: B:33:0x01a2  */
    /* JADX WARN: Removed duplicated region for block: B:35:0x01a5  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private byte[] decryptSessionKey(java.lang.String r9, java.lang.String r10, java.time.LocalDateTime r11, byte[] r12, byte[] r13, boolean r14) {
        /*
            Method dump skipped, instructions count: 424
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: io.mosip.kernel.keymanagerservice.service.impl.KeymanagerServiceImpl.decryptSessionKey(java.lang.String, java.lang.String, java.time.LocalDateTime, byte[], byte[], boolean):byte[]");
    }

    private Object[] getPrivateKeyNoKeyIdentifier(List<KeyAlias> list, List<KeyAlias> list2, LocalDateTime localDateTime, String str, byte[] bArr, boolean z) {
        if (!Objects.isNull(bArr) || z) {
            return getKeyObjects(list, list2, localDateTime, str, bArr);
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, list.get(0).getAlias(), "Thumbprint is value is null and packet Thumbprint Flag is true.");
        return getPrivateKey(str, list.get(0));
    }

    private Object[] getKeyObjects(List<KeyAlias> list, List<KeyAlias> list2, LocalDateTime localDateTime, String str, byte[] bArr) {
        if (list2.size() == 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, list2.get(0).getAlias(), "CurrentKeyAlias size is one. Will decrypt symmetric key with this alias after thumbprint matches.");
            Object[] privateKey = getPrivateKey(str, list2.get(0));
            if (bArr == null) {
                return privateKey;
            }
            if (Arrays.equals(bArr, this.cryptomanagerUtil.getCertificateThumbprint((Certificate) privateKey[1]))) {
                return privateKey;
            }
        }
        if ((list2.isEmpty() || list2.size() > 1) && bArr == null) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list2.size()), "CurrentKeyAlias is empty or not unique & certificate thumbprint is null. Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, "", "CurrentKeyAlias size is zero or thumbprint not matched now checking other expired key aliases to compare thumbprint.");
        Iterator<KeyAlias> it = list.iterator();
        while (it.hasNext()) {
            Object[] privateKey2 = getPrivateKey(str, it.next());
            if (Arrays.equals(bArr, this.cryptomanagerUtil.getCertificateThumbprint((Certificate) privateKey2[1]))) {
                return privateKey2;
            }
        }
        LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, "", "No Key Alias for the thumbprint provided, Throwing exception");
        throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
    }

    private Object[] getPrivateKey(String str, KeyAlias keyAlias) {
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.REFERENCEID, str, KeymanagerConstant.GETPRIVATEKEY);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.FETCHEDKEYALIAS, keyAlias.getAlias(), KeymanagerConstant.GETPRIVATEKEY);
        if (!this.keymanagerUtil.isValidReferenceId(str)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Not valid reference Id. Getting private key from HSM.");
            KeyStore.PrivateKeyEntry asymmetricKey = this.keyStore.getAsymmetricKey(keyAlias.getAlias());
            return new Object[]{asymmetricKey.getPrivateKey(), asymmetricKey.getCertificate()};
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Valid reference Id. Getting private key from DB Store");
        String alias = keyAlias.getAlias();
        Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> keyStoreFromDB = this.dbHelper.getKeyStoreFromDB(alias);
        if (!keyStoreFromDB.isPresent()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYFROMDB, keyStoreFromDB.toString(), "Key in DBStore does not exist for this alias. Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        String masterAlias = keyStoreFromDB.get().getMasterAlias();
        String privateKey = keyStoreFromDB.get().getPrivateKey();
        if (alias.equals(masterAlias) || privateKey.equals(KeymanagerConstant.KS_PK_NA)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Not Allowed to perform decryption with other domain key.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorMessage());
        }
        KeyStore.PrivateKeyEntry asymmetricKey2 = this.keyStore.getAsymmetricKey(keyStoreFromDB.get().getMasterAlias());
        try {
            return new Object[]{KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(this.keymanagerUtil.decryptKey(CryptoUtil.decodeBase64(keyStoreFromDB.get().getPrivateKey()), asymmetricKey2.getPrivateKey(), asymmetricKey2.getCertificate().getPublicKey()))), this.keymanagerUtil.convertToCertificate(keyStoreFromDB.get().getCertificateData())};
        } catch (InvalidDataException | InvalidKeyException | NullDataException | NullKeyException | NullMethodException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new CryptoException(KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorCode(), KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorMessage() + e.getMessage(), e);
        }
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public SignatureCertificate getSignatureCertificate(String str, Optional<String> optional, String str2) {
        return getSigningCertificate(str, optional, str2, true);
    }

    private SignatureCertificate getSigningCertificate(String str, Optional<String> optional, String str2, boolean z) {
        Map<String, List<KeyAlias>> keyAliases;
        String str3;
        String uuid;
        CertificateEntry<X509Certificate, PrivateKey> certificateEntry;
        LocalDateTime localDateTime;
        LocalDateTime expiryPolicy;
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        if (!optional.isPresent() || optional.get().trim().isEmpty()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", NOT_A_VALID_REFERENCE_ID_GETTING_KEY_ALIAS_WITHOUT_REFERENCE_ID);
            keyAliases = this.dbHelper.getKeyAliases(str, "", uTCCurrentDateTime);
            str3 = "";
        } else {
            if (!str.equalsIgnoreCase(this.signApplicationid) || !optional.isPresent() || !optional.get().equals(this.certificateSignRefID)) {
                LOGGER.error(KeymanagerConstant.SESSIONID, str, optional.get(), "Signing operation not allowed for the provided application Id & reference Id.");
                throw new KeymanagerServiceException(KeymanagerErrorConstant.NOT_VALID_SIGNATURE_KEY.getErrorCode(), KeymanagerErrorConstant.NOT_VALID_SIGNATURE_KEY.getErrorMessage());
            }
            LOGGER.info(KeymanagerConstant.SESSIONID, str, optional.get(), VALID_REFERENCE_ID_GETTING_KEY_ALIAS_WITH_REFERENCE_ID);
            keyAliases = this.dbHelper.getKeyAliases(str, optional.get(), uTCCurrentDateTime);
            str3 = optional.get();
        }
        List<KeyAlias> list = keyAliases.get(KeymanagerConstant.KEYALIAS);
        List<KeyAlias> list2 = keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list2.size() > 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list2.size()), "CurrentKeyAlias size more than one. Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (list2.size() == 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, list2.get(0).getAlias(), "CurrentKeyAlias size is one. Will fetch keypair using this alias");
            KeyAlias keyAlias = list2.get(0);
            uuid = keyAlias.getAlias();
            certificateEntry = getCertificateEntry(uuid, z);
            localDateTime = keyAlias.getKeyGenerationTime();
            expiryPolicy = keyAlias.getKeyExpiryTime();
        } else {
            if (!list2.isEmpty() || list.size() <= 0) {
                LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, String.valueOf(list.size()), "Initial Key generation process not completed.");
                throw new KeymanagerServiceException(KeymanagerErrorConstant.KEY_GENERATION_NOT_DONE.getErrorCode(), KeymanagerErrorConstant.KEY_GENERATION_NOT_DONE.getErrorMessage());
            }
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, list.get(0).getAlias(), "CurrentKeyAlias size is zero. Key got expired, generating new keypair using this App Id & Ref Id");
            uuid = UUID.randomUUID().toString();
            generateKeyPairInHSM(uuid, str, str3, uTCCurrentDateTime, list);
            certificateEntry = getCertificateEntry(uuid, z);
            localDateTime = uTCCurrentDateTime;
            expiryPolicy = this.dbHelper.getExpiryPolicy(str, localDateTime, list);
        }
        return new SignatureCertificate(uuid, certificateEntry, localDateTime, expiryPolicy, this.keyStore.getKeystoreProviderName());
    }

    private CertificateEntry<X509Certificate, PrivateKey> getCertificateEntry(String str, boolean z) {
        try {
            KeyStore.PrivateKeyEntry asymmetricKey = this.keyStore.getAsymmetricKey(str);
            return new CertificateEntry<>((X509Certificate[]) asymmetricKey.getCertificateChain(), asymmetricKey.getPrivateKey());
        } catch (KeystoreProcessingException | NoSuchSecurityProviderException e) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, "Error", "Key Not found in HSM, keystore might have loaded as offline." + e.getMessage());
            if (z) {
                throw e;
            }
            Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> keyStoreFromDB = this.dbHelper.getKeyStoreFromDB(str);
            if (keyStoreFromDB.isPresent()) {
                return new CertificateEntry<>(new X509Certificate[]{(X509Certificate) this.keymanagerUtil.convertToCertificate(keyStoreFromDB.get().getCertificateData())}, (Object) null);
            }
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, "", "Certificate Not found in keystore table.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.CERTIFICATE_NOT_FOUND.getErrorCode(), KeymanagerErrorConstant.CERTIFICATE_NOT_FOUND.getErrorMessage());
        }
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public PublicKeyResponse<String> getSignPublicKey(String str, String str2, Optional<String> optional) {
        SignatureCertificate signingCertificate = getSigningCertificate(str, optional, DateUtils.getUTCCurrentDateTimeString(), false);
        return new PublicKeyResponse<>(signingCertificate.getAlias(), CryptoUtil.encodeBase64(((X509Certificate[]) signingCertificate.getCertificateEntry().getChain())[0].getPublicKey().getEncoded()), signingCertificate.getIssuedAt(), signingCertificate.getExpiryAt());
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public KeyPairGenerateResponseDto generateMasterKey(String str, KeyPairGenerateRequestDto keyPairGenerateRequestDto) {
        String applicationId = keyPairGenerateRequestDto.getApplicationId();
        String referenceId = keyPairGenerateRequestDto.getReferenceId();
        Boolean force = keyPairGenerateRequestDto.getForce();
        Optional<KeyPolicy> keyPolicy = this.dbHelper.getKeyPolicy(applicationId);
        if (this.keymanagerUtil.isValidReferenceId(referenceId) && ((referenceId.equals(this.certificateSignRefID) && !applicationId.equals(this.signApplicationid)) || !referenceId.equals(this.certificateSignRefID))) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYPOLICY, keyPolicy.toString(), "Reference Id not supported for the provided application Id.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.REFERENCE_ID_NOT_SUPPORTED.getErrorCode(), KeymanagerErrorConstant.REFERENCE_ID_NOT_SUPPORTED.getErrorMessage());
        }
        if (this.keymanagerUtil.isValidResponseType(str)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, "", KeymanagerConstant.REQUEST_FOR_MASTER_KEY_GENERATION);
            return generateKey(str, applicationId, referenceId, force, keyPairGenerateRequestDto);
        }
        LOGGER.error(KeymanagerConstant.SESSIONID, "Response Object Type", (String) null, "Invalid Response Object type provided for the key generation request.");
        throw new KeymanagerServiceException(KeymanagerErrorConstant.INVALID_REQUEST.getErrorCode(), KeymanagerErrorConstant.INVALID_REQUEST.getErrorMessage());
    }

    private KeyPairGenerateResponseDto generateKey(String str, String str2, String str3, Boolean bool, KeyPairGenerateRequestDto keyPairGenerateRequestDto) {
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str2, "Generate Key for application ID: " + str2 + ", RefId: " + str3 + ", force flag: " + bool.toString());
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        Map<String, List<KeyAlias>> keyAliases = this.dbHelper.getKeyAliases(str2, str3, uTCCurrentDateTime);
        List<KeyAlias> list = keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS);
        if (bool.booleanValue()) {
            LOGGER.debug(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str2, "Force Flag is True, invalidating all the existing keys and generating new key pair.");
            LocalDateTime minusMinutes = uTCCurrentDateTime.minusMinutes(1L);
            list.forEach(keyAlias -> {
                this.dbHelper.storeKeyInAlias(str2, keyAlias.getKeyGenerationTime(), str3, keyAlias.getAlias(), minusMinutes);
            });
            return generateAndBuildResponse(str, str2, str3, uTCCurrentDateTime, keyAliases, keyPairGenerateRequestDto);
        }
        if (list.size() > 1) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size more than one");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (list.isEmpty()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size is zero. Will create new Keypair for this applicationId and timestamp");
            return generateAndBuildResponse(str, str2, str3, uTCCurrentDateTime, keyAliases, keyPairGenerateRequestDto);
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "key details present in DB" + list.get(0));
        KeyAlias keyAlias2 = list.get(0);
        return buildResponseObject(str, str2, str3, uTCCurrentDateTime, keyAlias2.getAlias(), keyAlias2.getKeyGenerationTime(), keyAlias2.getKeyExpiryTime(), keyPairGenerateRequestDto);
    }

    private KeyPairGenerateResponseDto generateAndBuildResponse(String str, String str2, String str3, LocalDateTime localDateTime, Map<String, List<KeyAlias>> map, KeyPairGenerateRequestDto keyPairGenerateRequestDto) {
        String uuid = UUID.randomUUID().toString();
        LocalDateTime expiryPolicy = this.dbHelper.getExpiryPolicy(str2, localDateTime, map.get(KeymanagerConstant.KEYALIAS));
        this.keyStore.generateAndStoreAsymmetricKey(uuid, getRootKeyAlias(str2, localDateTime), this.keymanagerUtil.getCertificateParameters(keyPairGenerateRequestDto, localDateTime, expiryPolicy));
        this.dbHelper.storeKeyInAlias(str2, localDateTime, str3, uuid, expiryPolicy);
        return buildResponseObject(str, str2, str3, localDateTime, uuid, localDateTime, expiryPolicy, keyPairGenerateRequestDto);
    }

    private String getRootKeyAlias(String str, LocalDateTime localDateTime) {
        List<KeyAlias> list = this.dbHelper.getKeyAliases(this.rootKeyApplicationId, "", localDateTime).get(KeymanagerConstant.CURRENTKEYALIAS);
        String str2 = null;
        if (list.size() > 1) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size more than one for ROOT Key");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (list.size() == 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size is one. Use the current root key alias as key to sign the key.");
            str2 = list.get(0).getAlias();
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.ROOT_KEY, "Found Root Key.", "Root Key for signing the new generated key: " + str2);
        if (!Objects.isNull(str2) || str.equals(this.rootKeyApplicationId)) {
            return str2;
        }
        LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.ROOT_KEY, "Root Key Error", "ROOT Key not available to sign the new generated key.");
        throw new KeymanagerServiceException(KeymanagerErrorConstant.ROOT_KEY_NOT_FOUND.getErrorCode(), KeymanagerErrorConstant.ROOT_KEY_NOT_FOUND.getErrorMessage());
    }

    private KeyPairGenerateResponseDto buildResponseObject(String str, String str2, String str3, LocalDateTime localDateTime, String str4, LocalDateTime localDateTime2, LocalDateTime localDateTime3, KeyPairGenerateRequestDto keyPairGenerateRequestDto) {
        if (str.toUpperCase().equals(KeymanagerConstant.REQUEST_TYPE_CERTIFICATE)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str2, "Getting Key Certificate for application ID: " + str2 + ", RefId: " + str3);
            X509Certificate x509Certificate = (X509Certificate) this.keyStore.getCertificate(str4);
            KeyPairGenerateResponseDto keyPairGenerateResponseDto = new KeyPairGenerateResponseDto();
            keyPairGenerateResponseDto.setCertificate(this.keymanagerUtil.getPEMFormatedData(x509Certificate));
            keyPairGenerateResponseDto.setExpiryAt(DateUtils.parseDateToLocalDateTime(x509Certificate.getNotAfter()));
            keyPairGenerateResponseDto.setIssuedAt(DateUtils.parseDateToLocalDateTime(x509Certificate.getNotBefore()));
            keyPairGenerateResponseDto.setTimestamp(localDateTime);
            return keyPairGenerateResponseDto;
        }
        if (!str.toUpperCase().equals(KeymanagerConstant.REQUEST_TYPE_CSR)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, "Response Object Type", (String) null, "Invalid Response Object type provided for the key pair");
            throw new InvalidResponseObjectTypeException(KeymanagerErrorConstant.INVALID_RESPONSE_TYPE.getErrorCode(), KeymanagerErrorConstant.INVALID_RESPONSE_TYPE.getErrorMessage());
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str2, "Getting Key CSR for application ID: " + str2 + ", RefId: " + str3);
        PublicKey publicKey = ((X509Certificate) this.keyStore.getCertificate(str4)).getPublicKey();
        PrivateKey privateKey = this.keyStore.getPrivateKey(str4);
        KeyPairGenerateResponseDto keyPairGenerateResponseDto2 = new KeyPairGenerateResponseDto();
        keyPairGenerateResponseDto2.setCertSignRequest(this.keymanagerUtil.getCSR(privateKey, publicKey, this.keymanagerUtil.getCertificateParameters(keyPairGenerateRequestDto, localDateTime2, localDateTime3)));
        keyPairGenerateResponseDto2.setExpiryAt(localDateTime3);
        keyPairGenerateResponseDto2.setIssuedAt(localDateTime2);
        keyPairGenerateResponseDto2.setTimestamp(localDateTime);
        return keyPairGenerateResponseDto2;
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public KeyPairGenerateResponseDto getCertificate(String str, Optional<String> optional) {
        CertificateInfo<X509Certificate> certificateFromHSM;
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str, KeymanagerConstant.GET_CERTIFICATE);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.REFERENCEID, optional.toString(), KeymanagerConstant.GET_CERTIFICATE);
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        if (!optional.isPresent() || optional.get().trim().isEmpty()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Reference Id is not present. Will get Certificate from HSM");
            certificateFromHSM = getCertificateFromHSM(str, uTCCurrentDateTime, "");
        } else if (str.equalsIgnoreCase(this.signApplicationid) && optional.isPresent() && optional.get().equals(this.certificateSignRefID)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Reference Id is present and it is SIGN reference. Will get Certificate from HSM");
            certificateFromHSM = getCertificateFromHSM(str, uTCCurrentDateTime, optional.get());
        } else {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Reference Id is present. Will get Certificate from DB store");
            certificateFromHSM = getCertificateFromDBStore(str, uTCCurrentDateTime, optional.get());
        }
        X509Certificate certificate = certificateFromHSM.getCertificate();
        KeyPairGenerateResponseDto keyPairGenerateResponseDto = new KeyPairGenerateResponseDto();
        keyPairGenerateResponseDto.setCertificate(this.keymanagerUtil.getPEMFormatedData(certificate));
        keyPairGenerateResponseDto.setExpiryAt(DateUtils.parseDateToLocalDateTime(certificate.getNotAfter()));
        keyPairGenerateResponseDto.setIssuedAt(DateUtils.parseDateToLocalDateTime(certificate.getNotBefore()));
        keyPairGenerateResponseDto.setTimestamp(uTCCurrentDateTime);
        return keyPairGenerateResponseDto;
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public KeyPairGenerateResponseDto generateCSR(CSRGenerateRequestDto cSRGenerateRequestDto) {
        CertificateInfo<X509Certificate> certificateFromHSM;
        String applicationId = cSRGenerateRequestDto.getApplicationId();
        Optional ofNullable = Optional.ofNullable(cSRGenerateRequestDto.getReferenceId());
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        if (!ofNullable.isPresent() || ((String) ofNullable.get()).trim().isEmpty()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Reference Id is not present. Will get Certificate from HSM");
            certificateFromHSM = getCertificateFromHSM(applicationId, uTCCurrentDateTime, "");
        } else if (applicationId.equalsIgnoreCase(this.signApplicationid) && ofNullable.isPresent() && ((String) ofNullable.get()).equals(this.certificateSignRefID)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Reference Id is present and it is SIGN reference. Will get Certificate from HSM");
            certificateFromHSM = getCertificateFromHSM(applicationId, uTCCurrentDateTime, (String) ofNullable.get());
        } else {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Reference Id is present. Will get Certificate from DB store");
            certificateFromHSM = getCertificateFromDBStore(applicationId, uTCCurrentDateTime, (String) ofNullable.get());
        }
        String alias = certificateFromHSM.getAlias();
        Object[] keyDetails = getKeyDetails(this.dbHelper.getKeyStoreFromDB(alias), alias);
        PrivateKey privateKey = (PrivateKey) keyDetails[0];
        X509Certificate x509Certificate = (X509Certificate) keyDetails[1];
        LocalDateTime parseDateToLocalDateTime = DateUtils.parseDateToLocalDateTime(x509Certificate.getNotBefore());
        LocalDateTime parseDateToLocalDateTime2 = DateUtils.parseDateToLocalDateTime(x509Certificate.getNotAfter());
        CertificateParameters certificateParameters = this.keymanagerUtil.getCertificateParameters(cSRGenerateRequestDto, parseDateToLocalDateTime, parseDateToLocalDateTime2);
        KeyPairGenerateResponseDto keyPairGenerateResponseDto = new KeyPairGenerateResponseDto();
        keyPairGenerateResponseDto.setCertSignRequest(this.keymanagerUtil.getCSR(privateKey, x509Certificate.getPublicKey(), certificateParameters));
        keyPairGenerateResponseDto.setExpiryAt(parseDateToLocalDateTime2);
        keyPairGenerateResponseDto.setIssuedAt(parseDateToLocalDateTime);
        keyPairGenerateResponseDto.setTimestamp(uTCCurrentDateTime);
        if (ofNullable.isPresent() || !((String) ofNullable.get()).trim().isEmpty()) {
            this.keymanagerUtil.destoryKey(privateKey);
        }
        return keyPairGenerateResponseDto;
    }

    private KeyAlias getKeyAlias(String str, String str2) {
        if (!this.keymanagerUtil.isValidApplicationId(str)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Invalid application ID provided to get Object details.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.INVALID_REQUEST.getErrorCode(), KeymanagerErrorConstant.INVALID_REQUEST.getErrorMessage());
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, str, "to get KeyInfo for application ID: " + str + ", RefId: " + str2);
        this.dbHelper.getKeyPolicy(str);
        List<KeyAlias> list = this.dbHelper.getKeyAliases(str, str2, DateUtils.getUTCCurrentDateTime()).get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list.size() > 1) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size more than one");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (list.isEmpty()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size is zero for this applicationId and timestamp");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "key details present in DB: " + list.get(0));
        return list.get(0);
    }

    private Object[] getKeyDetails(Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> optional, String str) {
        if (!optional.isPresent()) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYFROMDB, optional.toString(), "Key in DBStore does not exist for this alias. So fetching the certificate from HSM.");
            KeyStore.PrivateKeyEntry asymmetricKey = this.keyStore.getAsymmetricKey(str);
            return new Object[]{asymmetricKey.getPrivateKey(), (X509Certificate) asymmetricKey.getCertificate()};
        }
        KeyStore.PrivateKeyEntry asymmetricKey2 = this.keyStore.getAsymmetricKey(optional.get().getMasterAlias());
        try {
            return new Object[]{KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(this.keymanagerUtil.decryptKey(CryptoUtil.decodeBase64(optional.get().getPrivateKey()), asymmetricKey2.getPrivateKey(), asymmetricKey2.getCertificate().getPublicKey()))), (X509Certificate) this.keymanagerUtil.convertToCertificate(optional.get().getCertificateData())};
        } catch (InvalidDataException | InvalidKeyException | NullDataException | NullKeyException | NullMethodException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new CryptoException(KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorCode(), KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorMessage() + e.getMessage(), e);
        }
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public UploadCertificateResponseDto uploadCertificate(UploadCertificateRequestDto uploadCertificateRequestDto) {
        String applicationId = uploadCertificateRequestDto.getApplicationId();
        String referenceId = uploadCertificateRequestDto.getReferenceId();
        String certificateData = uploadCertificateRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Invalid Certificate Data provided to upload the certificate.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.INVALID_REQUEST.getErrorCode(), KeymanagerErrorConstant.INVALID_REQUEST.getErrorMessage());
        }
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        String alias = getKeyAlias(applicationId, referenceId).getAlias();
        Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> keyStoreFromDB = this.dbHelper.getKeyStoreFromDB(alias);
        Object[] keyDetails = getKeyDetails(keyStoreFromDB, alias);
        PrivateKey privateKey = (PrivateKey) keyDetails[0];
        X509Certificate x509Certificate = (X509Certificate) keyDetails[1];
        X509Certificate x509Certificate2 = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData);
        if (!Arrays.equals(x509Certificate.getPublicKey().getEncoded(), x509Certificate2.getPublicKey().getEncoded())) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Certificate Key is not matching with the available key.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.KEY_NOT_MATCHING.getErrorCode(), KeymanagerErrorConstant.KEY_NOT_MATCHING.getErrorMessage());
        }
        LocalDateTime convertToUTC = this.keymanagerUtil.convertToUTC(x509Certificate2.getNotBefore());
        LocalDateTime convertToUTC2 = this.keymanagerUtil.convertToUTC(x509Certificate2.getNotAfter());
        if (keyStoreFromDB.isPresent()) {
            this.dbHelper.storeKeyInDBStore(alias, keyStoreFromDB.get().getMasterAlias(), this.keymanagerUtil.getPEMFormatedData(x509Certificate2), keyStoreFromDB.get().getPrivateKey());
        } else {
            this.keyStore.storeCertificate(alias, privateKey, x509Certificate2);
        }
        this.dbHelper.storeKeyInAlias(applicationId, convertToUTC, referenceId, alias, convertToUTC2);
        UploadCertificateResponseDto uploadCertificateResponseDto = new UploadCertificateResponseDto();
        uploadCertificateResponseDto.setStatus(KeymanagerConstant.UPLOAD_SUCCESS);
        uploadCertificateResponseDto.setTimestamp(uTCCurrentDateTime);
        return uploadCertificateResponseDto;
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public UploadCertificateResponseDto uploadOtherDomainCertificate(UploadCertificateRequestDto uploadCertificateRequestDto) {
        String applicationId = uploadCertificateRequestDto.getApplicationId();
        String referenceId = uploadCertificateRequestDto.getReferenceId();
        String certificateData = uploadCertificateRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData) || !this.keymanagerUtil.isValidReferenceId(referenceId) || !this.keymanagerUtil.isValidApplicationId(applicationId)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Invalid Data provided to upload other domain certificate.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.INVALID_REQUEST.getErrorCode(), KeymanagerErrorConstant.INVALID_REQUEST.getErrorMessage());
        }
        if (applicationId.equalsIgnoreCase(this.signApplicationid) && referenceId.equalsIgnoreCase(this.certificateSignRefID)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Not allowed to uploaded AppId: KERNEL & RefId: SIGN.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorMessage());
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, applicationId, "to get KeyInfo for application ID: " + applicationId + ", RefId: " + referenceId);
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        Map<String, List<KeyAlias>> keyAliases = this.dbHelper.getKeyAliases(applicationId, referenceId, uTCCurrentDateTime);
        List<KeyAlias> list = keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list.size() > 1) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size more than one");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        List<KeyAlias> list2 = keyAliases.get(KeymanagerConstant.KEYALIAS);
        X509Certificate x509Certificate = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData);
        LocalDateTime convertToUTC = this.keymanagerUtil.convertToUTC(x509Certificate.getNotBefore());
        LocalDateTime convertToUTC2 = this.keymanagerUtil.convertToUTC(x509Certificate.getNotAfter());
        if (list.isEmpty() && list2.isEmpty()) {
            return storeAndBuildResponse(applicationId, referenceId, x509Certificate, convertToUTC, convertToUTC2);
        }
        if (list.isEmpty() && list2.size() > 0) {
            if (this.dbHelper.getKeyStoreFromDB(list2.get(0).getAlias()).isPresent()) {
                return storeAndBuildResponse(applicationId, referenceId, x509Certificate, convertToUTC, convertToUTC2);
            }
            LOGGER.error(KeymanagerConstant.SESSIONID, "", "", "Other valid key is available, so not allowed to upload certificate.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorMessage());
        }
        String alias = list.get(0).getAlias();
        Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> keyStoreFromDB = this.dbHelper.getKeyStoreFromDB(alias);
        if (!keyStoreFromDB.isPresent() && list.size() == 1) {
            LOGGER.error(KeymanagerConstant.SESSIONID, "", "", "Other valid key is available, so not allowed to upload certificate.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorMessage());
        }
        String masterAlias = keyStoreFromDB.get().getMasterAlias();
        String privateKey = keyStoreFromDB.get().getPrivateKey();
        if (!alias.equals(masterAlias) || !privateKey.equals(KeymanagerConstant.KS_PK_NA)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Not Allowed to update certificate for other domains.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.UPLOAD_NOT_ALLOWED.getErrorMessage());
        }
        this.dbHelper.storeKeyInAlias(applicationId, list.get(0).getKeyGenerationTime(), referenceId, alias, uTCCurrentDateTime.minusMinutes(1L));
        return storeAndBuildResponse(applicationId, referenceId, x509Certificate, convertToUTC, convertToUTC2);
    }

    private UploadCertificateResponseDto storeAndBuildResponse(String str, String str2, X509Certificate x509Certificate, LocalDateTime localDateTime, LocalDateTime localDateTime2) {
        String uuid = UUID.randomUUID().toString();
        this.dbHelper.storeKeyInDBStore(uuid, uuid, this.keymanagerUtil.getPEMFormatedData(x509Certificate), KeymanagerConstant.KS_PK_NA);
        this.dbHelper.storeKeyInAlias(str, localDateTime, str2, uuid, localDateTime2);
        UploadCertificateResponseDto uploadCertificateResponseDto = new UploadCertificateResponseDto();
        uploadCertificateResponseDto.setStatus(KeymanagerConstant.UPLOAD_SUCCESS);
        uploadCertificateResponseDto.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return uploadCertificateResponseDto;
    }

    @Override // io.mosip.kernel.keymanagerservice.service.KeymanagerService
    public SymmetricKeyGenerateResponseDto generateSymmetricKey(SymmetricKeyGenerateRequestDto symmetricKeyGenerateRequestDto) {
        String applicationId = symmetricKeyGenerateRequestDto.getApplicationId();
        String referenceId = symmetricKeyGenerateRequestDto.getReferenceId();
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, applicationId, KeymanagerConstant.REQ_SYM_KEY_GEN);
        if (!this.keymanagerUtil.isValidReferenceId(referenceId) || !this.keymanagerUtil.isValidApplicationId(applicationId)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Invalid Data provided to generate symmetric key.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.INVALID_REQUEST.getErrorCode(), KeymanagerErrorConstant.INVALID_REQUEST.getErrorMessage());
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, applicationId, "to get KeyInfo for application ID: " + applicationId + ", RefId: " + referenceId);
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        List<KeyAlias> list = this.dbHelper.getKeyAliases(applicationId, referenceId, uTCCurrentDateTime).get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list.size() > 1) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "CurrentKeyAlias size more than one");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (!symmetricKeyGenerateRequestDto.getForce().booleanValue()) {
            return list.size() == 1 ? buildSymGenKeyRespObject(uTCCurrentDateTime, KeymanagerConstant.SYMM_KEY_EXISTS) : generateAndBuildResponse(applicationId, referenceId, uTCCurrentDateTime);
        }
        LOGGER.debug(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, applicationId, "Force Flag is True, Invalidating the existing key and generating new key.");
        LocalDateTime minusMinutes = uTCCurrentDateTime.minusMinutes(1L);
        list.forEach(keyAlias -> {
            this.dbHelper.storeKeyInAlias(applicationId, keyAlias.getKeyGenerationTime(), referenceId, keyAlias.getAlias(), minusMinutes);
        });
        return generateAndBuildResponse(applicationId, referenceId, uTCCurrentDateTime);
    }

    private SymmetricKeyGenerateResponseDto generateAndBuildResponse(String str, String str2, LocalDateTime localDateTime) {
        String uuid = UUID.randomUUID().toString();
        LocalDateTime plusDays = localDateTime.plusDays(3650L);
        this.keyStore.generateAndStoreSymmetricKey(uuid);
        this.dbHelper.storeKeyInAlias(str, localDateTime, str2, uuid, plusDays);
        return buildSymGenKeyRespObject(localDateTime, KeymanagerConstant.GENERATE_SUCCESS);
    }

    private SymmetricKeyGenerateResponseDto buildSymGenKeyRespObject(LocalDateTime localDateTime, String str) {
        SymmetricKeyGenerateResponseDto symmetricKeyGenerateResponseDto = new SymmetricKeyGenerateResponseDto();
        symmetricKeyGenerateResponseDto.setStatus(str);
        symmetricKeyGenerateResponseDto.setTimestamp(localDateTime);
        return symmetricKeyGenerateResponseDto;
    }
}
