package io.mosip.kernel.zkcryptoservice.service.impl;

import io.mosip.kernel.core.crypto.spi.CryptoCoreSpec;
import io.mosip.kernel.core.keymanager.spi.KeyStore;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.cryptomanager.util.CryptomanagerUtils;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyRequestDto;
import io.mosip.kernel.keymanagerservice.entity.KeyAlias;
import io.mosip.kernel.keymanagerservice.exception.NoUniqueAliasException;
import io.mosip.kernel.keymanagerservice.helper.KeymanagerDBHelper;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.repository.DataEncryptKeystoreRepository;
import io.mosip.kernel.keymanagerservice.repository.KeyStoreRepository;
import io.mosip.kernel.keymanagerservice.service.KeymanagerService;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import io.mosip.kernel.zkcryptoservice.constant.ZKCryptoErrorConstants;
import io.mosip.kernel.zkcryptoservice.constant.ZKCryptoManagerConstants;
import io.mosip.kernel.zkcryptoservice.dto.CryptoDataDto;
import io.mosip.kernel.zkcryptoservice.dto.ReEncryptRandomKeyResponseDto;
import io.mosip.kernel.zkcryptoservice.dto.ZKCryptoRequestDto;
import io.mosip.kernel.zkcryptoservice.dto.ZKCryptoResponseDto;
import io.mosip.kernel.zkcryptoservice.exception.ZKCryptoException;
import io.mosip.kernel.zkcryptoservice.exception.ZKKeyDerivationException;
import io.mosip.kernel.zkcryptoservice.exception.ZKRandomKeyDecryptionException;
import io.mosip.kernel.zkcryptoservice.service.spi.ZKCryptoManagerService;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ThreadLocalRandom;
import java.util.stream.Stream;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional
@Service
/* loaded from: input_file:io/mosip/kernel/zkcryptoservice/service/impl/ZKCryptoManagerServiceImpl.class */
public class ZKCryptoManagerServiceImpl implements ZKCryptoManagerService, InitializingBean {
    private static final Logger LOGGER = KeymanagerLogger.getLogger(ZKCryptoManagerServiceImpl.class);

    @Value("${mosip.kernel.crypto.symmetric-algorithm-name}")
    private String aesGCMTransformation;

    @Value("${mosip.kernel.zkcrypto.masterkey.application.id}")
    private String masterKeyAppId;

    @Value("${mosip.kernel.zkcrypto.masterkey.reference.id}")
    private String masterKeyRefId;

    @Value("${mosip.kernel.zkcrypto.publickey.application.id}")
    private String pubKeyApplicationId;

    @Value("${mosip.kernel.zkcrypto.publickey.reference.id}")
    private String pubKeyReferenceId;

    @Value("${mosip.kernel.zkcrypto.wrap.algorithm-name}")
    private String aesECBTransformation;

    @Value("${mosip.kernel.zkcrypto.derive.encrypt.algorithm-name}")
    private String aesECBPKCS5Transformation;

    @Autowired
    private DataEncryptKeystoreRepository dataEncryptKeystoreRepository;

    @Autowired
    private KeymanagerDBHelper dbHelper;

    @Autowired
    private KeyStoreRepository keyStoreRepository;

    @Autowired
    private KeyStore keyStore;

    @Autowired
    KeymanagerUtil keymanagerUtil;

    @Autowired
    private KeymanagerService keyManagerService;

    @Autowired
    CryptomanagerUtils cryptomanagerUtil;

    @Autowired
    private CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCore;

    public void afterPropertiesSet() throws Exception {
        for (int i = 0; i < 3; i++) {
            try {
                LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.ZK_ENCRYPT, "", "Temporary solution to handle the first time decryption failure.");
                getDecryptedRandomKey("Tk8tU0VDRVJULUFWQUlMQUJMRS1URU1QLUZJWElORy0=");
            } catch (Throwable th) {
            }
        }
    }

    @Override // io.mosip.kernel.zkcryptoservice.service.spi.ZKCryptoManagerService
    public ZKCryptoResponseDto zkEncrypt(ZKCryptoRequestDto zKCryptoRequestDto) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.ZK_ENCRYPT, "", "Zero Knowledge Encryption.");
        String id = zKCryptoRequestDto.getId();
        Stream<CryptoDataDto> stream = zKCryptoRequestDto.getZkDataAttributes().stream();
        int randomKeyIndex = getRandomKeyIndex();
        Key decryptedRandomKey = getDecryptedRandomKey(this.dataEncryptKeystoreRepository.findKeyById(Integer.valueOf(randomKeyIndex)));
        Key derivedKey = getDerivedKey(id, decryptedRandomKey);
        SecureRandom secureRandom = new SecureRandom();
        ArrayList arrayList = new ArrayList();
        stream.forEach(cryptoDataDto -> {
            String identifier = cryptoDataDto.getIdentifier();
            byte[] bytes = cryptoDataDto.getValue().getBytes();
            byte[] bArr = new byte[12];
            byte[] bArr2 = new byte[32];
            secureRandom.nextBytes(bArr);
            secureRandom.nextBytes(bArr2);
            arrayList.add(getResponseCryptoData(doCipherOps(derivedKey, bytes, 1, bArr, bArr2), getIndexBytes(randomKeyIndex), bArr, bArr2, identifier));
        });
        ZKCryptoResponseDto zKCryptoResponseDto = new ZKCryptoResponseDto();
        zKCryptoResponseDto.setRankomKeyIndex(Integer.toString(randomKeyIndex));
        zKCryptoResponseDto.setZkDataAttributes(arrayList);
        zKCryptoResponseDto.setEncryptedRandomKey(encryptRandomKey(decryptedRandomKey));
        this.keymanagerUtil.destoryKey((SecretKey) decryptedRandomKey);
        return zKCryptoResponseDto;
    }

    @Override // io.mosip.kernel.zkcryptoservice.service.spi.ZKCryptoManagerService
    public ZKCryptoResponseDto zkDecrypt(ZKCryptoRequestDto zKCryptoRequestDto) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.ZK_DECRYPT, "", "Zero Knowledge Decryption.");
        String id = zKCryptoRequestDto.getId();
        Stream<CryptoDataDto> stream = zKCryptoRequestDto.getZkDataAttributes().stream();
        ArrayList arrayList = new ArrayList();
        stream.forEach(cryptoDataDto -> {
            String identifier = cryptoDataDto.getIdentifier();
            byte[] decodeBase64 = CryptoUtil.decodeBase64(cryptoDataDto.getValue());
            byte[] copyOfRange = Arrays.copyOfRange(decodeBase64, 0, 4);
            byte[] copyOfRange2 = Arrays.copyOfRange(decodeBase64, 4, 16);
            byte[] copyOfRange3 = Arrays.copyOfRange(decodeBase64, 16, 48);
            byte[] copyOfRange4 = Arrays.copyOfRange(decodeBase64, 48, decodeBase64.length);
            Key decryptedRandomKey = getDecryptedRandomKey(this.dataEncryptKeystoreRepository.findKeyById(Integer.valueOf(getIndexInt(copyOfRange))));
            arrayList.add(getResponseCryptoData(doCipherOps(getDerivedKey(id, decryptedRandomKey), copyOfRange4, 2, copyOfRange2, copyOfRange3), identifier));
            this.keymanagerUtil.destoryKey((SecretKey) decryptedRandomKey);
        });
        ZKCryptoResponseDto zKCryptoResponseDto = new ZKCryptoResponseDto();
        zKCryptoResponseDto.setZkDataAttributes(arrayList);
        return zKCryptoResponseDto;
    }

    private int getRandomKeyIndex() {
        List<Integer> idsByKeyStatus = this.dataEncryptKeystoreRepository.getIdsByKeyStatus(ZKCryptoManagerConstants.ACTIVE_STATUS);
        return idsByKeyStatus.get(ThreadLocalRandom.current().nextInt(0, idsByKeyStatus.size() + 1)).intValue();
    }

    private int getIndexInt(byte[] bArr) {
        return ByteBuffer.wrap(bArr).getInt();
    }

    private Key getDecryptedRandomKey(String str) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.RANDOM_KEY, ZKCryptoManagerConstants.RANDOM_KEY, "Random Key Decryption.");
        byte[] doFinal = doFinal(str, 2);
        return new SecretKeySpec(doFinal, 0, doFinal.length, "AES");
    }

    private String getEncryptedRandomKey(String str) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.RANDOM_KEY, ZKCryptoManagerConstants.RANDOM_KEY, "Random Key Encryption.");
        return Base64.getEncoder().encodeToString(doFinal(str, 1));
    }

    private byte[] doFinal(String str, int i) {
        try {
            Cipher cipher = Cipher.getInstance(this.aesECBTransformation);
            byte[] decode = Base64.getDecoder().decode(str);
            cipher.init(i, getMasterKeyFromHSM());
            return cipher.doFinal(decode, 0, decode.length);
        } catch (IllegalArgumentException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            LOGGER.error(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.RANDOM_KEY, "", "Error Cipher Operations of Random Key.");
            throw new ZKKeyDerivationException(ZKCryptoErrorConstants.RANDOM_KEY_CIPHER_FAILED.getErrorCode(), ZKCryptoErrorConstants.RANDOM_KEY_CIPHER_FAILED.getErrorMessage());
        }
    }

    private Key getDerivedKey(String str, Key key) {
        try {
            LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.DERIVE_KEY, ZKCryptoManagerConstants.DERIVE_KEY, "Derive key with Random Key.");
            byte[] bytes = str.getBytes();
            MessageDigest messageDigest = MessageDigest.getInstance(ZKCryptoManagerConstants.HASH_ALGO);
            messageDigest.update(bytes, 0, bytes.length);
            byte[] digest = messageDigest.digest();
            Cipher cipher = Cipher.getInstance(this.aesECBTransformation);
            cipher.init(1, key);
            byte[] doFinal = cipher.doFinal(digest, 0, digest.length);
            return new SecretKeySpec(doFinal, 0, doFinal.length, "AES");
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            LOGGER.error(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.DERIVE_KEY, "", "Error Deriving Key with Random Key." + e.getMessage());
            throw new ZKRandomKeyDecryptionException(ZKCryptoErrorConstants.KEY_DERIVATION_ERROR.getErrorCode(), ZKCryptoErrorConstants.KEY_DERIVATION_ERROR.getErrorMessage());
        }
    }

    private Key getMasterKeyFromHSM() {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.MASTER_KEY, ZKCryptoManagerConstants.RANDOM_KEY, "Retrieve Master Key from HSM.");
        String keyAlias = getKeyAlias(this.masterKeyAppId, this.masterKeyRefId);
        if (Objects.nonNull(keyAlias)) {
            return this.keyStore.getSymmetricKey(keyAlias);
        }
        LOGGER.error(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.MASTER_KEY, ZKCryptoManagerConstants.MASTER_KEY, "No Key Alias found.");
        throw new NoUniqueAliasException(ZKCryptoErrorConstants.NO_UNIQUE_ALIAS.getErrorCode(), ZKCryptoErrorConstants.NO_UNIQUE_ALIAS.getErrorMessage());
    }

    private String getKeyAlias(String str, String str2) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.MASTER_KEY, ZKCryptoManagerConstants.RANDOM_KEY, "Retrieve Master Key Alias from DB.");
        List<KeyAlias> list = this.dbHelper.getKeyAliases(str, str2, DateUtils.getUTCCurrentDateTime()).get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list.isEmpty() || list.size() != 1) {
            LOGGER.error(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.MASTER_KEY, ZKCryptoManagerConstants.RANDOM_KEY, "CurrentKeyAlias is not unique. KeyAlias count: " + list.size());
            throw new NoUniqueAliasException(ZKCryptoErrorConstants.NO_UNIQUE_ALIAS.getErrorCode(), ZKCryptoErrorConstants.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.MASTER_CURRENT_ALIAS, "getKeyAlias", "CurrentKeyAlias size is one. Will decrypt random symmetric key for this alias");
        return list.get(0).getAlias();
    }

    private byte[] doCipherOps(Key key, byte[] bArr, int i, byte[] bArr2, byte[] bArr3) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.DATA_CIPHER, "", "Data Encryption/Decryption Process");
        try {
            Cipher cipher = Cipher.getInstance(this.aesGCMTransformation);
            cipher.init(i, key, new GCMParameterSpec(128, bArr2));
            cipher.updateAAD(bArr3);
            return cipher.doFinal(bArr, 0, bArr.length);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            LOGGER.error(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.DATA_CIPHER, ZKCryptoManagerConstants.DATA_CIPHER, "Error Ciphering inputed data." + e.getMessage());
            throw new ZKCryptoException(ZKCryptoErrorConstants.DATA_CIPHER_OPS_ERROR.getErrorCode(), ZKCryptoErrorConstants.DATA_CIPHER_OPS_ERROR.getErrorMessage());
        }
    }

    private byte[] getIndexBytes(int i) {
        ByteBuffer allocate = ByteBuffer.allocate(4);
        allocate.putInt(i);
        return allocate.array();
    }

    private CryptoDataDto getResponseCryptoData(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4, String str) {
        byte[] bArr5 = new byte[bArr.length + bArr2.length + 32 + 12];
        System.arraycopy(bArr2, 0, bArr5, 0, bArr2.length);
        System.arraycopy(bArr3, 0, bArr5, bArr2.length, bArr3.length);
        System.arraycopy(bArr4, 0, bArr5, bArr2.length + bArr3.length, bArr4.length);
        System.arraycopy(bArr, 0, bArr5, bArr2.length + bArr3.length + bArr4.length, bArr.length);
        String encodeBase64 = CryptoUtil.encodeBase64(bArr5);
        CryptoDataDto cryptoDataDto = new CryptoDataDto();
        cryptoDataDto.setIdentifier(str);
        cryptoDataDto.setValue(encodeBase64);
        return cryptoDataDto;
    }

    private CryptoDataDto getResponseCryptoData(byte[] bArr, String str) {
        String str2 = new String(bArr);
        CryptoDataDto cryptoDataDto = new CryptoDataDto();
        cryptoDataDto.setIdentifier(str);
        cryptoDataDto.setValue(str2);
        return cryptoDataDto;
    }

    private String encryptRandomKey(Key key) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.ENCRYPT_RANDOM_KEY, "", "Encrypting Random Key with Public Key.");
        Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> findByAlias = this.keyStoreRepository.findByAlias(getKeyAlias(this.pubKeyApplicationId, this.pubKeyReferenceId));
        if (!findByAlias.isPresent()) {
            LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.ENCRYPT_RANDOM_KEY, ZKCryptoManagerConstants.ENCRYPT_RANDOM_KEY, "Key in DBStore does not exist for this alias. Throwing exception");
            throw new NoUniqueAliasException(ZKCryptoErrorConstants.NO_UNIQUE_ALIAS.getErrorCode(), ZKCryptoErrorConstants.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        X509Certificate x509Certificate = (X509Certificate) this.keymanagerUtil.convertToCertificate(findByAlias.get().getCertificateData());
        byte[] bArr = (byte[]) this.cryptoCore.asymmetricEncrypt(x509Certificate.getPublicKey(), key.getEncoded());
        return CryptoUtil.encodeBase64(this.cryptomanagerUtil.concatCertThumbprint(this.cryptomanagerUtil.getCertificateThumbprint(x509Certificate), bArr));
    }

    @Override // io.mosip.kernel.zkcryptoservice.service.spi.ZKCryptoManagerService
    public ReEncryptRandomKeyResponseDto zkReEncryptRandomKey(String str) {
        LOGGER.info(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.RE_ENCRYPT_RANDOM_KEY, "", "Re-Encrypt Random Key.");
        if (str == null || str.trim().isEmpty()) {
            LOGGER.error(ZKCryptoManagerConstants.SESSIONID, ZKCryptoManagerConstants.RE_ENCRYPT_RANDOM_KEY, ZKCryptoManagerConstants.RE_ENCRYPT_RANDOM_KEY, "Invalid Encrypted Key input.");
            throw new ZKCryptoException(ZKCryptoErrorConstants.INVALID_ENCRYPTED_RANDOM_KEY.getErrorCode(), ZKCryptoErrorConstants.INVALID_ENCRYPTED_RANDOM_KEY.getErrorMessage());
        }
        String encryptedRandomKey = getEncryptedRandomKey(Base64.getEncoder().encodeToString(CryptoUtil.decodeBase64(this.keyManagerService.decryptSymmetricKey(new SymmetricKeyRequestDto(this.pubKeyApplicationId, DateUtils.getUTCCurrentDateTime(), this.pubKeyReferenceId, str, true)).getSymmetricKey())));
        ReEncryptRandomKeyResponseDto reEncryptRandomKeyResponseDto = new ReEncryptRandomKeyResponseDto();
        reEncryptRandomKeyResponseDto.setEncryptedKey(encryptedRandomKey);
        return reEncryptRandomKeyResponseDto;
    }
}
