package io.mosip.kernel.keymigrate.service.impl;

import io.mosip.kernel.core.crypto.exception.InvalidDataException;
import io.mosip.kernel.core.crypto.spi.CryptoCoreSpec;
import io.mosip.kernel.core.keymanager.spi.KeyStore;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.cryptomanager.util.CryptomanagerUtils;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerErrorConstant;
import io.mosip.kernel.keymanagerservice.entity.DataEncryptKeystore;
import io.mosip.kernel.keymanagerservice.entity.KeyAlias;
import io.mosip.kernel.keymanagerservice.exception.NoUniqueAliasException;
import io.mosip.kernel.keymanagerservice.helper.KeymanagerDBHelper;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.repository.DataEncryptKeystoreRepository;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import io.mosip.kernel.keymigrate.constant.KeyMigratorConstants;
import io.mosip.kernel.keymigrate.dto.KeyMigrateBaseKeyRequestDto;
import io.mosip.kernel.keymigrate.dto.KeyMigrateBaseKeyResponseDto;
import io.mosip.kernel.keymigrate.dto.ZKKeyDataDto;
import io.mosip.kernel.keymigrate.dto.ZKKeyMigrateCertficateResponseDto;
import io.mosip.kernel.keymigrate.dto.ZKKeyMigrateRequestDto;
import io.mosip.kernel.keymigrate.dto.ZKKeyMigrateResponseDto;
import io.mosip.kernel.keymigrate.dto.ZKKeyResponseDto;
import io.mosip.kernel.keymigrate.service.spi.KeyMigratorService;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import java.util.stream.Stream;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Lazy;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional
@Lazy
@Service
/* loaded from: input_file:io/mosip/kernel/keymigrate/service/impl/KeyMigratorServiceImpl.class */
public class KeyMigratorServiceImpl implements KeyMigratorService {
    private static final Logger LOGGER = KeymanagerLogger.getLogger(KeyMigratorServiceImpl.class);
    private static final String CREATED_BY = "System-Migrator";

    @Value("${mosip.kernel.partner.sign.masterkey.application.id:PMS}")
    private String pmsSignAppId;

    @Value("${mosip.kernel.certificate.sign.algorithm:SHA256withRSA}")
    private String signAlgorithm;

    @Value("${mosip.kernel.zkcrypto.masterkey.application.id:KERNEL}")
    private String masterKeyAppId;

    @Value("${mosip.kernel.zkcrypto.masterkey.reference.id:IDENTITY_CACHE}")
    private String masterKeyRefId;

    @Value("${mosip.kernel.zkcrypto.wrap.algorithm-name:AES/ECB/NoPadding}")
    private String aesECBTransformation;

    @Autowired
    private KeymanagerDBHelper dbHelper;

    @Autowired
    KeymanagerUtil keymanagerUtil;

    @Autowired
    private KeyStore keyStore;

    @Autowired
    private CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCore;

    @Autowired
    DataEncryptKeystoreRepository dataEncryptKeystoreRepository;

    @Autowired
    CryptomanagerUtils cryptomanagerUtil;

    @Override // io.mosip.kernel.keymigrate.service.spi.KeyMigratorService
    public KeyMigrateBaseKeyResponseDto migrateBaseKey(KeyMigrateBaseKeyRequestDto keyMigrateBaseKeyRequestDto) {
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.BASE_KEY, "", "Base Key Migration Migration.");
        String applicationId = keyMigrateBaseKeyRequestDto.getApplicationId();
        String referenceId = keyMigrateBaseKeyRequestDto.getReferenceId();
        String encryptedKeyData = keyMigrateBaseKeyRequestDto.getEncryptedKeyData();
        String certificateData = keyMigrateBaseKeyRequestDto.getCertificateData();
        LocalDateTime notBefore = keyMigrateBaseKeyRequestDto.getNotBefore();
        LocalDateTime notAfter = keyMigrateBaseKeyRequestDto.getNotAfter();
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        List<KeyAlias> list = this.dbHelper.getKeyAliases(applicationId, "", uTCCurrentDateTime).get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list.isEmpty() && !applicationId.equals("PARTNER")) {
            LOGGER.error(KeyMigratorConstants.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list.size()), "No CurrentKeyAlias found Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        if (isValidKeyExists(applicationId, referenceId, notBefore, notAfter, uTCCurrentDateTime)) {
            LOGGER.error(KeyMigratorConstants.SESSIONID, "", "", "Valid Key Already exists, not allowed to migrate.");
            KeyMigrateBaseKeyResponseDto keyMigrateBaseKeyResponseDto = new KeyMigrateBaseKeyResponseDto();
            keyMigrateBaseKeyResponseDto.setStatus(KeyMigratorConstants.MIGRAION_NOT_ALLOWED);
            keyMigrateBaseKeyResponseDto.setTimestamp(uTCCurrentDateTime);
            return keyMigrateBaseKeyResponseDto;
        }
        String uuid = UUID.randomUUID().toString();
        String alias = list.isEmpty() ? uuid : list.get(0).getAlias();
        String certificateThumbprintInHex = this.cryptomanagerUtil.getCertificateThumbprintInHex((X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData));
        this.dbHelper.storeKeyInDBStore(uuid, alias, certificateData, encryptedKeyData);
        String str = applicationId + "_" + referenceId + "_" + notBefore.format(KeymanagerConstant.DATE_FORMATTER);
        LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Unique Value formatter: " + str);
        this.dbHelper.storeKeyInAlias(applicationId, notBefore, referenceId, uuid, notAfter, certificateThumbprintInHex, this.keymanagerUtil.getUniqueIdentifier(str));
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.BASE_KEY, "", "Migration Completed for App Id:" + applicationId + ", Ref Id: " + referenceId + ", Inserted UUID: " + uuid);
        KeyMigrateBaseKeyResponseDto keyMigrateBaseKeyResponseDto2 = new KeyMigrateBaseKeyResponseDto();
        keyMigrateBaseKeyResponseDto2.setStatus(KeyMigratorConstants.MIGRAION_SUCCESS);
        keyMigrateBaseKeyResponseDto2.setTimestamp(uTCCurrentDateTime);
        return keyMigrateBaseKeyResponseDto2;
    }

    private boolean isValidKeyExists(String str, String str2, LocalDateTime localDateTime, LocalDateTime localDateTime2, LocalDateTime localDateTime3) {
        if (this.dbHelper.getKeyAliases(str, str2, localDateTime3).get(KeymanagerConstant.CURRENTKEYALIAS).isEmpty()) {
            return false;
        }
        if (localDateTime3.isEqual(localDateTime) || localDateTime3.isEqual(localDateTime2)) {
            return true;
        }
        return localDateTime3.isAfter(localDateTime) && localDateTime3.isBefore(localDateTime2);
    }

    @Override // io.mosip.kernel.keymigrate.service.spi.KeyMigratorService
    public ZKKeyMigrateCertficateResponseDto getZKTempCertificate() {
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "Get Temporary Certificate for ZK keys migration.");
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        Map<String, List<KeyAlias>> keyAliases = this.dbHelper.getKeyAliases(KeyMigratorConstants.ZK_TEMP_KEY_APP_ID, KeyMigratorConstants.ZK_TEMP_KEY_REF_ID, uTCCurrentDateTime);
        List<KeyAlias> list = keyAliases.get(KeymanagerConstant.KEYALIAS);
        List<KeyAlias> list2 = keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS);
        ZKKeyMigrateCertficateResponseDto zKKeyMigrateCertficateResponseDto = new ZKKeyMigrateCertficateResponseDto();
        if (list2.isEmpty() && list.size() > 0) {
            LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, String.valueOf(list.size()), "Key Exists but expired, so removing the key and generating new key.");
            String alias = list.get(list.size() - 1).getAlias();
            LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "Found Alias to delete key. Alias: " + alias);
            this.keyStore.deleteKey(alias);
            this.dbHelper.storeKeyInAlias(KeyMigratorConstants.ZK_TEMP_KEY_APP_ID, uTCCurrentDateTime, KeyMigratorConstants.ZK_TEMP_KEY_REF_ID, alias, uTCCurrentDateTime, null, null);
        } else {
            if (list2.size() == 1) {
                LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, String.valueOf(list2.size()), "currentKeyAlias size is one, returning the certificate.");
                zKKeyMigrateCertficateResponseDto.setCertificate(this.keymanagerUtil.getPEMFormatedData(this.keyStore.getCertificate(list2.get(0).getAlias())));
                zKKeyMigrateCertficateResponseDto.setTimestamp(uTCCurrentDateTime);
                return zKKeyMigrateCertficateResponseDto;
            }
            if (list2.size() > 1) {
                LOGGER.error(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, String.valueOf(list2.size()), "No CurrentKeyAlias found Throwing exception");
                throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
            }
        }
        String uuid = UUID.randomUUID().toString();
        LocalDateTime plusDays = uTCCurrentDateTime.plusDays(1L);
        this.keyStore.generateAndStoreAsymmetricKey(uuid, (String) null, this.keymanagerUtil.getCertificateParameters(KeyMigratorConstants.ZK_CERT_COMMON_NAME, uTCCurrentDateTime, plusDays));
        String certificateThumbprintInHex = this.cryptomanagerUtil.getCertificateThumbprintInHex((X509Certificate) this.keyStore.getCertificate(uuid));
        String str = "KEY_MIGRATE_ZK_TEMP_KEY_" + certificateThumbprintInHex;
        LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Unique Value formatter: " + str);
        this.dbHelper.storeKeyInAlias(KeyMigratorConstants.ZK_TEMP_KEY_APP_ID, uTCCurrentDateTime, KeyMigratorConstants.ZK_TEMP_KEY_REF_ID, uuid, plusDays, certificateThumbprintInHex, this.keymanagerUtil.getUniqueIdentifier(str));
        zKKeyMigrateCertficateResponseDto.setCertificate(this.keymanagerUtil.getPEMFormatedData(this.keyStore.getCertificate(uuid)));
        zKKeyMigrateCertficateResponseDto.setTimestamp(uTCCurrentDateTime);
        return zKKeyMigrateCertficateResponseDto;
    }

    @Override // io.mosip.kernel.keymigrate.service.spi.KeyMigratorService
    public ZKKeyMigrateResponseDto migrateZKKeys(ZKKeyMigrateRequestDto zKKeyMigrateRequestDto) {
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "ZK keys migration request.");
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        Stream<ZKKeyDataDto> stream = zKKeyMigrateRequestDto.getZkEncryptedDataList().stream();
        boolean booleanValue = zKKeyMigrateRequestDto.getPurgeTempKeyFlag() == null ? false : zKKeyMigrateRequestDto.getPurgeTempKeyFlag().booleanValue();
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "ZK migration keys list size: " + zKKeyMigrateRequestDto.getZkEncryptedDataList().size());
        String keyAlias = getKeyAlias(KeyMigratorConstants.ZK_TEMP_KEY_APP_ID, KeyMigratorConstants.ZK_TEMP_KEY_REF_ID, uTCCurrentDateTime);
        String keyAlias2 = getKeyAlias(this.masterKeyAppId, this.masterKeyRefId, uTCCurrentDateTime);
        KeyStore.PrivateKeyEntry asymmetricKey = this.keyStore.getAsymmetricKey(keyAlias);
        PrivateKey privateKey = asymmetricKey.getPrivateKey();
        PublicKey publicKey = asymmetricKey.getCertificate().getPublicKey();
        SecretKey symmetricKey = this.keyStore.getSymmetricKey(keyAlias2);
        ArrayList arrayList = new ArrayList();
        stream.forEach(zKKeyDataDto -> {
            byte[] decodeURLSafeBase64 = CryptoUtil.decodeURLSafeBase64(zKKeyDataDto.getEncryptedKeyData());
            int keyIndex = zKKeyDataDto.getKeyIndex();
            ZKKeyResponseDto zKKeyResponseDto = new ZKKeyResponseDto();
            zKKeyResponseDto.setKeyIndex(keyIndex);
            if (isKeyIndexExist(keyIndex)) {
                zKKeyResponseDto.setStatusMessage(KeyMigratorConstants.MIGRAION_NOT_ALLOWED);
            } else {
                byte[] encryptRandomKey = encryptRandomKey(decodeURLSafeBase64, symmetricKey, privateKey, publicKey);
                if (encryptRandomKey != null) {
                    insertKey(keyIndex, Base64.getEncoder().encodeToString(encryptRandomKey), "Active");
                    zKKeyResponseDto.setStatusMessage(KeyMigratorConstants.MIGRAION_SUCCESS);
                } else {
                    zKKeyResponseDto.setStatusMessage(KeyMigratorConstants.MIGRAION_FAILED);
                }
            }
            arrayList.add(zKKeyResponseDto);
        });
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "Purge Flag Value: " + booleanValue);
        if (booleanValue) {
            this.keyStore.deleteKey(keyAlias);
            LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "Key Purged from Store. Key Alias: " + keyAlias);
            this.dbHelper.storeKeyInAlias(KeyMigratorConstants.ZK_TEMP_KEY_APP_ID, uTCCurrentDateTime, KeyMigratorConstants.ZK_TEMP_KEY_REF_ID, keyAlias, uTCCurrentDateTime, null, null);
        }
        ZKKeyMigrateResponseDto zKKeyMigrateResponseDto = new ZKKeyMigrateResponseDto();
        zKKeyMigrateResponseDto.setZkEncryptedDataList(arrayList);
        return zKKeyMigrateResponseDto;
    }

    private String getKeyAlias(String str, String str2, LocalDateTime localDateTime) {
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "Retrieve Master Key Alias from DB. AppId: " + str);
        List<KeyAlias> list = this.dbHelper.getKeyAliases(str, str2, localDateTime).get(KeymanagerConstant.CURRENTKEYALIAS);
        if (list.isEmpty() || list.size() != 1) {
            LOGGER.error(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "", "CurrentKeyAlias is not unique. KeyAlias count: " + list.size());
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        LOGGER.info(KeyMigratorConstants.SESSIONID, KeyMigratorConstants.ZK_KEYS, "getKeyAlias", "CurrentKeyAlias size is one. return the current key alias.");
        return list.get(0).getAlias();
    }

    private byte[] encryptRandomKey(byte[] bArr, Key key, PrivateKey privateKey, PublicKey publicKey) {
        try {
            byte[] bArr2 = (byte[]) this.cryptoCore.asymmetricDecrypt(privateKey, publicKey, bArr);
            Cipher cipher = Cipher.getInstance(this.aesECBTransformation);
            cipher.init(1, key);
            return cipher.doFinal(bArr2, 0, bArr2.length);
        } catch (IllegalArgumentException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException | InvalidDataException | io.mosip.kernel.core.crypto.exception.InvalidKeyException e) {
            LOGGER.error(KeyMigratorConstants.SESSIONID, new Object[]{KeyMigratorConstants.ZK_KEYS, "", "Error in encrypting random Key in key migration process.", e});
            return null;
        }
    }

    private boolean isKeyIndexExist(int i) {
        return Objects.nonNull(this.dataEncryptKeystoreRepository.findKeyById(Integer.valueOf(i)));
    }

    private void insertKey(int i, String str, String str2) {
        DataEncryptKeystore dataEncryptKeystore = new DataEncryptKeystore();
        dataEncryptKeystore.setId(Integer.valueOf(i));
        dataEncryptKeystore.setKey(str);
        dataEncryptKeystore.setKeyStatus(str2);
        dataEncryptKeystore.setCrBy(CREATED_BY);
        dataEncryptKeystore.setCrDTimes(LocalDateTime.now());
        this.dataEncryptKeystoreRepository.save(dataEncryptKeystore);
    }
}
