package io.mosip.kernel.keymanagerservice.helper;

import io.mosip.kernel.core.crypto.exception.InvalidDataException;
import io.mosip.kernel.core.crypto.exception.InvalidKeyException;
import io.mosip.kernel.core.crypto.exception.NullDataException;
import io.mosip.kernel.core.crypto.exception.NullKeyException;
import io.mosip.kernel.core.crypto.exception.NullMethodException;
import io.mosip.kernel.core.crypto.spi.CryptoCoreSpec;
import io.mosip.kernel.core.keymanager.spi.KeyStore;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.cryptomanager.util.CryptomanagerUtils;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerErrorConstant;
import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyRequestDto;
import io.mosip.kernel.keymanagerservice.dto.SymmetricKeyResponseDto;
import io.mosip.kernel.keymanagerservice.entity.KeyAlias;
import io.mosip.kernel.keymanagerservice.exception.CryptoException;
import io.mosip.kernel.keymanagerservice.exception.KeymanagerServiceException;
import io.mosip.kernel.keymanagerservice.exception.NoUniqueAliasException;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.LocalDateTime;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKey;
import org.bouncycastle.util.encoders.Hex;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

/**
 * Decrypts a session (symmetric) key that a caller encrypted with one of the
 * key manager's asymmetric keys.
 *
 * <p>Two wire layouts are distinguished purely by the decoded payload length
 * (see {@link #decryptSessionKey}): exactly 288 bytes is read as a 32-byte
 * certificate thumbprint followed by the ciphertext; any other length is read
 * as ciphertext only, and the key is located from the application/reference id.
 *
 * <p>This is a decompiled (JADX) listing: parameter and local names are
 * synthetic ({@code str}, {@code bArr}, ...), the import list names two types
 * called {@code KeyStore} (the key-manager SPI used for the {@code keyStore}
 * field and {@code java.security.KeyStore}, whose {@code PrivateKeyEntry} is
 * used below), and the body of {@link #decryptSessionKeyNoKeyIdentifier} was
 * not recovered.
 *
 * <p>Thread-safety: the two lookup caches are {@link ConcurrentHashMap}s and are
 * populated without further synchronisation; nothing else in this class is
 * documented as thread-safe.
 */
@Component
/* loaded from: input_file:io/mosip/kernel/keymanagerservice/helper/SessionKeyDecrytorHelper.class */
public class SessionKeyDecrytorHelper {
    private static final Logger LOGGER = KeymanagerLogger.getLogger(SessionKeyDecrytorHelper.class);

    /** Asymmetric decrypt primitive; only {@code asymmetricDecrypt} is used here. */
    @Autowired
    private CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCore;

    /** Reference-id validation, private-key unwrap/destroy and certificate parsing. */
    @Autowired
    KeymanagerUtil keymanagerUtil;

    /** Key-alias and key-store lookups (DB side). */
    @Autowired
    private KeymanagerDBHelper dbHelper;

    /** Computes certificate thumbprints, compared against the thumbprint in the request. */
    @Autowired
    CryptomanagerUtils cryptomanagerUtil;

    /**
     * Key-manager key-store SPI (the log lines below call it the HSM); supplies
     * {@code PrivateKeyEntry}s by alias.
     */
    @Autowired
    private KeyStore keyStore;
    // Key-store entities keyed by the upper-case hex thumbprint taken from the request
    // payload. Raw type as decompiled. NOTE(review): the map is unbounded and its keys
    // come straight from the request; whether an unknown thumbprint can populate it
    // depends on dbHelper.getKeyAlias throwing rather than returning null — confirm.
    private Map<String, io.mosip.kernel.keymanagerservice.entity.KeyStore> cacheKeyStore = new ConcurrentHashMap();
    // Thumbprint -> "<appId>-<refId>" or "<appId>-COMP_MASTER": the caller ids the cached
    // key may be used with (checked in decryptSymmetricKeyWithKeyIdentifier).
    private Map<String, String> cacheReferenceIds = new ConcurrentHashMap();

    /**
     * Entry point: decrypts the session key carried in {@code symmetricKeyRequestDto}.
     *
     * <p>The payload is decoded from URL-safe Base64 and dispatched on its length alone:
     * 288 bytes (32-byte thumbprint + ciphertext) goes to the thumbprint path, any other
     * length to the no-identifier path. The request's {@code prependThumbprint} flag is
     * only logged here; it does not influence the dispatch.
     *
     * @param symmetricKeyRequestDto application id, reference id, prepend-thumbprint
     *        flag and the Base64url-encoded encrypted session key
     * @return the decrypted session key, Base64url-encoded
     * @throws KeymanagerServiceException if the ids do not match the key selected by
     *         the thumbprint (thumbprint path)
     * @throws CryptoException if the asymmetric decryption fails (thumbprint path);
     *         the no-identifier path's body is not recoverable from this listing
     */
    public SymmetricKeyResponseDto decryptSessionKey(SymmetricKeyRequestDto symmetricKeyRequestDto) {
        // Used for the alias lookups on the no-identifier path; ignored on the thumbprint path.
        LocalDateTime uTCCurrentDateTime = DateUtils.getUTCCurrentDateTime();
        String applicationId = symmetricKeyRequestDto.getApplicationId();
        String referenceId = symmetricKeyRequestDto.getReferenceId();
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "Request Application Id: " + applicationId);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "Request Reference Id: " + referenceId);
        Boolean prependThumbprint = symmetricKeyRequestDto.getPrependThumbprint();
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "prependThumbprint Value(Request): " + prependThumbprint);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.SYMMETRICKEYREQUEST, symmetricKeyRequestDto.getApplicationId(), "prependThumbprint Value: " + (prependThumbprint == null ? false : symmetricKeyRequestDto.getPrependThumbprint().booleanValue()));
        byte[] decodeURLSafeBase64 = CryptoUtil.decodeURLSafeBase64(symmetricKeyRequestDto.getEncryptedSymmetricKey());
        // 288 = 32-byte thumbprint + 256-byte ciphertext; the length is the only signal used.
        return decodeURLSafeBase64.length != 288 ? decryptSymmetricKeyNoKeyIdentifier(applicationId, referenceId, decodeURLSafeBase64, uTCCurrentDateTime) : decryptSymmetricKeyWithKeyIdentifier(applicationId, referenceId, decodeURLSafeBase64, uTCCurrentDateTime);
    }

    /**
     * Thumbprint path: the first 32 bytes of {@code bArr} identify the certificate whose
     * key encrypted the remainder.
     *
     * <p>The key-store entity is looked up by upper-case hex thumbprint, first in
     * {@link #cacheKeyStore}, otherwise via {@code dbHelper.getKeyAlias}. On a cache miss
     * the owner id recorded for the thumbprint is {@code "<appId>-COMP_MASTER"} when the
     * entity carries no private key (such entities are resolved from the HSM by alias in
     * {@link #getKeyObjects(io.mosip.kernel.keymanagerservice.entity.KeyStore)}), else
     * {@code "<appId>-<refId>"}. The request is rejected unless its ids match the owner.
     *
     * @param str           application id
     * @param str2          reference id
     * @param bArr          decoded payload: 32-byte thumbprint followed by the ciphertext
     * @param localDateTime current UTC time; not used on this path
     * @return response DTO carrying the Base64url-encoded session key
     * @throws KeymanagerServiceException if the ids do not match the key the thumbprint selects
     * @throws CryptoException if the asymmetric decryption fails
     */
    private SymmetricKeyResponseDto decryptSymmetricKeyWithKeyIdentifier(String str, String str2, byte[] bArr, LocalDateTime localDateTime) {
        byte[] copyOfRange = Arrays.copyOfRange(bArr, 0, 32);
        byte[] copyOfRange2 = Arrays.copyOfRange(bArr, 32, bArr.length);
        String upperCase = Hex.toHexString(copyOfRange).toUpperCase();
        io.mosip.kernel.keymanagerservice.entity.KeyStore orDefault = this.cacheKeyStore.getOrDefault(upperCase, null);
        String str3 = str + "-" + str2;
        String str4 = str + "-COMP_MASTER";
        // NOTE(review): the owner id recorded on a miss is derived from the ids of the
        // request that first populated the cache, so the check below only adds value if
        // dbHelper.getKeyAlias itself refuses a thumbprint that does not belong to
        // (str, str2) — confirm against KeymanagerDBHelper.
        if (Objects.isNull(orDefault)) {
            orDefault = this.dbHelper.getKeyAlias(upperCase, str3, str, str2);
            // ConcurrentHashMap rejects null values: if getKeyAlias returned null this put
            // would NPE — presumably it throws on no match instead; verify.
            this.cacheKeyStore.put(upperCase, orDefault);
            if (Objects.isNull(orDefault.getPrivateKey())) {
                this.cacheReferenceIds.put(upperCase, str4);
            } else {
                this.cacheReferenceIds.put(upperCase, str3);
            }
        }
        String orDefault2 = this.cacheReferenceIds.getOrDefault(upperCase, null);
        // Authorisation: the thumbprint's key must belong to this appId/refId or to the
        // appId's COMP_MASTER; anything else is rejected before any decryption happens.
        if (!str3.equals(orDefault2) && !str4.equals(orDefault2)) {
            LOGGER.error(KeymanagerConstant.SESSIONID, "", "", "Application Id & Reference ID not matching with the input thumbprint value(decrypt).");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.APP_ID_REFERENCE_ID_NOT_MATCHING.getErrorCode(), KeymanagerErrorConstant.APP_ID_REFERENCE_ID_NOT_MATCHING.getErrorMessage());
        }
        SymmetricKeyResponseDto symmetricKeyResponseDto = new SymmetricKeyResponseDto();
        symmetricKeyResponseDto.setSymmetricKey(CryptoUtil.encodeToURLSafeBase64(decryptSessionKeyWithCertificateThumbprint(orDefault, copyOfRange2, str2)));
        return symmetricKeyResponseDto;
    }

    /**
     * Decrypts {@code bArr} with the private key of {@code keyStore}.
     *
     * <p>When {@code str} is a valid reference id the private key was unwrapped from the
     * DB (see {@link #getKeyObjects(io.mosip.kernel.keymanagerservice.entity.KeyStore)})
     * and is destroyed after a successful decrypt; HSM-resolved keys are left alone.
     *
     * <p>NOTE(review): the destroy runs only on the success path. An
     * {@link InvalidKeyException} (caught below) or any other exception leaves the
     * unwrapped key undestroyed; a {@code finally} would close that gap. The underlying
     * crypto message is appended to the {@link CryptoException} text — whether that
     * reaches external callers depends on the controller's error mapping.
     *
     * @param keyStore key-store entity selected by thumbprint
     * @param bArr     ciphertext (payload minus the thumbprint)
     * @param str      reference id of the request
     * @return the plaintext session key
     * @throws CryptoException if decryption fails
     */
    private byte[] decryptSessionKeyWithCertificateThumbprint(io.mosip.kernel.keymanagerservice.entity.KeyStore keyStore, byte[] bArr, String str) {
        Object[] keyObjects = getKeyObjects(keyStore);
        PrivateKey privateKey = (PrivateKey) keyObjects[0];
        try {
            byte[] bArr2 = (byte[]) this.cryptoCore.asymmetricDecrypt(privateKey, ((Certificate) keyObjects[1]).getPublicKey(), bArr);
            // Only DB-unwrapped key material is destroyed; an HSM entry is not.
            if (this.keymanagerUtil.isValidReferenceId(str)) {
                this.keymanagerUtil.destoryKey(privateKey);
            }
            return bArr2;
        } catch (InvalidKeyException e) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, KeymanagerConstant.REFERENCEID, "Error occurred because of mismatch with keys. Try with keys for decryption.");
            throw new CryptoException(KeymanagerErrorConstant.SYMMETRIC_KEY_DECRYPTION_FAILED.getErrorCode(), KeymanagerErrorConstant.SYMMETRIC_KEY_DECRYPTION_FAILED.getErrorMessage() + e.getMessage(), e);
        }
    }

    /**
     * Resolves the (private key, certificate) pair for a key-store entity.
     *
     * <ul>
     *   <li>No private key on the entity: the pair is fetched from the HSM by alias.</li>
     *   <li>Alias equals the entity's master alias, or the private key is the literal
     *       {@code "NA"}: decryption with this key is refused ({@code DECRYPTION_NOT_ALLOWED}),
     *       logged as an attempt to use another domain's key.</li>
     *   <li>Otherwise the stored private key (Base64url) is unwrapped with the master
     *       key pair fetched from the HSM, parsed as a PKCS#8 RSA key, and the certificate
     *       is parsed from {@code certificateData}.</li>
     * </ul>
     *
     * @param keyStore key-store entity
     * @return {@code [PrivateKey, Certificate]} (element types are fixed by the callers' casts)
     * @throws KeymanagerServiceException if the key may not be used for decryption
     * @throws CryptoException if unwrapping or parsing the key fails
     */
    private Object[] getKeyObjects(io.mosip.kernel.keymanagerservice.entity.KeyStore keyStore) {
        String alias = keyStore.getAlias();
        String privateKey = keyStore.getPrivateKey();
        if (Objects.isNull(privateKey)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Private not found in key store. Getting private key from HSM.");
            KeyStore.PrivateKeyEntry asymmetricKey = this.keyStore.getAsymmetricKey(alias);
            return new Object[]{asymmetricKey.getPrivateKey(), asymmetricKey.getCertificate()};
        }
        if (alias.equals(keyStore.getMasterAlias()) || privateKey.equals("NA")) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Not Allowed to perform decryption with other domain key.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorMessage());
        }
        // The master key pair (HSM) unwraps the DB-stored private key.
        KeyStore.PrivateKeyEntry asymmetricKey2 = this.keyStore.getAsymmetricKey(keyStore.getMasterAlias());
        try {
            return new Object[]{KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(this.keymanagerUtil.decryptKey(CryptoUtil.decodeURLSafeBase64(keyStore.getPrivateKey()), asymmetricKey2.getPrivateKey(), asymmetricKey2.getCertificate().getPublicKey()))), this.keymanagerUtil.convertToCertificate(keyStore.getCertificateData())};
        } catch (InvalidDataException | InvalidKeyException | NullDataException | NullKeyException | NullMethodException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new CryptoException(KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorCode(), KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorMessage() + e.getMessage(), e);
        }
    }

    /**
     * Selects the (private key, certificate) pair whose certificate thumbprint equals
     * {@code bArr}, searching in order: the single "current" alias, every alias in
     * {@code list}, then the application's aliases looked up with an empty reference id
     * as of {@code localDateTime} (logged as the master-key check).
     *
     * <p>With exactly one current alias and no thumbprint ({@code bArr == null}) that
     * alias is returned without comparison. With no aliases, or several current ones,
     * and no thumbprint, selection is impossible ({@code NO_UNIQUE_ALIAS}).
     *
     * <p>NOTE(review): every candidate's key pair is materialised through
     * {@link #getPrivateKey} just to compute its certificate thumbprint; keys unwrapped
     * from the DB for non-matching candidates are not destroyed in this method.
     *
     * @param list          all key aliases for the application/reference id
     * @param list2         the "current" aliases (logged under CURRENTKEYALIAS)
     * @param localDateTime time used for the fallback alias lookup
     * @param str           reference id (selects DB vs HSM resolution in getPrivateKey)
     * @param bArr          certificate thumbprint to match, or {@code null}
     * @param str2          application id
     * @return {@code [PrivateKey, Certificate]}
     * @throws NoUniqueAliasException if no candidate matches
     */
    private Object[] getKeyObjects(List<KeyAlias> list, List<KeyAlias> list2, LocalDateTime localDateTime, String str, byte[] bArr, String str2) {
        if (list2.size() == 1) {
            LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, list2.get(0).getAlias(), "CurrentKeyAlias size is one. Will decrypt symmetric key with this alias after thumbprint matches.");
            Object[] privateKey = getPrivateKey(str, list2.get(0));
            if (bArr == null) {
                return privateKey;
            }
            if (Arrays.equals(bArr, this.cryptomanagerUtil.getCertificateThumbprint((Certificate) privateKey[1]))) {
                return privateKey;
            }
        }
        // Without a thumbprint there is nothing to disambiguate the remaining candidates with.
        if ((list.isEmpty() || list2.size() > 1) && bArr == null) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, String.valueOf(list2.size()), "KeyAlias is empty or current key alias is not unique & certificate thumbprint is null. Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, "", "CurrentKeyAlias size is zero or thumbprint not matched now checking other expired key aliases to compare thumbprint.");
        // From here on bArr is non-null (a null thumbprint would never equal a computed one).
        Iterator<KeyAlias> it = list.iterator();
        while (it.hasNext()) {
            Object[] privateKey2 = getPrivateKey(str, it.next());
            if (Arrays.equals(bArr, this.cryptomanagerUtil.getCertificateThumbprint((Certificate) privateKey2[1]))) {
                return privateKey2;
            }
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, "", "Base key certificate thumbprint did not matched with thumbprint in encrypted data, Checking thumbprint match with master key.");
        // Fallback: the application's aliases with an empty reference id, resolved via the HSM path.
        Iterator<KeyAlias> it2 = this.dbHelper.getKeyAliases(str2, "", localDateTime).get(KeymanagerConstant.KEYALIAS).iterator();
        while (it2.hasNext()) {
            Object[] privateKey3 = getPrivateKey("", it2.next());
            if (Arrays.equals(bArr, this.cryptomanagerUtil.getCertificateThumbprint((Certificate) privateKey3[1]))) {
                return privateKey3;
            }
        }
        LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, "", "No Key Alias for the thumbprint provided (After comparing all thumbprints), Throwing exception");
        throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
    }

    /**
     * Resolves the (private key, certificate) pair for one alias.
     *
     * <p>An invalid reference id means the key is fetched from the HSM by alias. A valid
     * one means the key-store entity is read from the DB; its private key is refused when
     * the alias is the master alias or the key is the literal {@code "NA"}, and otherwise
     * unwrapped with the master key pair exactly as in
     * {@link #getKeyObjects(io.mosip.kernel.keymanagerservice.entity.KeyStore)} (the two
     * unwrap sequences are duplicated verbatim in this listing).
     *
     * @param str      reference id
     * @param keyAlias alias to resolve
     * @return {@code [PrivateKey, Certificate]}
     * @throws NoUniqueAliasException     if no DB entry exists for the alias
     * @throws KeymanagerServiceException if the key may not be used for decryption
     * @throws CryptoException            if unwrapping or parsing the key fails
     */
    private Object[] getPrivateKey(String str, KeyAlias keyAlias) {
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.REFERENCEID, str, KeymanagerConstant.GETPRIVATEKEY);
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.FETCHEDKEYALIAS, keyAlias.getAlias(), KeymanagerConstant.GETPRIVATEKEY);
        if (!this.keymanagerUtil.isValidReferenceId(str)) {
            LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Not valid reference Id. Getting private key from HSM.");
            KeyStore.PrivateKeyEntry asymmetricKey = this.keyStore.getAsymmetricKey(keyAlias.getAlias());
            return new Object[]{asymmetricKey.getPrivateKey(), asymmetricKey.getCertificate()};
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, "", "", "Valid reference Id. Getting private key from DB Store");
        String alias = keyAlias.getAlias();
        Optional<io.mosip.kernel.keymanagerservice.entity.KeyStore> keyStoreFromDB = this.dbHelper.getKeyStoreFromDB(alias);
        if (!keyStoreFromDB.isPresent()) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYFROMDB, keyStoreFromDB.toString(), "Key in DBStore does not exist for this alias. Throwing exception");
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        String masterAlias = keyStoreFromDB.get().getMasterAlias();
        String privateKey = keyStoreFromDB.get().getPrivateKey();
        if (alias.equals(masterAlias) || privateKey.equals("NA")) {
            LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, (String) null, "Not Allowed to perform decryption with other domain key.");
            throw new KeymanagerServiceException(KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorCode(), KeymanagerErrorConstant.DECRYPTION_NOT_ALLOWED.getErrorMessage());
        }
        // The master key pair (HSM) unwraps the DB-stored private key.
        KeyStore.PrivateKeyEntry asymmetricKey2 = this.keyStore.getAsymmetricKey(keyStoreFromDB.get().getMasterAlias());
        try {
            return new Object[]{KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(this.keymanagerUtil.decryptKey(CryptoUtil.decodeURLSafeBase64(keyStoreFromDB.get().getPrivateKey()), asymmetricKey2.getPrivateKey(), asymmetricKey2.getCertificate().getPublicKey()))), this.keymanagerUtil.convertToCertificate(keyStoreFromDB.get().getCertificateData())};
        } catch (InvalidDataException | InvalidKeyException | NullDataException | NullKeyException | NullMethodException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new CryptoException(KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorCode(), KeymanagerErrorConstant.CRYPTO_EXCEPTION.getErrorMessage() + e.getMessage(), e);
        }
    }

    /**
     * No-identifier path: delegates to {@link #decryptSessionKeyNoKeyIdentifier} with no
     * thumbprint and the thumbprint flag cleared, and wraps the result in the response DTO.
     *
     * @param str           application id
     * @param str2          reference id
     * @param bArr          ciphertext (whole decoded payload)
     * @param localDateTime current UTC time for the alias lookups
     * @return response DTO carrying the Base64url-encoded session key
     */
    private SymmetricKeyResponseDto decryptSymmetricKeyNoKeyIdentifier(String str, String str2, byte[] bArr, LocalDateTime localDateTime) {
        SymmetricKeyResponseDto symmetricKeyResponseDto = new SymmetricKeyResponseDto();
        symmetricKeyResponseDto.setSymmetricKey(CryptoUtil.encodeToURLSafeBase64(decryptSessionKeyNoKeyIdentifier(str, str2, localDateTime, bArr, null, false)));
        return symmetricKeyResponseDto;
    }

    /**
     * Body NOT recovered by the decompiler: the stub below throws
     * {@link UnsupportedOperationException} and does not reflect the real behaviour.
     *
     * <p>Parameter roles are inferred from the only visible call site
     * ({@link #decryptSymmetricKeyNoKeyIdentifier}): application id, reference id,
     * lookup time, ciphertext, thumbprint (passed as {@code null}) and thumbprint flag
     * (passed as {@code false}). Presumably the original body uses
     * {@link #getPrivateKeyNoKeyIdentifier} and {@link #decryptWithKeyAlias}, the two
     * methods with no other caller in this listing — confirm against the upstream source.
     */
    /* JADX WARN: Removed duplicated region for block: B:28:0x0148  */
    /* JADX WARN: Removed duplicated region for block: B:30:0x014b  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private byte[] decryptSessionKeyNoKeyIdentifier(java.lang.String r10, java.lang.String r11, java.time.LocalDateTime r12, byte[] r13, byte[] r14, boolean r15) {
        /*
            Method dump skipped, instructions count: 334
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: io.mosip.kernel.keymanagerservice.helper.SessionKeyDecrytorHelper.decryptSessionKeyNoKeyIdentifier(java.lang.String, java.lang.String, java.time.LocalDateTime, byte[], byte[], boolean):byte[]");
    }

    /**
     * Selects the key pair for the no-identifier path.
     *
     * <p>If {@code list} is empty, the application's aliases are re-read with an empty
     * reference id as of {@code localDateTime}; an empty result is {@code NO_UNIQUE_ALIAS},
     * and a valid reference id is reset to {@code ""} (presumably so the fallback keys
     * resolve through the HSM branch of {@link #getPrivateKey}). When a thumbprint is
     * present or {@code z} is set, selection is delegated to
     * {@link #getKeyObjects(List, List, LocalDateTime, String, byte[], String)};
     * otherwise the first alias of the (possibly re-read) full list is used.
     *
     * <p>NOTE(review): the no-thumbprint branch picks {@code list3.get(0)}, the first of
     * all aliases, although its log line is labelled CURRENTKEYALIAS; and the error log
     * on the empty-result branch reports {@code list.size()}, i.e. the original (empty)
     * list rather than the re-read one. Confirm against the upstream source.
     *
     * @param list          all key aliases (may be empty)
     * @param list2         current key aliases
     * @param localDateTime time for the fallback alias lookup
     * @param str           reference id; reassigned to {@code ""} on the fallback branch
     * @param bArr          certificate thumbprint or {@code null}
     * @param z             whether a thumbprint is expected in the packet (per the log text)
     * @param str2          application id
     * @return {@code [PrivateKey, Certificate]}
     * @throws NoUniqueAliasException if no key can be selected
     */
    private Object[] getPrivateKeyNoKeyIdentifier(List<KeyAlias> list, List<KeyAlias> list2, LocalDateTime localDateTime, String str, byte[] bArr, boolean z, String str2) {
        List<KeyAlias> list3 = list;
        List<KeyAlias> list4 = list2;
        if (list.isEmpty()) {
            Map<String, List<KeyAlias>> keyAliases = this.dbHelper.getKeyAliases(str2, "", localDateTime);
            list3 = keyAliases.get(KeymanagerConstant.KEYALIAS);
            list4 = keyAliases.get(KeymanagerConstant.CURRENTKEYALIAS);
            if (list3.isEmpty()) {
                LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.KEYALIAS, String.valueOf(list.size()), "KeyAlias is empty(no Key Identifier) Throwing exception");
                throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
            }
            if (this.keymanagerUtil.isValidReferenceId(str)) {
                str = "";
            }
        }
        if (!Objects.isNull(bArr) || z) {
            return getKeyObjects(list3, list4, localDateTime, str, bArr, str2);
        }
        LOGGER.info(KeymanagerConstant.SESSIONID, KeymanagerConstant.CURRENTKEYALIAS, list3.get(0).getAlias(), "Thumbprint is value is null and packet Thumbprint Flag is false.");
        return getPrivateKey(str, list3.get(0));
    }

    /**
     * Tries each alias in turn and returns the first successful decryption of {@code bArr}.
     *
     * <p>{@link InvalidKeyException} and {@link InvalidDataException} from the decrypt are
     * logged (with the alias entity's {@code toString}) and remembered; after the loop the
     * last {@code InvalidKeyException} is rethrown if any occurred, else the last
     * {@code InvalidDataException}. A DB-unwrapped key (valid reference id) is destroyed
     * only after a successful decrypt, as in {@link #decryptSessionKeyWithCertificateThumbprint}.
     *
     * <p>NOTE(review): with an empty {@code list} both saved exceptions are {@code null},
     * so {@code throw invalidDataException} is {@code throw null} and surfaces as a
     * {@link NullPointerException}. Unwrapped keys of failed candidates are not destroyed.
     * No caller of this method is visible in this listing.
     *
     * @param list aliases to try, in order
     * @param str  reference id
     * @param bArr ciphertext
     * @return the plaintext session key
     * @throws InvalidKeyException  if every candidate failed and at least one failed this way
     * @throws InvalidDataException if every candidate failed and none with an InvalidKeyException
     */
    private byte[] decryptWithKeyAlias(List<KeyAlias> list, String str, byte[] bArr) {
        InvalidKeyException invalidKeyException = null;
        InvalidDataException invalidDataException = null;
        for (KeyAlias keyAlias : list) {
            Object[] privateKey = getPrivateKey(str, keyAlias);
            PrivateKey privateKey2 = (PrivateKey) privateKey[0];
            try {
                byte[] bArr2 = (byte[]) this.cryptoCore.asymmetricDecrypt(privateKey2, ((Certificate) privateKey[1]).getPublicKey(), bArr);
                if (this.keymanagerUtil.isValidReferenceId(str)) {
                    this.keymanagerUtil.destoryKey(privateKey2);
                }
                return bArr2;
            } catch (InvalidKeyException e) {
                LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, KeymanagerConstant.REFERENCEID, "Error occurred because of mismatch with keys. Try with other current key for decryption. key Alias: " + keyAlias);
                invalidKeyException = e;
            } catch (InvalidDataException e2) {
                LOGGER.error(KeymanagerConstant.SESSIONID, KeymanagerConstant.APPLICATIONID, KeymanagerConstant.REFERENCEID, "Error occurred because of mismatch with keys. Try with other current key for decryption. key Alias: " + keyAlias);
                invalidDataException = e2;
            }
        }
        // Both are null when list was empty — see the NOTE(review) above.
        if (invalidKeyException == null) {
            throw invalidDataException;
        }
        throw invalidKeyException;
    }
}
