package io.mosip.kernel.partnercertservice.service.impl;

import io.mosip.kernel.core.keymanager.spi.KeyStore;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.cryptomanager.util.CryptomanagerUtils;
import io.mosip.kernel.keymanager.hsm.util.CertificateUtility;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerConstant;
import io.mosip.kernel.keymanagerservice.dto.SignatureCertificate;
import io.mosip.kernel.keymanagerservice.entity.PartnerCertificateStore;
import io.mosip.kernel.keymanagerservice.exception.KeymanagerServiceException;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.service.KeymanagerService;
import io.mosip.kernel.keymanagerservice.util.KeymanagerUtil;
import io.mosip.kernel.partnercertservice.constant.PartnerCertManagerConstants;
import io.mosip.kernel.partnercertservice.constant.PartnerCertManagerErrorConstants;
import io.mosip.kernel.partnercertservice.dto.CACertificateRequestDto;
import io.mosip.kernel.partnercertservice.dto.CACertificateResponseDto;
import io.mosip.kernel.partnercertservice.dto.CertificateTrustRequestDto;
import io.mosip.kernel.partnercertservice.dto.CertificateTrustResponeDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertDownloadRequestDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertDownloadResponeDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertificateRequestDto;
import io.mosip.kernel.partnercertservice.dto.PartnerCertificateResponseDto;
import io.mosip.kernel.partnercertservice.exception.PartnerCertManagerException;
import io.mosip.kernel.partnercertservice.helper.PartnerCertManagerDBHelper;
import io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService;
import io.mosip.kernel.partnercertservice.util.PartnerCertificateManagerUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import javax.security.auth.x500.X500Principal;
import org.cache2k.Cache;
import org.cache2k.Cache2kBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

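/**
 * Manages the per-domain partner PKI: CA/sub-CA trust anchors, partner
 * (end-entity) certificates that are re-signed under the MOSIP master
 * signing key, and trust-path checks against the stored anchors.
 *
 * <p>Security model as implemented here (review notes, grounded in this class):
 * <ul>
 *   <li>Trust is scoped per partner domain. Every entry point first maps the
 *       requested domain onto {@code mosip.kernel.partner.allowed.domains}
 *       (case-insensitively, stored upper-cased) and rejects anything else.</li>
 *   <li>A self-signed certificate passed to {@link #uploadCACertificate}
 *       becomes a trust root for its domain after only a validity-date check,
 *       so that endpoint must remain restricted to trusted administrators at the
 *       access-control layer (not visible in this class).</li>
 *   <li>Path building runs with revocation checking disabled
 *       ({@code setRevocationEnabled(false)}), so CRL/OCSP status is never
 *       consulted; a revoked CA or partner certificate stays trusted until it is
 *       removed from the store.</li>
 *   <li>Trust anchors are cached per domain (cache2k, refresh-ahead) and the
 *       entry is expired whenever a CA certificate is stored or
 *       {@link #purgeTrustStoreCache} is called.</li>
 * </ul>
 */
@Transactional
@Service
public class PartnerCertificateManagerServiceImpl implements PartnerCertificateManagerService {
    private static final Logger LOGGER = KeymanagerLogger.getLogger(PartnerCertificateManagerServiceImpl.class);

    /** Application id of the master key used to re-sign partner certificates. */
    @Value("${mosip.kernel.partner.sign.masterkey.application.id}")
    private String masterSignKeyAppId;

    /** Comma-separated allow-list of partner domains; anything else is rejected. */
    @Value("${mosip.kernel.partner.allowed.domains}")
    private String partnerAllowedDomains;

    /** JCA signature algorithm used when re-signing partner certificates. */
    @Value("${mosip.kernel.certificate.sign.algorithm:SHA256withRSA}")
    private String signAlgorithm;

    /** Lifetime (years) of the re-signed partner certificate; also bounds the uploaded cert's validity. */
    @Value("${mosip.kernel.partner.issuer.certificate.duration.years:1}")
    private int issuerCertDuration;

    /** Grace allowance passed to the validity-duration check of uploaded partner certificates. */
    @Value("${mosip.kernel.partner.issuer.certificate.allowed.grace.duration:30}")
    private int gracePeriod;

    /** Expiry of a cached trust-anchor set, in minutes. */
    @Value("${mosip.kernel.partner.truststore.cache.expire.inMins:120}")
    private long cacheExpireInMins;

    /** Forwarded to the P7B chain builder; semantics are decided there, not here. */
    @Value("${mosip.kernel.partner.resign.ftm.domain.certs:false}")
    private boolean resignFTMDomainCerts;

    /** When true, trust anchors are read from the DB on every check and no cache is created. */
    @Value("${mosip.kernel.partner.truststore.cache.disable:false}")
    private boolean disableTrustStoreCache;

    @Autowired
    KeymanagerUtil keymanagerUtil;

    @Autowired
    PartnerCertManagerDBHelper certDBHelper;

    @Autowired
    private KeyStore keyStore;

    @Autowired
    private KeymanagerService keymanagerService;

    /** Per-domain cache of trust-anchor maps; {@code null} when caching is disabled. */
    private Cache<String, Object> caCertTrustStore = null;

    @Autowired
    CryptomanagerUtils cryptomanagerUtil;

    /**
     * Builds the per-domain trust-anchor cache unless caching is disabled.
     * Entries are loaded from {@link PartnerCertManagerDBHelper#getTrustAnchors}
     * on demand, expire after {@code cacheExpireInMins} and are refreshed ahead
     * of expiry by a single loader thread. Capacity is 10 domains.
     */
    @PostConstruct
    public void init() {
        if (this.disableTrustStoreCache) {
            return;
        }
        this.caCertTrustStore = new Cache2kBuilder<String, Object>() {
        }.name("caCertTrustStore-" + hashCode())
                .expireAfterWrite(this.cacheExpireInMins, TimeUnit.MINUTES)
                .entryCapacity(10L)
                .refreshAhead(true)
                .loaderThreadCount(1)
                .loader(partnerDomain -> {
                    LOGGER.info(PartnerCertManagerConstants.SESSIONID, "", "", "Loading CA TrustStore Cache for partnerDomain: " + partnerDomain);
                    return this.certDBHelper.getTrustAnchors(partnerDomain);
                })
                .build();
    }

    /**
     * Stores one CA certificate (PEM) or a whole bundle (P7B) as trust material
     * for the requested partner domain.
     *
     * <p>Per certificate: a duplicate thumbprint is skipped, an out-of-date
     * certificate is skipped, a self-signed certificate is stored as a new trust
     * root (its own id is recorded as issuer id), and any other certificate is
     * stored only if a path to an already-stored root can be built. With a
     * single certificate each skip condition is an error; with a bundle it only
     * downgrades the result to {@code PARTIAL_SUCCESS_UPLOAD}.
     *
     * <p>Review note: nothing beyond the validity dates is checked before a
     * self-signed certificate becomes a trust anchor (no CA basic-constraints or
     * key-usage check is visible here), so callers of this method must already
     * be trusted.
     *
     * @param cACertificateRequestDto certificate data and partner domain
     * @return status {@code SUCCESS_UPLOAD}, {@code PARTIAL_SUCCESS_UPLOAD} or {@code UPLOAD_FAILED}
     * @throws PartnerCertManagerException on unparsable data, unknown domain, or
     *         any skip condition when exactly one certificate was supplied
     */
    @Override // io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService
    public CACertificateResponseDto uploadCACertificate(CACertificateRequestDto cACertificateRequestDto) {
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Uploading CA/Sub-CA Certificate.");
        String certificateData = cACertificateRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Invalid Certificate Data provided to upload the ca/sub-ca certificate.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
        }
        List<Certificate> certificates = parseCertificateData(certificateData);
        int certsCount = certificates.size();
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Number of Certificates inputed: " + certsCount);
        String partnerDomain = validateAllowedDomains(cACertificateRequestDto.getPartnerDomain());
        boolean foundError = false;
        boolean uploadedCert = false;
        for (Certificate certificate : certificates) {
            X509Certificate x509Certificate = (X509Certificate) certificate;
            String certThumbprint = PartnerCertificateManagerUtil.getCertificateThumbprint(x509Certificate);
            if (this.certDBHelper.isCertificateExist(certThumbprint, partnerDomain)) {
                LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "CA/sub-CA certificate already exists in Store.");
                if (certsCount == 1) {
                    throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_EXIST_ERROR.getErrorMessage());
                }
                foundError = true;
                continue;
            }
            if (!PartnerCertificateManagerUtil.isCertificateDatesValid(x509Certificate)) {
                LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Certificate Dates are not valid.");
                if (certsCount == 1) {
                    throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
                }
                foundError = true;
                continue;
            }
            String certSubject = PartnerCertificateManagerUtil.formatCertificateDN(x509Certificate.getSubjectX500Principal().getName());
            String certIssuer = PartnerCertificateManagerUtil.formatCertificateDN(x509Certificate.getIssuerX500Principal().getName());
            if (PartnerCertificateManagerUtil.isSelfSignedCertificate(x509Certificate)) {
                LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Adding Self-signed Certificate in store.");
                // A root is its own issuer: the same id is recorded as certificate id and issuer id.
                String certId = UUID.randomUUID().toString();
                this.certDBHelper.storeCACertificate(certId, certSubject, certIssuer, certId, x509Certificate, certThumbprint, partnerDomain);
            } else {
                LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Adding Intermediate Certificates in store.");
                // An intermediate is accepted only if it chains to a root already in the store
                // (the cache was purged after any root stored earlier in this same bundle).
                if (!validateCertificatePath(x509Certificate, partnerDomain)) {
                    LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Sub-CA Certificate not allowed to upload as root CA is not available.");
                    if (certsCount == 1) {
                        throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.ROOT_CA_NOT_FOUND.getErrorCode(), PartnerCertManagerErrorConstants.ROOT_CA_NOT_FOUND.getErrorMessage());
                    }
                    // Nothing was stored for this certificate, so it must not count as an upload
                    // (previously the flag was set here too, reporting PARTIAL_SUCCESS for an all-failed bundle).
                    foundError = true;
                    continue;
                }
                this.certDBHelper.storeCACertificate(UUID.randomUUID().toString(), certSubject, certIssuer, this.certDBHelper.getIssuerCertId(certIssuer), x509Certificate, certThumbprint, partnerDomain);
            }
            uploadedCert = true;
            // The trust set for this domain changed; drop the cached anchors so later
            // certificates in the same bundle (and later requests) see the new entry.
            purgeCache(partnerDomain);
        }
        CACertificateResponseDto response = new CACertificateResponseDto();
        if (uploadedCert && (certsCount == 1 || !foundError)) {
            response.setStatus(PartnerCertManagerConstants.SUCCESS_UPLOAD);
        } else if (uploadedCert && foundError) {
            response.setStatus(PartnerCertManagerConstants.PARTIAL_SUCCESS_UPLOAD);
        } else {
            response.setStatus(PartnerCertManagerConstants.UPLOAD_FAILED);
        }
        response.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return response;
    }

    /**
     * Parses the uploaded data either as a single certificate (via
     * {@link KeymanagerUtil#convertToCertificate}) or, if that fails, as a
     * URL-safe-Base64 encoded bundle handed to {@link CertificateFactory}.
     *
     * <p>The bundle is reversed before it is returned so that the last
     * certificate of the bundle is processed first; this assumes the bundle
     * lists the end-entity/sub-CA first and the root last, which is what the
     * root-before-intermediate store order in {@link #uploadCACertificate}
     * relies on — TODO confirm against the producers of these bundles.
     *
     * @param certificateData PEM certificate or Base64 bundle
     * @return the parsed certificates, never empty on success
     * @throws PartnerCertManagerException when neither parse succeeds
     */
    private List<Certificate> parseCertificateData(String certificateData) {
        List<Certificate> certificates = new ArrayList<>();
        try {
            certificates.add((X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData));
            return certificates;
        } catch (KeymanagerServiceException e) {
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Ignore this exception, the exception thrown when certificate is not able to parse, may be p7b certificate data inputed.");
        }
        try (ByteArrayInputStream bundleStream = new ByteArrayInputStream(CryptoUtil.decodeURLSafeBase64(certificateData))) {
            for (Certificate certificate : CertificateFactory.getInstance(KeymanagerConstant.CERTIFICATE_TYPE).generateCertificates(bundleStream)) {
                certificates.add(certificate);
            }
            Collections.reverse(certificates);
            return certificates;
        } catch (IOException | CertificateException e2) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, new Object[]{PartnerCertManagerConstants.UPLOAD_CA_CERT, "", "Error Parsing P7B Certificate data.", e2});
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
        }
    }

    /**
     * Maps the requested domain onto the configured allow-list.
     *
     * @param requestedDomain domain from the request (compared case-insensitively)
     * @return the matching allow-list entry, upper-cased, so store keys are canonical
     * @throws PartnerCertManagerException when the domain is not in the allow-list
     */
    private String validateAllowedDomains(String requestedDomain) {
        return Stream.of(this.partnerAllowedDomains.split(PartnerCertManagerConstants.COMMA))
                .map(String::trim)
                .filter(allowedDomain -> allowedDomain.equalsIgnoreCase(requestedDomain))
                .findFirst()
                .orElseThrow(() -> new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_PARTNER_DOMAIN.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_PARTNER_DOMAIN.getErrorMessage()))
                .toUpperCase();
    }

    /**
     * Builds a PKIX path from the certificate to one of the domain's stored
     * roots, using stored intermediates as the candidate cert store.
     *
     * <p>Review notes:
     * <ul>
     *   <li>Revocation checking is explicitly disabled; no CRL/OCSP lookup happens.</li>
     *   <li>An empty root set makes {@code PKIXBuilderParameters} throw, which is
     *       caught and reported as "no trust path" ({@code null}).</li>
     *   <li>The anchor map is expected to contain both {@code TRUST_ROOT} and
     *       {@code TRUST_INTER} keys; a missing key would surface as an
     *       uncaught {@link NullPointerException} — presumably the DB helper
     *       always supplies both, confirm.</li>
     * </ul>
     *
     * @param x509Certificate certificate to validate
     * @param partnerDomain canonical (upper-cased) partner domain
     * @return the path from the certificate's issuer up to and including the
     *         trusted root, or {@code null} when no path can be built
     */
    @SuppressWarnings("unchecked")
    private List<? extends Certificate> getCertificateTrustPath(X509Certificate x509Certificate, String partnerDomain) {
        try {
            Map<String, Set<?>> trustAnchors = !this.disableTrustStoreCache
                    ? (Map<String, Set<?>>) this.caCertTrustStore.get(partnerDomain)
                    : this.certDBHelper.getTrustAnchors(partnerDomain);
            Set<?> rootAnchors = trustAnchors.get(PartnerCertManagerConstants.TRUST_ROOT);
            Set<?> intermediateCerts = trustAnchors.get(PartnerCertManagerConstants.TRUST_INTER);
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.CERT_TRUST_VALIDATION, "", "Certificate Trust Path Validation for domain: " + partnerDomain);
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.CERT_TRUST_VALIDATION, "", "Total Number of ROOT Trust Found: " + rootAnchors.size());
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.CERT_TRUST_VALIDATION, "", "Total Number of INTERMEDIATE Trust Found: " + intermediateCerts.size());
            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setCertificate(x509Certificate);
            PKIXBuilderParameters pkixParams = new PKIXBuilderParameters((Set<TrustAnchor>) rootAnchors, (CertSelector) targetSelector);
            // No CRL/OCSP: revoked certificates are only distrusted once removed from the store.
            pkixParams.setRevocationEnabled(false);
            pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediateCerts)));
            PKIXCertPathBuilderResult pathResult = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(pkixParams);
            X509Certificate trustedRoot = pathResult.getTrustAnchor().getTrustedCert();
            // CertPath excludes the trust anchor; append it so callers get the full chain.
            List<Certificate> trustPath = new ArrayList<>(pathResult.getCertPath().getCertificates());
            trustPath.add(trustedRoot);
            return trustPath;
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertPathBuilderException e) {
            LOGGER.debug(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.CERT_TRUST_VALIDATION, "", "Ignore this exception, the exception thrown when trust validation failed.");
            return null;
        }
    }

    /**
     * @return whether a trust path to a stored root exists for the certificate in the domain
     */
    private boolean validateCertificatePath(X509Certificate x509Certificate, String partnerDomain) {
        return Objects.nonNull(getCertificateTrustPath(x509Certificate, partnerDomain));
    }

    /**
     * Validates a partner (end-entity) certificate against the domain's trust
     * store, re-signs its public key under the MOSIP master signing key, stores
     * both, and returns the re-signed chain as P7B.
     *
     * <p>Order of checks: parse, domain allow-list, basic params (dates,
     * duration window, not self-signed), trust path to a stored root, then
     * version/organization/key-size/signature-algorithm. Only afterwards is the
     * master signing key touched.
     *
     * <p>Review note: the re-signed chain is fed back through
     * {@link #uploadCACertificate}; its status is only logged, not enforced, so
     * a failed chain store does not fail this request.
     *
     * @param partnerCertificateRequestDto certificate, organization name and domain
     * @return the new certificate id and the re-signed P7B chain
     * @throws PartnerCertManagerException on any failed validation or when the
     *         caller lacks access to the master signing key
     */
    @Override // io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService
    public PartnerCertificateResponseDto uploadPartnerCertificate(PartnerCertificateRequestDto partnerCertificateRequestDto) {
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Uploading Partner Certificate.");
        String certificateData = partnerCertificateRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Invalid Certificate Data provided to upload the partner certificate.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
        }
        X509Certificate partnerCert = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData);
        String certThumbprint = PartnerCertificateManagerUtil.getCertificateThumbprint(partnerCert);
        String orgName = partnerCertificateRequestDto.getOrganizationName();
        String partnerDomain = validateAllowedDomains(partnerCertificateRequestDto.getPartnerDomain());
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner certificate upload for domain: " + partnerDomain);
        validateBasicPartnerCertParams(partnerCert, certThumbprint, orgName, partnerDomain);
        List<? extends Certificate> trustPath = getCertificateTrustPath(partnerCert, partnerDomain);
        if (Objects.isNull(trustPath)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate not allowed to upload as root CA/Intermediate CAs are not found in trust cert path.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.ROOT_INTER_CA_NOT_FOUND.getErrorCode(), PartnerCertManagerErrorConstants.ROOT_INTER_CA_NOT_FOUND.getErrorMessage());
        }
        validateOtherPartnerCertParams(partnerCert, orgName);
        String certSubject = PartnerCertificateManagerUtil.formatCertificateDN(partnerCert.getSubjectX500Principal().getName());
        String certIssuer = PartnerCertificateManagerUtil.formatCertificateDN(partnerCert.getIssuerX500Principal().getName());
        String issuerCertId = this.certDBHelper.getIssuerCertId(certIssuer);
        String certId = UUID.randomUUID().toString();
        X509Certificate mosipRootCert = (X509Certificate) this.keymanagerUtil.convertToCertificate(this.keymanagerService.getCertificate("ROOT", Optional.of("")).getCertificate());
        SignatureCertificate signatureCertificate = this.keymanagerService.getSignatureCertificate(this.masterSignKeyAppId, Optional.of(""), DateUtils.getUTCCurrentDateTimeString());
        X509Certificate masterSignCert = ((X509Certificate[]) signatureCertificate.getCertificateEntry().getChain())[0];
        X509Certificate reSignedCert = reSignPartnerKey(partnerCert, signatureCertificate, partnerDomain);
        this.certDBHelper.storePartnerCertificate(certId, certSubject, certIssuer, issuerCertId, partnerCert, certThumbprint, orgName, partnerDomain, this.keymanagerUtil.getPEMFormatedData(reSignedCert));
        String signedChainP7b = PartnerCertificateManagerUtil.buildP7BCertificateChain(trustPath, reSignedCert, partnerDomain, this.resignFTMDomainCerts, mosipRootCert, masterSignCert);
        CACertificateRequestDto chainUploadRequest = new CACertificateRequestDto();
        chainUploadRequest.setCertificateData(signedChainP7b);
        chainUploadRequest.setPartnerDomain(partnerDomain);
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "Chain Upload Status: ", uploadCACertificate(chainUploadRequest).getStatus());
        PartnerCertificateResponseDto response = new PartnerCertificateResponseDto();
        response.setCertificateId(certId);
        response.setSignedCertificateData(signedChainP7b);
        response.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return response;
    }

    /**
     * First-stage checks on an uploaded partner certificate.
     *
     * <p>Review note: an already-stored thumbprint is only logged, not rejected,
     * so the same partner certificate may be uploaded repeatedly; each upload
     * gets a fresh certificate id and a freshly re-signed certificate.
     *
     * @param x509Certificate uploaded certificate
     * @param certThumbprint its thumbprint, used for the duplicate lookup
     * @param orgName organization name from the request (unused here; checked later)
     * @param partnerDomain canonical partner domain
     * @throws PartnerCertManagerException when dates are invalid, the validity
     *         window exceeds the configured duration plus grace, or the
     *         certificate is self-signed
     */
    private void validateBasicPartnerCertParams(X509Certificate x509Certificate, String certThumbprint, String orgName, String partnerDomain) {
        if (this.certDBHelper.isPartnerCertificateExist(certThumbprint, partnerDomain)) {
            // Deliberately not an error: re-uploads are allowed.
            LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner certificate already exists in Store.");
        }
        if (!PartnerCertificateManagerUtil.isCertificateDatesValid(x509Certificate)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Certificate Dates are not valid.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
        }
        if (!PartnerCertificateManagerUtil.isCertificateValidForDuration(x509Certificate, this.issuerCertDuration, this.gracePeriod)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Certificate Dates are not in allowed range.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorCode(), PartnerCertManagerErrorConstants.CERTIFICATE_DATES_NOT_VALID.getErrorMessage());
        }
        if (PartnerCertificateManagerUtil.isSelfSignedCertificate(x509Certificate)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Self Signed Certificate are not in allowed as Partner.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.SELF_SIGNED_CERT_NOT_ALLOWED.getErrorCode(), PartnerCertManagerErrorConstants.SELF_SIGNED_CERT_NOT_ALLOWED.getErrorMessage());
        }
    }

    /**
     * Second-stage checks, run after the trust path has been established:
     * X.509 v3, subject O matches the request, RSA modulus of at least 2048
     * bits, and a signature algorithm whose name starts with
     * {@code HASH_SHA2}.
     *
     * <p>Review notes: the key-size rule applies to RSA keys only — any
     * non-RSA key (e.g. EC) passes without a size check. The algorithm rule is
     * a prefix match on the JCA name, so every SHA-2 family member the
     * prefix covers is accepted; confirm the constant's value before relying on
     * it to exclude the shorter digests.
     *
     * @param x509Certificate uploaded certificate
     * @param orgName organization name that the subject O must equal exactly
     * @throws PartnerCertManagerException on any failed check
     */
    private void validateOtherPartnerCertParams(X509Certificate x509Certificate, String orgName) {
        if (x509Certificate.getVersion() != 3) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate version not valid, the version has to be V3");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERT_VERSION.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERT_VERSION.getErrorMessage());
        }
        if (!PartnerCertificateManagerUtil.getCertificateOrgName(x509Certificate.getSubjectX500Principal()).equals(orgName)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate Organization and Partner Organization Name not matching.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.PARTNER_ORG_NOT_MATCH.getErrorCode(), PartnerCertManagerErrorConstants.PARTNER_ORG_NOT_MATCH.getErrorMessage());
        }
        PublicKey publicKey = x509Certificate.getPublicKey();
        if (publicKey.getAlgorithm().equalsIgnoreCase("RSA") && ((RSAPublicKey) publicKey).getModulus().bitLength() < 2048) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Partner Certificate key is less than allowed size.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_KEY_NOT_ALLOWED.getErrorCode(), PartnerCertManagerErrorConstants.CERT_KEY_NOT_ALLOWED.getErrorMessage());
        }
        if (!x509Certificate.getSigAlgName().toUpperCase().startsWith(PartnerCertManagerConstants.HASH_SHA2)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Signature Algorithm not supported.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.CERT_SIGNATURE_ALGO_NOT_ALLOWED.getErrorCode(), PartnerCertManagerErrorConstants.CERT_SIGNATURE_ALGO_NOT_ALLOWED.getErrorMessage());
        }
    }

    /**
     * Issues a new certificate for the partner's public key, signed by the
     * master signing key and carrying the partner's subject DN, valid from now
     * for {@code issuerCertDuration} years (in days).
     *
     * <p>The key-access check runs before the private key is used; callers
     * without access to {@code masterSignKeyAppId} are rejected here even
     * though the signing material was already fetched by the caller.
     *
     * @param x509Certificate partner certificate whose subject and public key are reused
     * @param signatureCertificate master key entry (private key + chain)
     * @param partnerDomain canonical partner domain; whether it equals
     *        {@code AUTH_DOMAIN} is passed as the last flag to the certificate
     *        generator — its effect is decided there, not here
     * @return the re-signed certificate
     * @throws PartnerCertManagerException when the caller may not use the master key
     */
    private X509Certificate reSignPartnerKey(X509Certificate x509Certificate, SignatureCertificate signatureCertificate, String partnerDomain) {
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "KeyAlias", "Found Master Key Alias: " + signatureCertificate.getAlias());
        if (!this.cryptomanagerUtil.hasKeyAccess(this.masterSignKeyAppId)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Signing Certifiate is not allowed for the authenticated user for the provided application id.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.SIGN_CERT_NOT_ALLOWED.getErrorCode(), PartnerCertManagerErrorConstants.SIGN_CERT_NOT_ALLOWED.getErrorMessage());
        }
        PrivateKey signingKey = (PrivateKey) signatureCertificate.getCertificateEntry().getPrivateKey();
        X500Principal issuerPrincipal = ((X509Certificate[]) signatureCertificate.getCertificateEntry().getChain())[0].getSubjectX500Principal();
        X500Principal subjectPrincipal = x509Certificate.getSubjectX500Principal();
        PublicKey partnerPublicKey = x509Certificate.getPublicKey();
        int validityDays = PartnerCertManagerConstants.YEAR_DAYS * this.issuerCertDuration;
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "Cert Duration", "Calculated Signed Certficiate Number of Days for expire: " + validityDays);
        LocalDateTime notBefore = DateUtils.getUTCCurrentDateTime();
        LocalDateTime notAfter = notBefore.plus(validityDays, ChronoUnit.DAYS);
        return CertificateUtility.generateX509Certificate(signingKey, partnerPublicKey,
                PartnerCertificateManagerUtil.getCertificateParameters(subjectPrincipal, notBefore, notAfter),
                issuerPrincipal, this.signAlgorithm, this.keyStore.getKeystoreProviderName(),
                partnerDomain.equalsIgnoreCase(PartnerCertManagerConstants.AUTH_DOMAIN));
    }

    /**
     * Returns the stored re-signed certificate for a partner certificate id.
     *
     * <p>Review note: lookup is by id only (no domain or ownership check); the
     * data returned is the re-signed public certificate, not key material.
     *
     * @param partnerCertDownloadRequestDto carries the certificate id
     * @return the signed certificate data and a timestamp
     * @throws PartnerCertManagerException for a malformed id or an unknown id
     */
    @Override // io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService
    public PartnerCertDownloadResponeDto getPartnerCertificate(PartnerCertDownloadRequestDto partnerCertDownloadRequestDto) {
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_PARTNER_CERT, "", "Get Partner Certificate Request.");
        String partnerCertId = partnerCertDownloadRequestDto.getPartnerCertId();
        if (!PartnerCertificateManagerUtil.isValidCertificateID(partnerCertId)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_PARTNER_CERT, "", "Invalid Certificate ID provided to get the partner certificate.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE_ID.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE_ID.getErrorMessage());
        }
        PartnerCertificateStore partnerCert = this.certDBHelper.getPartnerCert(partnerCertId);
        if (Objects.isNull(partnerCert)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.GET_PARTNER_CERT, "", "Partner Certificate not found for the provided ID.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.PARTNER_CERT_ID_NOT_FOUND.getErrorCode(), PartnerCertManagerErrorConstants.PARTNER_CERT_ID_NOT_FOUND.getErrorMessage());
        }
        PartnerCertDownloadResponeDto response = new PartnerCertDownloadResponeDto();
        response.setCertificateData(partnerCert.getSignedCertData());
        response.setTimestamp(DateUtils.getUTCCurrentDateTime());
        return response;
    }

    /**
     * Reports whether a certificate chains to a stored root of the given
     * domain. Uses the same path builder as the upload flows, i.e. without
     * revocation checking; only the parse and the domain allow-list can fail
     * with an exception, a missing path yields {@code status=false}.
     *
     * @param certificateTrustRequestDto certificate data and partner domain
     * @return status true when a trust path exists
     * @throws PartnerCertManagerException on unparsable data or unknown domain
     */
    @Override // io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService
    public CertificateTrustResponeDto verifyCertificateTrust(CertificateTrustRequestDto certificateTrustRequestDto) {
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.CERT_TRUST_VALIDATION, "", "Certificate Trust Path Validation.");
        String certificateData = certificateTrustRequestDto.getCertificateData();
        if (!this.keymanagerUtil.isValidCertificateData(certificateData)) {
            LOGGER.error(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.CERT_TRUST_VALIDATION, "", "Invalid Certificate Data provided to verify partner certificate trust.");
            throw new PartnerCertManagerException(PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorCode(), PartnerCertManagerErrorConstants.INVALID_CERTIFICATE.getErrorMessage());
        }
        X509Certificate x509Certificate = (X509Certificate) this.keymanagerUtil.convertToCertificate(certificateData);
        String partnerDomain = validateAllowedDomains(certificateTrustRequestDto.getPartnerDomain());
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.CERT_TRUST_VALIDATION, "", "Certificate Trust Path Validation for domain: " + partnerDomain);
        boolean trusted = validateCertificatePath(x509Certificate, partnerDomain);
        CertificateTrustResponeDto response = new CertificateTrustResponeDto();
        response.setStatus(Boolean.valueOf(trusted));
        return response;
    }

    /**
     * Expires the cached trust anchors of a domain so the next check reloads
     * them from the database. No-op when caching is disabled.
     *
     * @param partnerDomain domain key as used by the cache (not validated here)
     */
    @Override // io.mosip.kernel.partnercertservice.service.spi.PartnerCertificateManagerService
    public void purgeTrustStoreCache(String partnerDomain) {
        purgeCache(partnerDomain);
        LOGGER.info(PartnerCertManagerConstants.SESSIONID, PartnerCertManagerConstants.UPLOAD_PARTNER_CERT, "", "Trust Store Cache Purge for partner domain " + partnerDomain);
    }

    /** Expires the domain's cache entry immediately; no-op when caching is disabled. */
    private void purgeCache(String partnerDomain) {
        if (this.disableTrustStoreCache) {
            return;
        }
        this.caCertTrustStore.expireAt(partnerDomain, 0L);
    }
}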
