package io.mosip.kernel.clientcrypto.service.impl;

import io.mosip.kernel.clientcrypto.constant.ClientCryptoErrorConstants;
import io.mosip.kernel.clientcrypto.constant.ClientCryptoManagerConstant;
import io.mosip.kernel.clientcrypto.exception.ClientCryptoException;
import io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService;
import io.mosip.kernel.core.crypto.spi.CryptoCoreSpec;
import io.mosip.kernel.core.keymanager.model.CertificateEntry;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.keymanagerservice.logger.KeymanagerLogger;
import io.mosip.kernel.keymanagerservice.service.KeymanagerService;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Objects;
import java.util.Optional;
import javax.crypto.SecretKey;
import javax.validation.constraints.NotNull;
import org.apache.commons.io.FileUtils;
import org.springframework.context.ApplicationContext;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/mosip/kernel/clientcrypto/service/impl/LocalClientCryptoServiceImpl.class */
public class LocalClientCryptoServiceImpl implements ClientCryptoService {
    private static final String ALGORITHM = "RSA";
    private static final int KEY_LENGTH = 2048;
    private static final String SIGN_ALGORITHM = "SHA256withRSA";
    private static final String PRIVATE_KEY = "reg.key";
    private static final String PUBLIC_KEY = "reg.pub";
    private static final String README = "readme.txt";
    protected static CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCore;
    private ApplicationContext applicationContext;
    private Boolean useResidentServiceModuleKey;
    private String residentServiceAppId;
    private static final Logger LOGGER = KeymanagerLogger.getLogger(LocalClientCryptoServiceImpl.class);
    private static SecureRandom secureRandom = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    public LocalClientCryptoServiceImpl(@NotNull CryptoCoreSpec<byte[], byte[], SecretKey, PublicKey, PrivateKey, String> cryptoCoreSpec, @NotNull ApplicationContext applicationContext, Boolean bool, String str) throws Throwable {
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.NON_TPM, "", "Getting the instance of NON_TPM Security");
        backwardCompatibilityFix();
        if (!doesKeysExists()) {
            setupKeysDir();
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048, new SecureRandom());
            KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            createKeyFile(PRIVATE_KEY, generateKeyPair.getPrivate().getEncoded());
            createKeyFile(PUBLIC_KEY, generateKeyPair.getPublic().getEncoded());
            createReadMe(generateKeyPair.getPublic());
            LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.NON_TPM, "", "TPM NOT AVAILABLE - GENERATED NEW KEY PAIR SUCCESSFULLY.");
        }
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.NON_TPM, "", "Completed initializing Local Security Impl");
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.NON_TPM, "", "Check this file for publicKey and KeyIndex : " + getKeysDirPath() + File.separator + "readme.txt");
        cryptoCore = cryptoCoreSpec;
        this.applicationContext = applicationContext;
        this.useResidentServiceModuleKey = bool;
        this.residentServiceAppId = str;
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] signData(@NotNull byte[] bArr) throws ClientCryptoException {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign(getPrivateKey());
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
            try {
                byte[] bArr2 = new byte[2048];
                while (true) {
                    int read = byteArrayInputStream.read(bArr2);
                    if (read == -1) {
                        byte[] sign = signature.sign();
                        byteArrayInputStream.close();
                        return sign;
                    }
                    signature.update(bArr2, 0, read);
                }
            } finally {
            }
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public boolean validateSignature(@NotNull byte[] bArr, @NotNull byte[] bArr2) throws ClientCryptoException {
        try {
            return validateSignature(getPublicKey(), bArr, bArr2);
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] asymmetricEncrypt(@NotNull byte[] bArr) throws ClientCryptoException {
        try {
            return (byte[]) cryptoCore.asymmetricEncrypt(getPublicKey(), bArr);
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] asymmetricDecrypt(@NotNull byte[] bArr) throws ClientCryptoException {
        try {
            return (byte[]) cryptoCore.asymmetricDecrypt(getPrivateKey(), bArr);
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] getSigningPublicPart() throws ClientCryptoException {
        try {
            return getPublicKey().getEncoded();
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public void closeSecurityInstance() throws ClientCryptoException {
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.NON_TPM, "", "Nothing to do, as Local NON-TPM Security Impl is in use");
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public boolean isTPMInstance() {
        return false;
    }

    public static byte[] generateRandomBytes(int i) {
        if (secureRandom == null) {
            secureRandom = new SecureRandom();
        }
        byte[] bArr = new byte[i];
        secureRandom.nextBytes(bArr);
        return bArr;
    }

    @Override // io.mosip.kernel.clientcrypto.service.spi.ClientCryptoService
    public byte[] getEncryptionPublicPart() {
        try {
            return getPublicKey().getEncoded();
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    public static boolean validateSignature(@NotNull byte[] bArr, @NotNull byte[] bArr2, @NotNull byte[] bArr3) throws ClientCryptoException {
        try {
            return validateSignature(KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(bArr)), bArr2, bArr3);
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    public static byte[] asymmetricEncrypt(byte[] bArr, byte[] bArr2) throws ClientCryptoException {
        LOGGER.info(ClientCryptoManagerConstant.SESSIONID, ClientCryptoManagerConstant.NON_TPM, "", "LocalClientSecurity Asymmetric encrypt");
        try {
            X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(bArr);
            return (byte[]) cryptoCore.asymmetricEncrypt(KeyFactory.getInstance("RSA").generatePublic(x509EncodedKeySpec), bArr2);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    private static boolean validateSignature(PublicKey publicKey, byte[] bArr, byte[] bArr2) throws ClientCryptoException {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(publicKey);
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr2);
            try {
                byte[] bArr3 = new byte[2048];
                while (true) {
                    int read = byteArrayInputStream.read(bArr3);
                    if (read == -1) {
                        boolean verify = signature.verify(bArr);
                        byteArrayInputStream.close();
                        return verify;
                    }
                    signature.update(bArr3, 0, read);
                }
            } finally {
            }
        } catch (Exception e) {
            throw new ClientCryptoException(ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorCode(), ClientCryptoErrorConstants.CRYPTO_FAILED.getErrorMessage(), e);
        }
    }

    private void setupKeysDir() {
        new File(getKeysDirPath()).mkdirs();
    }

    private boolean doesKeysExists() {
        File file = new File(getKeysDirPath());
        return file.exists() && ((String[]) Objects.requireNonNull(file.list())).length >= 2;
    }

    private void backwardCompatibilityFix() {
        if (Paths.get(ClientCryptoManagerConstant.KEY_PATH, ClientCryptoManagerConstant.KEYS_DIR, PRIVATE_KEY).toFile().exists()) {
            LOGGER.info("Backward compatibility fix not applicable");
            return;
        }
        Path path = Paths.get(ClientCryptoManagerConstant.KEY_PATH, ClientCryptoManagerConstant.KEYS_DIR);
        File file = new File(System.getProperty("user.home") + File.separator + ".mosipkeys");
        if (!file.exists() || ((String[]) Objects.requireNonNull(file.list())).length < 2) {
            return;
        }
        try {
            FileUtils.copyDirectory(file, path.toFile());
            LOGGER.info("Successfully performed backward compatible fix. Copied {} to {}", new Object[]{file, path});
        } catch (IOException e) {
            LOGGER.error("Failed to perform backward compatible fix. Failed to copy {} to {} due to {}", new Object[]{file, path, e});
        }
    }

    private String getKeysDirPath() {
        return ClientCryptoManagerConstant.KEY_PATH + File.separator + ".mosipkeys";
    }

    private void createKeyFile(String str, byte[] bArr) throws IOException {
        FileOutputStream fileOutputStream = new FileOutputStream(getKeysDirPath() + File.separator + str);
        try {
            fileOutputStream.write(bArr);
            fileOutputStream.close();
        } catch (Throwable th) {
            try {
                fileOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private PrivateKey getPrivateKey() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        if (this.useResidentServiceModuleKey.booleanValue()) {
            return (PrivateKey) getResidentCertificateEntry().getPrivateKey();
        }
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(Paths.get(getKeysDirPath() + File.separator + "reg.key", new String[0]))));
    }

    private PublicKey getPublicKey() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
        if (this.useResidentServiceModuleKey.booleanValue()) {
            return ((X509Certificate[]) getResidentCertificateEntry().getChain())[0].getPublicKey();
        }
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Files.readAllBytes(Paths.get(getKeysDirPath() + File.separator + "reg.pub", new String[0]))));
    }

    private CertificateEntry<X509Certificate, PrivateKey> getResidentCertificateEntry() {
        return ((KeymanagerService) this.applicationContext.getBean(KeymanagerService.class)).getSignatureCertificate(this.residentServiceAppId, Optional.empty(), DateUtils.getUTCCurrentDateTimeString()).getCertificateEntry();
    }

    private void createReadMe(PublicKey publicKey) throws IOException {
        Files.write(Paths.get(getKeysDirPath() + File.separator + "readme.txt", new String[0]), ("MachineName: " + InetAddress.getLocalHost().getHostName().toLowerCase() + "\r\nPublicKey: " + CryptoUtil.encodeToURLSafeBase64(publicKey.getEncoded()) + "\r\nKeyIndex: " + CryptoUtil.computeFingerPrint(publicKey.getEncoded(), (String) null).toLowerCase() + "\r\nNote : Use the above public key and client/machine name to create client machine using admin API\r\nNote : If the keys are lost/deleted, keys are regenerated on next instantiation of this instance. Corresponding client mappings need to be recreated once again.\r\n").getBytes(StandardCharsets.UTF_8), StandardOpenOption.CREATE);
    }
}
