package io.mosip.authentication.common.service.transaction.manager;

import io.mosip.authentication.common.service.repository.DataEncryptKeystoreRepository;
import io.mosip.authentication.common.service.repository.UinHashSaltRepo;
import io.mosip.authentication.core.constant.IdAuthenticationErrorConstants;
import io.mosip.authentication.core.exception.IdAuthUncheckedException;
import io.mosip.authentication.core.exception.IdAuthenticationBusinessException;
import io.mosip.authentication.core.logger.IdaLogger;
import io.mosip.kernel.core.exception.ExceptionUtils;
import io.mosip.kernel.core.keymanager.spi.KeyStore;
import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.core.util.CryptoUtil;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.core.util.HMACUtils;
import io.mosip.kernel.cryptomanager.dto.CryptomanagerRequestDto;
import io.mosip.kernel.cryptomanager.service.CryptomanagerService;
import io.mosip.kernel.keymanagerservice.constant.KeymanagerErrorConstant;
import io.mosip.kernel.keymanagerservice.dto.SignatureRequestDto;
import io.mosip.kernel.keymanagerservice.entity.KeyAlias;
import io.mosip.kernel.keymanagerservice.exception.NoUniqueAliasException;
import io.mosip.kernel.keymanagerservice.repository.KeyAliasRepository;
import io.mosip.kernel.keymanagerservice.service.KeymanagerService;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.LocalDateTime;
import java.time.chrono.ChronoLocalDateTime;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.ThreadLocalRandom;
import java.util.stream.Collectors;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:io/mosip/authentication/common/service/transaction/manager/IdAuthSecurityManager.class */
public class IdAuthSecurityManager {

    @Value("${mosip.kernel.keymanager.softhsm.config-path}")
    private String configPath;

    @Value("${mosip.kernel.crypto.symmetric-algorithm-name}")
    private String aesGCMTransformation;

    @Value("${application.id}")
    private String applicationId;

    @Value("${identity-cache.reference.id}")
    private String referenceId;
    private static final String ENCRYPT_DECRYPT_DATA = "encryptDecryptData";
    private static final String ID_AUTH_TRANSACTION_MANAGER = "IdAuthSecurityManager";
    private static final String HASH_ALGO = "SHA-256";
    private static final int GCM_NONCE_LENGTH = 12;
    private static final int GCM_AAD_LENGTH = 32;
    private static final String WRAPPING_TRANSFORMATION = "AES/ECB/NoPadding";
    private static final int GCM_TAG_LENGTH = 16;
    private static final int INT_BYTES_LEN = 4;
    private Logger mosipLogger = IdaLogger.getLogger(IdAuthSecurityManager.class);

    @Autowired
    private Environment env;

    @Autowired
    private CryptomanagerService cryptomanagerService;

    @Autowired
    private KeymanagerService keyManager;

    @Value("${mosip.sign.applicationid:KERNEL}")
    private String signApplicationid;

    @Value("${mosip.sign.refid:SIGN}")
    private String signRefid;

    @Autowired
    private UinHashSaltRepo uinHashSaltRepo;

    @Autowired
    private DataEncryptKeystoreRepository repo;

    @Autowired
    private KeyAliasRepository keyAliasRepository;

    @Autowired
    private KeyStore keystore;

    public String getUser() {
        return this.env.getProperty("mosip.ida.auth.clientId");
    }

    public byte[] encrypt(String str, String str2, String str3, String str4) throws IdAuthenticationBusinessException {
        try {
            CryptomanagerRequestDto cryptomanagerRequestDto = new CryptomanagerRequestDto();
            cryptomanagerRequestDto.setApplicationId(this.env.getProperty("application.id"));
            cryptomanagerRequestDto.setTimeStamp(DateUtils.getUTCCurrentDateTime());
            cryptomanagerRequestDto.setData(str);
            cryptomanagerRequestDto.setReferenceId(str2);
            cryptomanagerRequestDto.setAad(str3);
            cryptomanagerRequestDto.setSalt(str4);
            return CryptoUtil.decodeBase64(this.cryptomanagerService.encrypt(cryptomanagerRequestDto).getData());
        } catch (NoUniqueAliasException e) {
            this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, ENCRYPT_DECRYPT_DATA, ExceptionUtils.getStackTrace(e));
            throw new IdAuthenticationBusinessException(IdAuthenticationErrorConstants.PUBLICKEY_EXPIRED, e);
        } catch (Exception e2) {
            this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, ENCRYPT_DECRYPT_DATA, ExceptionUtils.getStackTrace(e2));
            throw new IdAuthenticationBusinessException(IdAuthenticationErrorConstants.FAILED_TO_ENCRYPT, e2);
        }
    }

    public byte[] encryptWithAES(String str, byte[] bArr) {
        try {
            int randomKeyIndex = getRandomKeyIndex();
            Key derivedKey = getDerivedKey(str, getDecryptedKey(this.repo.findKeyById(Integer.valueOf(randomKeyIndex))));
            SecureRandom secureRandom = new SecureRandom();
            byte[] bArr2 = new byte[GCM_NONCE_LENGTH];
            byte[] bArr3 = new byte[GCM_AAD_LENGTH];
            secureRandom.nextBytes(bArr2);
            secureRandom.nextBytes(bArr3);
            byte[] doCipherOps = doCipherOps(derivedKey, bArr, 1, bArr2, bArr3);
            byte[] indexBytes = getIndexBytes(randomKeyIndex);
            byte[] bArr4 = new byte[doCipherOps.length + indexBytes.length + GCM_AAD_LENGTH + GCM_NONCE_LENGTH];
            System.arraycopy(indexBytes, 0, bArr4, 0, indexBytes.length);
            System.arraycopy(bArr2, 0, bArr4, indexBytes.length, bArr2.length);
            System.arraycopy(bArr3, 0, bArr4, indexBytes.length + bArr2.length, bArr3.length);
            System.arraycopy(doCipherOps, 0, bArr4, indexBytes.length + bArr2.length + bArr3.length, doCipherOps.length);
            return Base64.getEncoder().encode(bArr4);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, ENCRYPT_DECRYPT_DATA, ExceptionUtils.getStackTrace(e));
            throw new IdAuthUncheckedException(IdAuthenticationErrorConstants.FAILED_TO_ENCRYPT, e);
        }
    }

    private int getRandomKeyIndex() {
        List<Integer> idsByKeyStatus = this.repo.getIdsByKeyStatus("active");
        return idsByKeyStatus.get(ThreadLocalRandom.current().nextInt(0, idsByKeyStatus.size() + 1)).intValue();
    }

    public byte[] decrypt(String str, String str2, String str3, String str4) throws IdAuthenticationBusinessException {
        try {
            CryptomanagerRequestDto cryptomanagerRequestDto = new CryptomanagerRequestDto();
            cryptomanagerRequestDto.setApplicationId(this.env.getProperty("application.id"));
            cryptomanagerRequestDto.setTimeStamp(DateUtils.getUTCCurrentDateTime());
            cryptomanagerRequestDto.setData(str);
            cryptomanagerRequestDto.setReferenceId(str2);
            cryptomanagerRequestDto.setAad(str3);
            cryptomanagerRequestDto.setSalt(str4);
            return CryptoUtil.decodeBase64(this.cryptomanagerService.decrypt(cryptomanagerRequestDto).getData());
        } catch (NoUniqueAliasException e) {
            this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, ENCRYPT_DECRYPT_DATA, ExceptionUtils.getStackTrace(e));
            throw new IdAuthenticationBusinessException(IdAuthenticationErrorConstants.PUBLICKEY_EXPIRED, e);
        } catch (Exception e2) {
            this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, ENCRYPT_DECRYPT_DATA, ExceptionUtils.getStackTrace(e2));
            throw new IdAuthenticationBusinessException(IdAuthenticationErrorConstants.INVALID_ENCRYPTION, e2);
        }
    }

    public byte[] decryptWithAES(String str, byte[] bArr) throws IdAuthenticationBusinessException {
        try {
            byte[] decode = Base64.getDecoder().decode(bArr);
            byte[] copyOfRange = Arrays.copyOfRange(decode, 0, INT_BYTES_LEN);
            byte[] copyOfRange2 = Arrays.copyOfRange(decode, INT_BYTES_LEN, GCM_TAG_LENGTH);
            byte[] copyOfRange3 = Arrays.copyOfRange(decode, GCM_TAG_LENGTH, 48);
            return doCipherOps(getDerivedKey(str, getDecryptedKey(this.repo.findKeyById(Integer.valueOf(getIndexInt(copyOfRange))))), Arrays.copyOfRange(decode, 48, decode.length), 2, copyOfRange2, copyOfRange3);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, ENCRYPT_DECRYPT_DATA, ExceptionUtils.getStackTrace(e));
            throw new IdAuthenticationBusinessException(IdAuthenticationErrorConstants.FAILED_TO_ENCRYPT, e);
        }
    }

    private int getIndexInt(byte[] bArr) {
        return ByteBuffer.wrap(bArr).getInt();
    }

    public String sign(String str) {
        return this.keyManager.sign(new SignatureRequestDto(this.signApplicationid, this.signRefid, DateUtils.getUTCCurrentDateTimeString(), str)).getData();
    }

    public String hash(String str) {
        return HMACUtils.digestAsPlainTextWithSalt(str.getBytes(), this.uinHashSaltRepo.retrieveSaltById(Long.valueOf(Long.parseLong(str) % ((Integer) this.env.getProperty("ida.uin.salt.modulo", Integer.class)).intValue())).getBytes());
    }

    private Key getDecryptedKey(String str) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        Cipher cipher = Cipher.getInstance(WRAPPING_TRANSFORMATION);
        byte[] decode = Base64.getDecoder().decode(str);
        cipher.init(2, getMasterKeyFromHSM());
        byte[] doFinal = cipher.doFinal(decode, 0, decode.length);
        return new SecretKeySpec(doFinal, 0, doFinal.length, "AES");
    }

    private Key getDerivedKey(String str, Key key) throws NoSuchAlgorithmException {
        byte[] bytes = str.getBytes();
        byte[] encoded = key.getEncoded();
        MessageDigest messageDigest = MessageDigest.getInstance(HASH_ALGO);
        messageDigest.update(bytes, 0, bytes.length);
        messageDigest.update(encoded, 0, encoded.length);
        byte[] digest = messageDigest.digest();
        return new SecretKeySpec(digest, 0, digest.length, "AES");
    }

    private Key getMasterKeyFromHSM() {
        String keyAlias = getKeyAlias();
        if (Objects.nonNull(keyAlias)) {
            return this.keystore.getSymmetricKey(keyAlias);
        }
        this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, "getMasterKeyFromHSM", "No Key Alias found.");
        throw new IdAuthUncheckedException(IdAuthenticationErrorConstants.FAILED_TO_FETCH_KEY);
    }

    private String getKeyAlias() {
        List list = (List) ((List) this.keyAliasRepository.findByApplicationIdAndReferenceId(this.applicationId, this.referenceId).stream().sorted((keyAlias, keyAlias2) -> {
            return keyAlias.getKeyGenerationTime().compareTo((ChronoLocalDateTime<?>) keyAlias2.getKeyGenerationTime());
        }).collect(Collectors.toList())).stream().filter(keyAlias3 -> {
            return isValidTimestamp(DateUtils.getUTCCurrentDateTime(), keyAlias3);
        }).collect(Collectors.toList());
        if (list.isEmpty() || list.size() != 1) {
            this.mosipLogger.error(getUser(), ID_AUTH_TRANSACTION_MANAGER, ENCRYPT_DECRYPT_DATA, "CurrentKeyAlias is not unique. KeyAlias count: " + list.size());
            throw new NoUniqueAliasException(KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorCode(), KeymanagerErrorConstant.NO_UNIQUE_ALIAS.getErrorMessage());
        }
        this.mosipLogger.info(getUser(), ID_AUTH_TRANSACTION_MANAGER, "getKeyAlias", "CurrentKeyAlias size is one. Will decrypt symmetric key for this alias");
        return ((KeyAlias) list.get(0)).getAlias();
    }

    private boolean isValidTimestamp(LocalDateTime localDateTime, KeyAlias keyAlias) {
        return localDateTime.isEqual(keyAlias.getKeyGenerationTime()) || localDateTime.isEqual(keyAlias.getKeyExpiryTime()) || (localDateTime.isAfter(keyAlias.getKeyGenerationTime()) && localDateTime.isBefore(keyAlias.getKeyExpiryTime()));
    }

    private byte[] doCipherOps(Key key, byte[] bArr, int i, byte[] bArr2, byte[] bArr3) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
        Cipher cipher = Cipher.getInstance(this.aesGCMTransformation);
        cipher.init(i, key, new GCMParameterSpec(128, bArr2));
        cipher.updateAAD(bArr3);
        return cipher.doFinal(bArr, 0, bArr.length);
    }

    private byte[] getIndexBytes(int i) {
        ByteBuffer allocate = ByteBuffer.allocate(INT_BYTES_LEN);
        allocate.putInt(i);
        return allocate.array();
    }
}
