package com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.service.impl;

import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.constant.AccountManagementApiResponseCode;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.dao.CRPSecretDAO;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.dto.CertificateDTO;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.entity.CRPSecret;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.entity.secret.CertificateSecret;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.entity.secret.SecretContent;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.enum_type.SecretStatus;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.enum_type.SecretSubType;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.enum_type.SecretType;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.mapstruct.CertificateSecretMapper;
import com.gitlab.credit_reference_platform.crp.gateway.acctmgmt.service.ICertificateSecretService;
import com.gitlab.credit_reference_platform.crp.gateway.constant.ApiResponseCode;
import com.gitlab.credit_reference_platform.crp.gateway.exception.ServiceException;
import com.gitlab.credit_reference_platform.crp.gateway.http.util.HttpAuthenticationUtils;
import com.gitlab.vincenthung.commons.security.certificate.reader.CertificateDetail;
import com.gitlab.vincenthung.commons.security.certificate.reader.CertificateReaderException;
import com.gitlab.vincenthung.commons.security.keystore.factory.KeyStoreFactory;
import com.gitlab.vincenthung.commons.security.keystore.factory.KeyStoreFactoryException;
import com.gitlab.vincenthung.commons.security.util.PrivateKeyUtils;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import lombok.Generated;
import org.apache.sshd.common.channel.PtyChannelConfigurationHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.StringUtils;

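@Transactional(readOnly = true)
@Service
/*
 * Recovered from BOOT-INF/lib/crp-gateway-acctmgmt-service-2.0.1.jar; decompiler artefacts
 * (positional names, redundant casts, stray sshd constant) have been cleaned up.
 *
 * Service managing CERTIFICATE secrets: upload (parse + validate, stored INACTIVE), status
 * changes with single-active-per-subtype enforcement, and retrieval of the active certificate
 * chain / private key entry for a given SecretSubType.
 *
 * NOTE(review): private keys are persisted Base64-encoded by this class; any encryption at rest
 * has to come from SecretContent or the persistence layer - confirm before relying on it.
 */
public class CertificateSecretServiceImpl implements ICertificateSecretService {

    private static final Logger log = LoggerFactory.getLogger(CertificateSecretServiceImpl.class);

    private static final String ERROR_MSG_CERTIFICATE_INCORRECT_FORMAT = "The format of the certificate is incorrect";
    /** Key algorithm accepted for uploaded private keys; everything is loaded as RSA. */
    private static final String PRIVATE_KEY_TYPE = "RSA";
    /** Alias used when loading an uploaded key pair into the throw-away validation keystore. */
    private static final String VALIDATION_KEY_ALIAS = "crp-gateway";
    /**
     * Password of the throw-away validation keystore built in {@link #validatePrivateKey}. The
     * keystore is discarded immediately, so the value protects nothing. The decompiled code
     * referenced sshd's {@code PtyChannelConfigurationHolder.DUMMY_PTY_TYPE} ("dummy") here, which
     * is the same string; the sshd dependency is not needed for that.
     */
    private static final String VALIDATION_KEYSTORE_PASSWORD = "dummy";
    private static final SecretType SECRET_TYPE = SecretType.CERTIFICATE;

    @Autowired
    private CRPSecretDAO crpSecretDAO;

    /**
     * Lists certificate secrets, optionally narrowed to one sub type.
     *
     * @param secretSubType sub type filter; {@code null} lists every CERTIFICATE secret
     * @return mapped DTOs (whatever the mapper returns for an empty DAO result)
     */
    @Override
    public List<CertificateDTO> listCertificates(SecretSubType secretSubType) {
        List<CRPSecret> secrets = secretSubType == null
                ? this.crpSecretDAO.findBySecretType(SECRET_TYPE)
                : this.crpSecretDAO.findBySecretTypeAndSubType(SECRET_TYPE, secretSubType);
        return CertificateSecretMapper.MAPPER.toDTOs(secrets);
    }

    /**
     * Parses and stores a new certificate (plus private key when the sub type requires one).
     * The new entry is always persisted as {@link SecretStatus#INACTIVE}, so an upload never
     * changes which key material is live until it is explicitly activated via
     * {@link #updateCertificateById}.
     *
     * @param secretSubType     sub type of the certificate; decides whether a private key is required
     * @param publicCertificate raw certificate bytes as accepted by {@link CertificateDetail}
     * @param privateKey        raw private key bytes (PKCS#8 per the error message below); ignored when
     *                          the sub type does not require a private key
     * @return DTO of the persisted secret
     * @throws ServiceException PARAMETER_IMPERFECT on missing arguments, PRIVATE_KEY_MISSING /
     *                          PRIVATE_KEY_FORMAT_INCORRECT / CERTIFICATE_FORMAT_INCORRECT on bad input
     */
    @Override
    @Transactional(readOnly = false, propagation = Propagation.SUPPORTS, rollbackFor = {Throwable.class})
    public CertificateDTO createCertificate(SecretSubType secretSubType, byte[] publicCertificate, byte[] privateKey)
            throws ServiceException {
        if (publicCertificate == null) {
            throw new ServiceException(ApiResponseCode.PARAMETER_IMPERFECT, "publicCertificateIS cannot be null");
        }
        if (secretSubType == null) {
            throw new ServiceException(ApiResponseCode.PARAMETER_IMPERFECT, "certType cannot be null");
        }
        boolean privateKeyRequired = secretSubType.isRequiredPrivateKey();
        if (privateKeyRequired && privateKey == null) {
            throw new ServiceException(AccountManagementApiResponseCode.PRIVATE_KEY_MISSING,
                    "privateKey is required for this certType but null is found");
        }

        CertificateDetail detail = parseCertificate(publicCertificate, "createCertificate");
        CertificateSecret certificateSecret = new CertificateSecret();
        certificateSecret.setCommonName(detail.getCommonName());
        certificateSecret.setOrgName(detail.getOrgName());
        certificateSecret.setIssuer(detail.getIssuer());
        certificateSecret.setSerialNumber(detail.getSerialNumber());
        certificateSecret.setValidFrom(detail.getValidFrom().toInstant());
        certificateSecret.setValidUntil(detail.getValidUntil().toInstant());
        certificateSecret.setEncodedCertificate(Base64.getEncoder().encodeToString(publicCertificate));
        if (privateKeyRequired) {
            // A key supplied for a sub type that does not need one is deliberately not stored.
            validatePrivateKey(privateKey, publicCertificate);
            certificateSecret.setEncodedPrivateKey(Base64.getEncoder().encodeToString(privateKey));
        }

        SecretContent content = new SecretContent();
        content.setCertificate(certificateSecret);

        CRPSecret secret = new CRPSecret();
        secret.setSecretType(SECRET_TYPE);
        secret.setSubType(secretSubType);
        secret.setStatus(SecretStatus.INACTIVE);
        secret.setSecret(content);
        secret.setCreatedBy(HttpAuthenticationUtils.getAuthorizedUsername());
        secret.setCreatedTime(Instant.now());
        // NOTE(review): Propagation.SUPPORTS opens no transaction of its own; this save relies on
        // the caller's or the DAO's transaction. updateCertificateById uses REQUIRED - confirm intended.
        return CertificateSecretMapper.MAPPER.toDTO((CRPSecret) this.crpSecretDAO.save(secret));
    }

    /**
     * Looks up one certificate secret by id.
     *
     * @param id secret id
     * @return the DTO, or {@code null} when no secret with that id exists or it is not a CERTIFICATE
     */
    @Override
    public CertificateDTO getCertificateById(long id) {
        return this.crpSecretDAO.findById(Long.valueOf(id))
                .filter(CertificateSecretServiceImpl::hasCertificateType)
                .map(secret -> CertificateSecretMapper.MAPPER.toDTO(secret))
                .orElse(null);
    }

    /**
     * Updates the status of a certificate secret. Only the status is updatable through this
     * method; other DTO fields are ignored. Activating a certificate deactivates every other
     * ACTIVE certificate of the same sub type, except for CRP_SERVER_CERTIFICATE, so that at most
     * one certificate per sub type is live.
     *
     * @param id             id of the secret to update
     * @param certificateDTO carries the new status; its id, when set, must equal {@code id}
     * @return {@code true} when the status changed and was saved, {@code false} when nothing changed
     * @throws ServiceException PARAMETER_IMPERFECT when the DTO is null, CERTIFICATE_NOT_FOUND when
     *                          no CERTIFICATE secret has that id, ID_MISMATCH_ON_UPDATE_CERTIFICATE
     *                          when the DTO id disagrees with {@code id}
     */
    @Override
    @Transactional(readOnly = false, propagation = Propagation.REQUIRED, rollbackFor = {Throwable.class})
    public boolean updateCertificateById(long id, CertificateDTO certificateDTO) throws ServiceException {
        if (certificateDTO == null) {
            throw new ServiceException(ApiResponseCode.PARAMETER_IMPERFECT, "certificateDTO cannot be null");
        }
        // Type check added for consistency with get/delete: a certificate endpoint must not flip
        // the status of secrets of another type.
        CRPSecret target = this.crpSecretDAO.findById(Long.valueOf(id))
                .filter(CertificateSecretServiceImpl::hasCertificateType)
                .orElseThrow(() -> new ServiceException(AccountManagementApiResponseCode.CERTIFICATE_NOT_FOUND));
        if (certificateDTO.getId() != null && !certificateDTO.getId().equals(Long.valueOf(id))) {
            throw new ServiceException(AccountManagementApiResponseCode.ID_MISMATCH_ON_UPDATE_CERTIFICATE);
        }

        SecretStatus newStatus = certificateDTO.getStatus();
        if (newStatus == null || newStatus.equals(target.getStatus())) {
            return false;
        }
        // Siblings are demoted only on activation and before the target's own status is written,
        // so the target (whose stored status is not ACTIVE at this point) can never be caught by
        // the ACTIVE query. The original ran this on every status change, which would also wipe
        // out the other certificates when merely deactivating one.
        if (SecretStatus.ACTIVE.equals(newStatus)
                && !SecretSubType.CRP_SERVER_CERTIFICATE.equals(target.getSubType())) {
            deactivateActiveCertificates(target.getSubType());
        }
        target.setStatus(newStatus);
        this.crpSecretDAO.save(target);
        return true;
    }

    /**
     * Deletes a certificate secret.
     * NOTE(review): an ACTIVE certificate is deleted without any guard; if that must be prevented,
     * the check belongs here or in the controller - confirm.
     *
     * @param id secret id
     * @return {@code true} when a CERTIFICATE secret with that id existed and was deleted
     */
    @Override
    @Transactional(readOnly = false, propagation = Propagation.SUPPORTS, rollbackFor = {Throwable.class})
    public boolean deleteCertificateById(long id) {
        Optional<CRPSecret> found = this.crpSecretDAO.findById(Long.valueOf(id))
                .filter(CertificateSecretServiceImpl::hasCertificateType);
        if (!found.isPresent()) {
            return false;
        }
        this.crpSecretDAO.delete(found.get());
        return true;
    }

    /**
     * Parses every ACTIVE certificate of the given sub type.
     *
     * @param secretSubType sub type to look up
     * @return the parsed certificates (entries without stored certificate text are skipped), or
     *         {@code null} when no ACTIVE secret exists - kept because interface callers test for null
     * @throws ServiceException CERTIFICATE_FORMAT_INCORRECT when a stored certificate no longer parses
     */
    @Override
    public List<X509Certificate> getActiveCertificates(SecretSubType secretSubType) throws ServiceException {
        List<CRPSecret> active =
                this.crpSecretDAO.findBySecretTypeAndSubTypeAndStatus(SECRET_TYPE, secretSubType, SecretStatus.ACTIVE);
        if (active == null || active.isEmpty()) {
            return null;
        }
        List<X509Certificate> certificates = new ArrayList<>(active.size());
        for (CRPSecret secret : active) {
            String encoded = encodedCertificateOf(secret);
            if (!StringUtils.hasText(encoded)) {
                continue;
            }
            // Assumes CertificateDetail.getCertificate() yields an X509Certificate; the original
            // stored it in a raw list so the compiler never checked this - confirm.
            certificates.add(parseCertificate(Base64.getDecoder().decode(encoded), "getActiveCertificates")
                    .getCertificate());
        }
        return certificates;
    }

    /**
     * Returns the first usable private-key entry among the ACTIVE certificates of a sub type.
     *
     * @param secretSubType sub type; must be one that carries a private key
     * @return the entry, or {@code null} when no ACTIVE secret has both certificate and key stored
     * @throws ServiceException PARAMETER_IMPERFECT for a null sub type,
     *                          SUB_TYPE_NOT_SUPPORTED_PRIVATE_KEY when the sub type has no key,
     *                          CERTIFICATE_FORMAT_INCORRECT / PRIVATE_KEY_FORMAT_INCORRECT on stored data
     *                          that no longer parses
     */
    @Override
    public KeyStore.PrivateKeyEntry getActivePrivateKeyEntry(SecretSubType secretSubType) throws ServiceException {
        if (secretSubType == null) {
            throw new ServiceException(ApiResponseCode.PARAMETER_IMPERFECT, "secretSubType cannot be null");
        }
        if (!secretSubType.isRequiredPrivateKey()) {
            throw new ServiceException(AccountManagementApiResponseCode.SUB_TYPE_NOT_SUPPORTED_PRIVATE_KEY,
                    MessageFormat.format("The SecretSubType [{0}] is not supported for getting PrivateKeyEntry",
                            secretSubType.name()));
        }
        List<CRPSecret> active =
                this.crpSecretDAO.findBySecretTypeAndSubTypeAndStatus(SECRET_TYPE, secretSubType, SecretStatus.ACTIVE);
        if (active == null) {
            return null;
        }
        for (CRPSecret secret : active) {
            if (secret == null || secret.getSecret() == null) {
                continue;
            }
            KeyStore.PrivateKeyEntry entry = toPrivateKeyEntry(secret.getSecret().getCertificate());
            if (entry != null) {
                return entry;
            }
        }
        return null;
    }

    /**
     * Builds a {@link KeyStore.PrivateKeyEntry} from the stored certificate and private key.
     * Certificate parsing and key loading are handled separately so that each failure is reported
     * with its own response code; the decompiled nesting routed certificate errors into the
     * private-key handler.
     *
     * @param certificateSecret stored certificate record, may be {@code null}
     * @return the entry, or {@code null} when either the certificate or the key text is absent
     * @throws ServiceException CERTIFICATE_FORMAT_INCORRECT or PRIVATE_KEY_FORMAT_INCORRECT
     */
    private static KeyStore.PrivateKeyEntry toPrivateKeyEntry(CertificateSecret certificateSecret) throws ServiceException {
        if (certificateSecret == null) {
            return null;
        }
        String encodedCertificate = certificateSecret.getEncodedCertificate();
        String encodedPrivateKey = certificateSecret.getEncodedPrivateKey();
        if (!StringUtils.hasText(encodedCertificate) || !StringUtils.hasText(encodedPrivateKey)) {
            return null;
        }
        Certificate certificate =
                parseCertificate(Base64.getDecoder().decode(encodedCertificate), "getActivePrivateKeyEntry").getCertificate();
        try {
            // Exception is caught broadly because PrivateKeyUtils' exception surface is not visible
            // here; a corrupt Base64 value (IllegalArgumentException) ends up here as well.
            return new KeyStore.PrivateKeyEntry(
                    PrivateKeyUtils.loadPrivateKey(
                            new ByteArrayInputStream(Base64.getDecoder().decode(encodedPrivateKey)), PRIVATE_KEY_TYPE),
                    new Certificate[] {certificate});
        } catch (Exception e) {
            log.error("Failed to read the privateKey", e);
            throw new ServiceException(AccountManagementApiResponseCode.PRIVATE_KEY_FORMAT_INCORRECT,
                    "The format of the private key is incorrect", e);
        }
    }

    /**
     * Parses raw certificate bytes, mapping reader failures to CERTIFICATE_FORMAT_INCORRECT.
     *
     * @param certificateBytes raw bytes as accepted by {@link CertificateDetail}
     * @param operation        name of the calling operation, used in the log line only
     */
    private static CertificateDetail parseCertificate(byte[] certificateBytes, String operation) throws ServiceException {
        try {
            return new CertificateDetail(certificateBytes);
        } catch (CertificateReaderException e) {
            log.error("Failed to read the publicCertificate during {}", operation, e);
            throw new ServiceException(AccountManagementApiResponseCode.CERTIFICATE_FORMAT_INCORRECT,
                    ERROR_MSG_CERTIFICATE_INCORRECT_FORMAT, e);
        }
    }

    /**
     * Checks that an uploaded private key loads next to its certificate by building a throw-away
     * keystore; the keystore itself is discarded, the load is the check.
     * NOTE(review): whether the factory also verifies that the key matches the certificate's
     * public key is not visible here - confirm, otherwise a mismatched pair is accepted.
     */
    private static void validatePrivateKey(byte[] privateKey, byte[] certificate) throws ServiceException {
        InputStream keyIn = new ByteArrayInputStream(privateKey);
        InputStream certIn = new ByteArrayInputStream(certificate);
        try {
            KeyStoreFactory.init(null, null, null).addPrivateKeyWithCertificate(keyIn, certIn, PRIVATE_KEY_TYPE,
                    VALIDATION_KEY_ALIAS, VALIDATION_KEYSTORE_PASSWORD.toCharArray(), false);
        } catch (KeyStoreFactoryException e) {
            log.error("Failed to load the privateKey", e);
            throw new ServiceException(AccountManagementApiResponseCode.PRIVATE_KEY_FORMAT_INCORRECT,
                    "The format of the private key is incorrect, required PKCS#8", e);
        }
    }

    /** Sets every ACTIVE certificate of the sub type to INACTIVE and saves it. */
    private void deactivateActiveCertificates(SecretSubType subType) {
        List<CRPSecret> active =
                this.crpSecretDAO.findBySecretTypeAndSubTypeAndStatus(SECRET_TYPE, subType, SecretStatus.ACTIVE);
        if (active == null) {
            return;
        }
        for (CRPSecret other : active) {
            other.setStatus(SecretStatus.INACTIVE);
            this.crpSecretDAO.save(other);
        }
    }

    /** True when the secret exists and is of type CERTIFICATE. */
    private static boolean hasCertificateType(CRPSecret secret) {
        return secret != null && SECRET_TYPE.equals(secret.getSecretType());
    }

    /** Stored Base64 certificate text of a secret, or {@code null} when any link in the chain is missing. */
    private static String encodedCertificateOf(CRPSecret secret) {
        if (secret == null || secret.getSecret() == null || secret.getSecret().getCertificate() == null) {
            return null;
        }
        return secret.getSecret().getCertificate().getEncodedCertificate();
    }
}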
