package io.jans.ca.server.service;

import com.google.common.collect.Lists;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.AuthCryptoProvider;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.exception.CryptoProviderException;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.JSONWebKey;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.util.Util;
import io.jans.ca.common.ErrorResponseCode;
import io.jans.ca.common.ExpiredObject;
import io.jans.ca.common.ExpiredObjectType;
import io.jans.ca.server.HttpException;
import io.jans.ca.server.configuration.ApiAppConfiguration;
import io.jans.ca.server.persistence.service.MainPersistenceService;
import io.jans.ca.server.persistence.service.PersistenceServiceImpl;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.security.KeyStoreException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.List;
import org.json.JSONObject;
import org.slf4j.Logger;

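/**
 * Generates, caches and persists the relying-party JWKS of this jans_client_api instance and
 * hands out the {@link AbstractCryptoProvider} that backs signing.
 *
 * <p>The JWKS is produced from the configured keystore, kept in the {@code keys} field and stored
 * as an {@link ExpiredObject} of type {@link ExpiredObjectType#JWKS} so that it survives restarts
 * until it expires. Lookups go memory, then storage, then fresh generation.
 *
 * <p>NOTE(review): {@code keys} is unsynchronized shared state of an application-scoped bean, so
 * concurrent first-time callers of {@link #getKeys()} may each trigger generation — confirm
 * whether that is acceptable for this deployment before adding locking.
 */
@ApplicationScoped
public class KeyGeneratorService {

    /** Signature algorithms for which a key is generated into the JWKS. */
    private static final List<Algorithm> SIGNING_ALGORITHMS = Arrays.asList(
            Algorithm.RS256, Algorithm.RS384, Algorithm.RS512,
            Algorithm.ES256, Algorithm.ES384, Algorithm.ES512,
            Algorithm.PS256, Algorithm.PS384, Algorithm.PS512);

    /** Encryption algorithms for which a key is generated into the JWKS. */
    private static final List<Algorithm> ENCRYPTION_ALGORITHMS = Arrays.asList(
            Algorithm.RSA1_5, Algorithm.RSA_OAEP);

    /** Milliseconds per minute; expiry is evaluated at whole-minute granularity. */
    private static final long MILLIS_PER_MINUTE = 60000L;

    @Inject
    Logger logger;

    @Inject
    PersistenceServiceImpl persistenceService;

    @Inject
    MainPersistenceService jansConfigurationService;

    /** In-memory copy of the current JWKS; {@code null} until loaded or generated. */
    private JSONWebKeySet keys;

    /**
     * Creates a crypto provider on top of the configured keystore.
     *
     * <p>A new {@link AuthCryptoProvider} is built on every call from the keystore path, password
     * and DN found in the current {@link ApiAppConfiguration}; nothing is cached here.
     *
     * @return a freshly constructed provider bound to the configured keystore
     * @throws KeyStoreException if the provider cannot open the keystore
     */
    public AbstractCryptoProvider getCryptoProvider() throws KeyStoreException {
        ApiAppConfiguration configuration = getConfiguration();
        try {
            return new AuthCryptoProvider(
                    configuration.getCryptProviderKeyStorePath(),
                    configuration.getCryptProviderKeyStorePassword(),
                    configuration.getCryptProviderDnName());
        } catch (KeyStoreException e) {
            // The cause is rethrown; only a short marker is logged so the password never lands in a log.
            this.logger.error("Failed to create CryptoProvider.");
            throw e;
        }
    }

    /** Reads the current application configuration from the configuration service. */
    private ApiAppConfiguration getConfiguration() {
        return this.jansConfigurationService.find();
    }

    /**
     * Generates a new JWKS for all supported signing and encryption algorithms, persists it and
     * makes it the in-memory key set.
     *
     * <p>Does nothing when {@code enableJwksGeneration} is not {@code true} in the configuration;
     * an unset flag is treated as disabled rather than unboxed into a {@link NullPointerException}.
     *
     * @throws KeyStoreException if the keystore backing the crypto provider cannot be opened
     */
    public void generateKeys() throws KeyStoreException {
        ApiAppConfiguration configuration = getConfiguration();
        if (!Boolean.TRUE.equals(configuration.getEnableJwksGeneration())) {
            return;
        }
        try {
            JSONWebKeySet generated = generateKeys(
                    SIGNING_ALGORITHMS, ENCRYPTION_ALGORITHMS, configuration.getJwksExpirationInHours());
            saveKeysInStorage(generated.toString());
            setKeys(generated);
        } catch (KeyStoreException e) {
            this.logger.error("Failed to generate json web keys.");
            throw e;
        }
    }

    /**
     * Builds a JWKS by asking the crypto provider for one key per requested algorithm.
     *
     * @param signatureAlgorithms  algorithms generated first
     * @param encryptionAlgorithms algorithms generated second
     * @param expirationInHours    lifetime handed to the provider as an absolute expiry timestamp
     * @return the key set; algorithms whose generation failed are logged and left out
     * @throws KeyStoreException if the crypto provider cannot be created
     */
    private JSONWebKeySet generateKeys(List<Algorithm> signatureAlgorithms,
                                       List<Algorithm> encryptionAlgorithms,
                                       int expirationInHours) throws KeyStoreException {
        this.logger.trace("Generating jwks keys...");
        Calendar expiration = new GregorianCalendar();
        expiration.add(Calendar.HOUR, expirationInHours);
        long expirationTime = expiration.getTimeInMillis();

        AbstractCryptoProvider cryptoProvider = getCryptoProvider();
        JSONWebKeySet keySet = new JSONWebKeySet();
        addGeneratedKeys(keySet, cryptoProvider, signatureAlgorithms, expirationTime);
        addGeneratedKeys(keySet, cryptoProvider, encryptionAlgorithms, expirationTime);
        this.logger.trace("jwks generated successfully.");
        return keySet;
    }

    /**
     * Generates one key per algorithm and appends it to {@code keySet}; a failure for one
     * algorithm is logged and skipped so the remaining algorithms are still produced.
     */
    private void addGeneratedKeys(JSONWebKeySet keySet, AbstractCryptoProvider cryptoProvider,
                                  List<Algorithm> algorithms, long expirationTime) {
        for (Algorithm algorithm : algorithms) {
            try {
                JSONObject generated = cryptoProvider.generateKey(algorithm, expirationTime);
                keySet.getKeys().add(JSONWebKey.fromJSONObject(generated));
            } catch (Exception e) {
                // Best effort by design: the algorithm is named so the gap in the JWKS is explainable.
                this.logger.error("Failed to generate key for algorithm {}: {}", algorithm, e.getMessage(), e);
            }
        }
    }

    /**
     * Signs {@code jwt} in place with the key identified by its header {@code kid}.
     *
     * @param jwt                the token whose signing input is signed; its encoded signature is set
     * @param str                passed through as the third argument of
     *                           {@link AbstractCryptoProvider#sign}; presumably the shared secret used by
     *                           HMAC algorithms — confirm against the provider. It is never logged here.
     * @param signatureAlgorithm algorithm to sign with
     * @return the same {@code jwt} instance, now carrying a signature
     * @throws CryptoProviderException if the provider fails to sign
     * @throws KeyStoreException       if the keystore cannot be opened
     * @throws InvalidJwtException     if the token cannot be turned into a signing input
     */
    public Jwt sign(Jwt jwt, String str, SignatureAlgorithm signatureAlgorithm)
            throws CryptoProviderException, KeyStoreException, InvalidJwtException {
        try {
            String signature = getCryptoProvider().sign(
                    jwt.getSigningInput(), jwt.getHeader().getKeyId(), str, signatureAlgorithm);
            jwt.setEncodedSignature(signature);
            return jwt;
        } catch (CryptoProviderException | KeyStoreException | InvalidJwtException e) {
            this.logger.error("Failed to sign signingInput.");
            throw e;
        }
    }

    /**
     * Returns the current JWKS, loading it from storage or generating it when nothing usable is
     * cached in memory.
     *
     * @return a non-empty key set (memory, then storage, then freshly generated)
     * @throws HttpException     (unchecked) with {@link ErrorResponseCode#JWKS_GENERATION_DISABLE}
     *                           when generation is disabled in the configuration
     * @throws KeyStoreException if keys had to be generated and the keystore cannot be opened
     */
    public JSONWebKeySet getKeys() throws KeyStoreException {
        if (!Boolean.TRUE.equals(getConfiguration().getEnableJwksGeneration())) {
            this.logger.info("Relying party JWKS generation is disabled in running jans_client_api instance. To enable it set `enableJwksGeneration` field to true in ApiAppConfiguration.");
            throw new HttpException(ErrorResponseCode.JWKS_GENERATION_DISABLE);
        }
        // Debug rather than info: this runs on every key lookup and prints the entire key set.
        this.logger.debug("Keys found: {}", this.keys);
        if (!isEmpty(this.keys)) {
            return this.keys;
        }
        JSONWebKeySet stored = getKeysFromStorage();
        if (!isEmpty(stored)) {
            this.keys = stored;
            return this.keys;
        }
        generateKeys();
        return this.keys;
    }

    /** Replaces the in-memory key set. */
    public void setKeys(JSONWebKeySet jSONWebKeySet) {
        this.keys = jSONWebKeySet;
    }

    /**
     * Looks up the {@code kid} to use for {@code algorithm}/{@code use} in the current JWKS.
     *
     * <p>If the JWKS (possibly loaded from storage) names a kid that the keystore no longer
     * contains, the mismatch is logged as a warning; the kid is still returned, which is what the
     * previous implementation effectively did as well. The stored JWKS is probably stale in that
     * case — regenerating it is left to the operator rather than done implicitly here.
     *
     * @return the key id, or {@code null} when the lookup fails (the error is logged)
     */
    public String getKeyId(Algorithm algorithm, Use use) {
        try {
            AbstractCryptoProvider cryptoProvider = getCryptoProvider();
            // Note: getKeys() below is this service's JWKS; cryptoProvider.getKeys() lists keystore entries.
            String keyId = cryptoProvider.getKeyId(getKeys(), algorithm, use);
            if (keyId != null && !cryptoProvider.getKeys().contains(keyId)) {
                this.logger.warn("Key id {} from the JWKS is not present in the keystore; the stored JWKS may be stale.", keyId);
            }
            return keyId;
        } catch (CryptoProviderException e) {
            this.logger.error("Error in keyId generation", e);
            return null;
        } catch (KeyStoreException e) {
            this.logger.error("Error in keystore", e);
            return null;
        }
    }

    /**
     * Persists the serialized JWKS as an {@link ExpiredObjectType#JWKS} entry.
     *
     * @param str the JWKS as a JSON string (what {@link JSONWebKeySet#toString()} produces)
     */
    public void saveKeysInStorage(String str) {
        // Hours are converted to minutes here; assumes ExpiredObject's last argument is a TTL in minutes — confirm.
        int expirationInMinutes = getConfiguration().getJwksExpirationInHours() * 60;
        this.persistenceService.createExpiredObject(
                new ExpiredObject(ExpiredObjectType.JWKS.getValue(), str, ExpiredObjectType.JWKS, expirationInMinutes));
    }

    /**
     * Loads the persisted JWKS.
     *
     * <p>A missing or empty entry yields {@code null}. An expired entry is deleted and yields
     * {@code null}. A corrupt entry (unparseable JSON) or a failure while checking expiry is
     * logged, the entry is deleted and {@code null} is returned so that the caller regenerates
     * the keys; previously a corrupt value surfaced as an unchecked exception on every lookup
     * until the entry was removed by hand.
     *
     * @return the stored key set, or {@code null} when nothing usable is stored
     */
    public JSONWebKeySet getKeysFromStorage() {
        ExpiredObject stored = this.persistenceService.getExpiredObject(ExpiredObjectType.JWKS.getValue());
        this.logger.debug("Expired Object found from Storage: {}", stored);
        if (stored == null || Util.isNullOrEmpty(stored.getValue())) {
            return null;
        }
        try {
            if (hasKeysExpired(stored)) {
                this.logger.trace("The keys in storage got expired. Deleting the expired keys from storage.");
                deleteKeysFromStorage();
                return null;
            }
            return JSONWebKeySet.fromJSONObject(new JSONObject(stored.getValue()));
        } catch (Exception e) {
            this.logger.error("Error in reading expiry date, parsing the stored keys or deleting expired keys from storage. Trying to delete the keys from storage.", e);
            deleteKeysFromStorage();
            return null;
        }
    }

    /** Removes every persisted {@link ExpiredObjectType#JWKS} entry. */
    public void deleteKeysFromStorage() {
        this.persistenceService.deleteExpiredObjectsByKey(ExpiredObjectType.JWKS.getValue());
    }

    /**
     * Tells whether the stored entry has reached its expiry.
     *
     * <p>The comparison is done in whole minutes: less than a full minute of remaining lifetime
     * already counts as expired, so a key set is never handed out moments before it lapses.
     *
     * @param expiredObject the persisted entry; its {@code exp} timestamp is compared with now
     * @return {@code true} when fewer than 60 seconds remain
     */
    public boolean hasKeysExpired(ExpiredObject expiredObject) {
        long remainingMillis = expiredObject.getExp().getTime() - System.currentTimeMillis();
        return remainingMillis / MILLIS_PER_MINUTE <= 0;
    }

    /** {@code true} when {@code keySet} is absent or holds no keys. */
    private static boolean isEmpty(JSONWebKeySet keySet) {
        return keySet == null || keySet.getKeys().isEmpty();
    }
}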
