package org.eclipse.edc.connector.transfer.dataplane;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Objects;
import java.util.UUID;
import org.eclipse.edc.connector.transfer.dataplane.security.ConsumerPullTransferKeyPair;
import org.eclipse.edc.connector.transfer.dataplane.security.PublicKeyParser;
import org.eclipse.edc.connector.transfer.dataplane.spi.security.KeyPairWrapper;
import org.eclipse.edc.runtime.metamodel.annotation.Extension;
import org.eclipse.edc.runtime.metamodel.annotation.Inject;
import org.eclipse.edc.runtime.metamodel.annotation.Provider;
import org.eclipse.edc.spi.EdcException;
import org.eclipse.edc.spi.security.PrivateKeyResolver;
import org.eclipse.edc.spi.security.Vault;
import org.eclipse.edc.spi.system.ServiceExtension;
import org.eclipse.edc.spi.system.ServiceExtensionContext;
import org.jetbrains.annotations.NotNull;

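/**
 * Service extension that provides the {@link KeyPairWrapper} for 'consumer pull' transfers.
 *
 * <p>The key pair comes from one of two places:
 * <ul>
 *   <li>If neither {@code TransferDataPlaneConfig.TOKEN_VERIFIER_PUBLIC_KEY_ALIAS} nor
 *       {@code TransferDataPlaneConfig.TOKEN_SIGNER_PRIVATE_KEY_ALIAS} is set, a random P-256
 *       signature key pair is generated in-process.</li>
 *   <li>Otherwise both aliases are mandatory. The public key is read from the {@link Vault} and
 *       the private key is obtained through the {@link PrivateKeyResolver}.</li>
 * </ul>
 *
 * <p>Security note: nothing in this class persists or distributes the randomly generated pair.
 * Tokens signed with it can presumably not be verified after a restart or by another runtime
 * instance, so deployments that need stable keys should configure both aliases. Confirm this
 * against the deployment model.
 *
 * <p>NOTE(review): the {@code @Extension} annotation below takes its value from
 * {@code ConsumerPullTransferProxyResolverExtension.NAME}, not from this class's own
 * {@link #NAME}. Confirm this is intended.
 */
@Extension(ConsumerPullTransferProxyResolverExtension.NAME)
/* loaded from: input_file:org/eclipse/edc/connector/transfer/dataplane/ConsumerPullTransferKeyPairExtension.class */
public class ConsumerPullTransferKeyPairExtension implements ServiceExtension {
    public static final String NAME = "Consumer Pull Transfer Key Pair";

    // Both collaborators are injected optionally and may therefore be null. They are only
    // needed (and only checked) when key aliases are configured.
    @Inject(required = false)
    private PrivateKeyResolver privateKeyResolver;

    @Inject(required = false)
    private Vault vault;

    /**
     * Returns the display name of this extension.
     *
     * @return {@link #NAME}
     */
    @Override
    public String name() {
        return NAME;
    }

    /**
     * Builds the key pair wrapper used for 'consumer pull' transfers.
     *
     * @param serviceExtensionContext context used to read the alias settings and obtain the monitor
     * @return a wrapper around either the configured key pair or a freshly generated random one
     * @throws NullPointerException if only one alias is configured, if the vault or private key
     *     resolver is missing while aliases are configured, or if a key cannot be resolved
     * @throws EdcException if random key generation fails
     */
    @Provider
    public KeyPairWrapper keyPairWrapper(ServiceExtensionContext serviceExtensionContext) {
        String publicKeyAlias = serviceExtensionContext.getSetting(TransferDataPlaneConfig.TOKEN_VERIFIER_PUBLIC_KEY_ALIAS, (String) null);
        String privateKeyAlias = serviceExtensionContext.getSetting(TransferDataPlaneConfig.TOKEN_SIGNER_PRIVATE_KEY_ALIAS, (String) null);

        if (publicKeyAlias == null && privateKeyAlias == null) {
            // Fallback: an ephemeral key pair held only by this runtime (see class-level security note).
            serviceExtensionContext.getMonitor().info(
                    () -> "Either private (n)or public key alias not provided for 'consumer pull' transfer, a random key pair will be generated");
            return new ConsumerPullTransferKeyPair(randomKeyPair());
        }

        // At least one alias is configured, so from here on everything is mandatory. Fail fast with
        // a message that tells the operator what is missing instead of silently falling back to a
        // random key. Messages contain setting keys and aliases only, never key material.
        Objects.requireNonNull(this.privateKeyResolver,
                "A PrivateKeyResolver must be available when key aliases are configured for 'consumer pull' transfer");
        Objects.requireNonNull(this.vault,
                "A Vault must be available when key aliases are configured for 'consumer pull' transfer");
        Objects.requireNonNull(publicKeyAlias,
                "Public key alias setting '" + TransferDataPlaneConfig.TOKEN_VERIFIER_PUBLIC_KEY_ALIAS
                        + "' must be set when the private key alias is configured");
        Objects.requireNonNull(privateKeyAlias,
                "Private key alias setting '" + TransferDataPlaneConfig.TOKEN_SIGNER_PRIVATE_KEY_ALIAS
                        + "' must be set when the public key alias is configured");

        PublicKey publicKey = getPublicKey(publicKeyAlias);
        PrivateKey privateKey = getPrivateKey(privateKeyAlias);
        // NOTE(review): nothing here checks that the two keys actually belong together — confirm
        // whether a mismatch is detected elsewhere (e.g. at first token verification).
        return new ConsumerPullTransferKeyPair(new KeyPair(publicKey, privateKey));
    }

    /**
     * Reads the public key stored in the vault under {@code alias} and parses it.
     *
     * @param alias vault alias of the public key
     * @return the parsed public key
     * @throws NullPointerException if the vault holds no secret for {@code alias}
     */
    @NotNull
    private PublicKey getPublicKey(String alias) {
        String encodedKey = this.vault.resolveSecret(alias);
        Objects.requireNonNull(encodedKey, "Failed to resolve public key with alias: " + alias + " from vault");
        return PublicKeyParser.from(encodedKey);
    }

    /**
     * Resolves the private key registered under {@code alias} via the private key resolver.
     *
     * @param alias alias of the private key
     * @return the resolved private key
     * @throws NullPointerException if the resolver returns no key for {@code alias}
     */
    @NotNull
    private PrivateKey getPrivateKey(String alias) {
        PrivateKey resolvedKey = (PrivateKey) this.privateKeyResolver.resolvePrivateKey(alias, PrivateKey.class);
        Objects.requireNonNull(resolvedKey, "Failed to resolve private key with alias: " + alias);
        return resolvedKey;
    }

    /**
     * Generates a fresh P-256 EC key pair marked for signature use, with a random UUID as key id.
     *
     * @return the generated key pair
     * @throws EdcException wrapping the {@link JOSEException} if generation fails
     */
    private static KeyPair randomKeyPair() {
        try {
            return new ECKeyGenerator(Curve.P_256)
                    .keyUse(KeyUse.SIGNATURE)
                    .keyID(UUID.randomUUID().toString())
                    .generate()
                    .toKeyPair();
        } catch (JOSEException e) {
            // Preserve the cause so the underlying generation failure stays diagnosable.
            throw new EdcException(e);
        }
    }
}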
