package net.corda.crypto;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.Unit;
import kotlin.jvm.internal.Intrinsics;
import net.corda.crypto.internal.WrappingKey;
import net.corda.v5.base.util.KotlinUtilsKt;
import net.corda.v5.crypto.exceptions.CryptoServiceException;
import net.corda.v5.crypto.internal.Crypto;
import net.corda.v5.crypto.internal.CryptoUtilsInternal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.asn1.x509.ReasonFlags;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.bc.BcX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: CryptoLibraryExtensions.kt */
@Metadata(mv = {1, 4, 1}, bv = {1, 0, 3}, k = 2, d1 = {"��z\n��\n\u0002\u0010\b\n��\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\u001a$\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\b2\b\u0010\t\u001a\u0004\u0018\u00010\n2\b\u0010\u000b\u001a\u0004\u0018\u00010\fH\u0002\u001ah\u0010\r\u001a\u00020\b2\u0006\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u0014\u001a\u00020\u00112\u0006\u0010\u0015\u001a\u00020\u00132\u0012\u0010\u0016\u001a\u000e\u0012\u0004\u0012\u00020\u0017\u0012\u0004\u0012\u00020\u00170\u00032\n\b\u0002\u0010\u0018\u001a\u0004\u0018\u00010\u00192\n\b\u0002\u0010\t\u001a\u0004\u0018\u00010\n2\n\b\u0002\u0010\u000b\u001a\u0004\u0018\u00010\fH\u0002\u001a\b\u0010\u001a\u001a\u00020\u001bH\u0002\u001a0\u0010\u001c\u001a\u000e\u0012\u0004\u0012\u00020\u0017\u0012\u0004\u0012\u00020\u00170\u00032\u0006\u0010\u001d\u001a\u00020\u00042\u0006\u0010\u001e\u001a\u00020\u00042\n\b\u0002\u0010\u001f\u001a\u0004\u0018\u00010 H\u0002\u001a\u001a\u0010!\u001a\u00020\u00172\u0006\u0010\"\u001a\u00020#2\b\u0010$\u001a\u0004\u0018\u00010\u0017H\u0002\u001a\u001a\u0010%\u001a\u00020\u00172\u0006\u0010\"\u001a\u00020#2\b\u0010$\u001a\u0004\u0018\u00010\u0017H\u0002\u001al\u0010&\u001a\u00020 *\u00020'2\u0006\u0010\u000e\u001a\u00020\u000f2\u0006\u0010(\u001a\u00020 
2\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u0014\u001a\u00020\u00112\u0006\u0010\u0015\u001a\u00020\u00132\u0014\b\u0002\u0010\u0016\u001a\u000e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\u00040\u00032\n\b\u0002\u0010\u0018\u001a\u0004\u0018\u00010\u00192\n\b\u0002\u0010\t\u001a\u0004\u0018\u00010\n2\n\b\u0002\u0010\u000b\u001a\u0004\u0018\u00010\f\u001al\u0010&\u001a\u00020 *\u00020'2\u0006\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u0014\u001a\u00020\u00112\u0006\u0010\u0015\u001a\u00020\u00132\u0012\u0010\u0016\u001a\u000e\u0012\u0004\u0012\u00020\u0017\u0012\u0004\u0012\u00020\u00170\u00032\n\b\u0002\u0010\u0018\u001a\u0004\u0018\u00010\u00192\n\b\u0002\u0010\t\u001a\u0004\u0018\u00010\n2\n\b\u0002\u0010\u000b\u001a\u0004\u0018\u00010\fH\u0002\u001a0\u0010)\u001a\u00020 *\u00020'2\u0006\u0010\u0014\u001a\u00020\u00112\u0006\u0010*\u001a\u00020\u00132\u0014\b\u0002\u0010\u0016\u001a\u000e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\u00040\u0003\u001a\u0012\u0010+\u001a\u00020,*\u00020'2\u0006\u0010*\u001a\u00020\u0013\u001a\u0012\u0010+\u001a\u00020,*\u00020'2\u0006\u0010-\u001a\u00020\n\u001a\f\u0010.\u001a\u00020 *\u00020/H\u0002\"\u000e\u0010��\u001a\u00020\u0001X\u0082T¢\u0006\u0002\n��\"\u001a\u0010\u0002\u001a\u000e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\u00040\u0003X\u0082\u0004¢\u0006\u0002\n��¨\u00060"}, d2 = {"CERTIFICATE_SERIAL_NUMBER_LENGTH", "", "DEFAULT_VALIDITY_WINDOW", "Lkotlin/Pair;", "Ljava/time/Duration;", "addCrlInfo", "", "builder", "Lorg/bouncycastle/cert/X509v3CertificateBuilder;", "crlDistPoint", "", "crlIssuer", "Lorg/bouncycastle/asn1/x500/X500Name;", "createPartialCertificate", "certificateType", "Lnet/corda/crypto/CertificateType;", "issuer", "Ljavax/security/auth/x500/X500Principal;", "issuerPublicKey", "Ljava/security/PublicKey;", "subject", "subjectPublicKey", "validityWindow", "Ljava/util/Date;", 
"nameConstraints", "Lorg/bouncycastle/asn1/x509/NameConstraints;", "generateCertificateSerialNumber", "Ljava/math/BigInteger;", "getCertificateValidityWindow", "before", "after", "parent", "Ljava/security/cert/X509Certificate;", "max", "first", "Ljava/time/Instant;", "second", "min", "createCertificate", "Lnet/corda/crypto/SigningService;", "issuerCertificate", "createSelfSignedCACertificate", "publicKey", "getSigner", "Lorg/bouncycastle/operator/ContentSigner;", "alias", "toJca", "Lorg/bouncycastle/cert/X509CertificateHolder;", "crypto-impl"})
/* loaded from: input_file:net/corda/crypto/CryptoLibraryExtensionsKt.class */
/**
 * Decompiled (JADX) form of the Kotlin file {@code CryptoLibraryExtensions.kt}: static helpers that
 * assemble X.509 certificates with BouncyCastle and have them signed through a {@code SigningService}.
 *
 * <p>Reading notes for this listing:
 * <ul>
 *   <li>The first {@code SigningService} parameter of the public methods is the Kotlin extension
 *       receiver (the null-check messages name it {@code $this$...}).</li>
 *   <li>Methods ending in {@code $default} are the Kotlin default-argument bridges: a set bit in the
 *       {@code int} mask means the caller omitted that argument and the default is substituted.
 *       Their signatures and mask values are part of the compiled ABI.</li>
 *   <li>{@code SigningService.this} inside the anonymous classes is a decompiler rendering of the
 *       captured {@code signingService} argument, not valid Java as written.</li>
 * </ul>
 */
public final class CryptoLibraryExtensionsKt {
    // Number of random bytes drawn for each certificate serial number (see generateCertificateSerialNumber).
    private static final int CERTIFICATE_SERIAL_NUMBER_LENGTH = 16;
    // Default (before, after) offsets applied around the start of the current UTC day:
    // getMillis(0) and getDays(3650) — presumably a zero offset and roughly ten years; confirm against KotlinUtilsKt.
    private static final Pair<Duration, Duration> DEFAULT_VALIDITY_WINDOW = new Pair<>(KotlinUtilsKt.getMillis(0), KotlinUtilsKt.getDays(3650));

    /**
     * Returns a BouncyCastle {@link ContentSigner} that delegates the signing operation to
     * {@code signingService}, addressing the key by alias.
     *
     * <p>The key is looked up once, when the signer is created; the signature algorithm identifier is
     * taken from the signature scheme that {@code Crypto.findSignatureScheme} reports for that key.
     *
     * <p>The signer accumulates everything written to its output stream in memory and never resets the
     * buffer, so every call to {@code getSignature()} signs all bytes written since construction.
     * Treat an instance as single-use: reusing it for a second object would sign the concatenation.
     *
     * @param signingService service that holds the key and performs the signature (extension receiver)
     * @param str alias of the signing key
     * @return a signer bound to the key behind {@code str}
     * @throws CryptoServiceException if the service has no public key for the alias
     */
    @NotNull
    public static final ContentSigner getSigner(@NotNull final SigningService signingService, @NotNull final String str) {
        Intrinsics.checkNotNullParameter(signingService, "$this$getSigner");
        Intrinsics.checkNotNullParameter(str, "alias");
        return new ContentSigner(str) { // from class: net.corda.crypto.CryptoLibraryExtensionsKt$getSigner$1
            // Public key resolved from the alias; only used to pick the signature scheme.
            private final PublicKey publicKey;
            private final AlgorithmIdentifier sigAlgID;
            // In-memory buffer holding the complete to-be-signed data.
            private final ByteArrayOutputStream baos;
            final /* synthetic */ String $alias;

            @NotNull
            public AlgorithmIdentifier getAlgorithmIdentifier() {
                return this.sigAlgID;
            }

            @NotNull
            public OutputStream getOutputStream() {
                return this.baos;
            }

            @NotNull
            public byte[] getSignature() {
                SigningService signingService2 = SigningService.this;
                String str2 = this.$alias;
                byte[] byteArray = this.baos.toByteArray();
                Intrinsics.checkNotNullExpressionValue(byteArray, "baos.toByteArray()");
                // Mask 4 marks the third non-receiver argument of sign(...) as omitted, hence the null;
                // what that argument is cannot be seen from this file.
                return SigningService.sign$default(signingService2, str2, byteArray, null, 4, null);
            }

            /* JADX INFO: Access modifiers changed from: package-private */
            {
                this.$alias = str;
                // Fail at construction time rather than at signing time when the alias is unknown.
                PublicKey findPublicKey = SigningService.this.findPublicKey(str);
                if (findPublicKey == null) {
                    throw new CryptoServiceException("No key found for alias " + str, false);
                }
                this.publicKey = findPublicKey;
                this.sigAlgID = Crypto.findSignatureScheme(this.publicKey).getSignatureOID();
                this.baos = new ByteArrayOutputStream();
            }
        };
    }

    /**
     * Returns a BouncyCastle {@link ContentSigner} that delegates the signing operation to
     * {@code signingService}, addressing the key by its public key.
     *
     * <p>Unlike the alias overload, nothing here asks the service whether it actually holds the
     * matching private key; a missing key would only surface when {@code getSignature()} calls
     * {@code sign}. The buffer is never reset, so an instance should be used for one signature only.
     *
     * @param signingService service that performs the signature (extension receiver)
     * @param publicKey public key identifying the signing key; also selects the signature scheme
     * @return a signer bound to {@code publicKey}
     */
    @NotNull
    public static final ContentSigner getSigner(@NotNull final SigningService signingService, @NotNull final PublicKey publicKey) {
        Intrinsics.checkNotNullParameter(signingService, "$this$getSigner");
        Intrinsics.checkNotNullParameter(publicKey, "publicKey");
        return new ContentSigner(publicKey) { // from class: net.corda.crypto.CryptoLibraryExtensionsKt$getSigner$2
            private final AlgorithmIdentifier sigAlgID;
            // In-memory buffer holding the complete to-be-signed data.
            private final ByteArrayOutputStream baos = new ByteArrayOutputStream();
            final /* synthetic */ PublicKey $publicKey;

            @NotNull
            public AlgorithmIdentifier getAlgorithmIdentifier() {
                return this.sigAlgID;
            }

            @NotNull
            public OutputStream getOutputStream() {
                return this.baos;
            }

            @NotNull
            public byte[] getSignature() {
                SigningService signingService2 = SigningService.this;
                PublicKey publicKey2 = this.$publicKey;
                byte[] byteArray = this.baos.toByteArray();
                Intrinsics.checkNotNullExpressionValue(byteArray, "baos.toByteArray()");
                return signingService2.sign(publicKey2, byteArray).getBytes();
            }

            /* JADX INFO: Access modifiers changed from: package-private */
            {
                this.$publicKey = publicKey;
                this.sigAlgID = Crypto.findSignatureScheme(publicKey).getSignatureOID();
            }
        };
    }

    /**
     * Creates a self-signed certificate of type {@code CertificateType.ROOT_CA}: the same principal is
     * used as issuer and subject, and the same public key as issuer key and subject key.
     *
     * <p>No name constraints and no CRL information are attached (mask 448 = 64 | 128 | 256 leaves those
     * three arguments at their null defaults). The validity window is computed without a parent
     * certificate, so it is not clamped.
     *
     * @param signingService service that signs the certificate (extension receiver)
     * @param x500Principal subject, and therefore also issuer, of the certificate
     * @param publicKey key being certified; it also identifies the signing key
     * @param pair (before, after) offsets relative to the start of the current UTC day
     * @return the signed certificate
     * @throws IllegalArgumentException if the certificate is not valid now or its signature does not verify
     */
    @NotNull
    public static final X509Certificate createSelfSignedCACertificate(@NotNull SigningService signingService, @NotNull X500Principal x500Principal, @NotNull PublicKey publicKey, @NotNull Pair<Duration, Duration> pair) {
        Intrinsics.checkNotNullParameter(signingService, "$this$createSelfSignedCACertificate");
        Intrinsics.checkNotNullParameter(x500Principal, "subject");
        Intrinsics.checkNotNullParameter(publicKey, "publicKey");
        Intrinsics.checkNotNullParameter(pair, "validityWindow");
        return createCertificate$default(signingService, CertificateType.ROOT_CA, x500Principal, publicKey, x500Principal, publicKey, getCertificateValidityWindow$default((Duration) pair.getFirst(), (Duration) pair.getSecond(), null, 4, null), (NameConstraints) null, (String) null, (X500Name) null, 448, (Object) null);
    }

    /** Default-argument bridge: bit 4 set means the validity window was omitted and DEFAULT_VALIDITY_WINDOW is used. */
    public static /* synthetic */ X509Certificate createSelfSignedCACertificate$default(SigningService signingService, X500Principal x500Principal, PublicKey publicKey, Pair pair, int i, Object obj) {
        if ((i & 4) != 0) {
            pair = DEFAULT_VALIDITY_WINDOW;
        }
        return createSelfSignedCACertificate(signingService, x500Principal, publicKey, pair);
    }

    /**
     * Issues a certificate for {@code x500Principal}/{@code publicKey2} under an existing issuer
     * certificate.
     *
     * <p>The issuer name is the subject of {@code x509Certificate}, and the requested validity window is
     * clamped so that it does not start before or end after the issuer certificate's own validity.
     *
     * <p>NOTE(review): {@code publicKey} (the issuer key used for signing and for the authority key
     * identifier) is passed separately and is not compared with the key inside {@code x509Certificate}
     * in this method; presumably the caller guarantees that they correspond.
     *
     * @param signingService service that signs the certificate (extension receiver)
     * @param certificateType supplies key usage, extended key usage purposes and the CA flag
     * @param x509Certificate issuer certificate
     * @param publicKey issuer public key, identifying the signing key
     * @param x500Principal subject of the new certificate
     * @param publicKey2 subject public key
     * @param pair (before, after) offsets relative to the start of the current UTC day
     * @param nameConstraints optional name constraints extension
     * @param str optional CRL distribution point URI
     * @param x500Name optional CRL issuer name
     * @return the signed certificate
     * @throws IllegalArgumentException if the certificate is not valid now or its signature does not verify
     */
    @NotNull
    public static final X509Certificate createCertificate(@NotNull SigningService signingService, @NotNull CertificateType certificateType, @NotNull X509Certificate x509Certificate, @NotNull PublicKey publicKey, @NotNull X500Principal x500Principal, @NotNull PublicKey publicKey2, @NotNull Pair<Duration, Duration> pair, @Nullable NameConstraints nameConstraints, @Nullable String str, @Nullable X500Name x500Name) {
        Intrinsics.checkNotNullParameter(signingService, "$this$createCertificate");
        Intrinsics.checkNotNullParameter(certificateType, "certificateType");
        Intrinsics.checkNotNullParameter(x509Certificate, "issuerCertificate");
        Intrinsics.checkNotNullParameter(publicKey, "issuerPublicKey");
        Intrinsics.checkNotNullParameter(x500Principal, "subject");
        Intrinsics.checkNotNullParameter(publicKey2, "subjectPublicKey");
        Intrinsics.checkNotNullParameter(pair, "validityWindow");
        Pair<Date, Date> certificateValidityWindow = getCertificateValidityWindow((Duration) pair.getFirst(), (Duration) pair.getSecond(), x509Certificate);
        X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
        Intrinsics.checkNotNullExpressionValue(subjectX500Principal, "issuerCertificate.subjectX500Principal");
        return createCertificate(signingService, certificateType, subjectX500Principal, publicKey, x500Principal, publicKey2, certificateValidityWindow, nameConstraints, str, x500Name);
    }

    /**
     * Default-argument bridge for the issuer-certificate overload: bit 32 selects DEFAULT_VALIDITY_WINDOW,
     * bits 64 and 128 null out the name constraints and the CRL distribution point.
     * NOTE(review): the CRL issuer mask is rendered as WrappingKey.AES_KEY_LENGTH; this looks like the
     * decompiler substituting a same-valued constant for the literal 256 — confirm the constant's value.
     */
    public static /* synthetic */ X509Certificate createCertificate$default(SigningService signingService, CertificateType certificateType, X509Certificate x509Certificate, PublicKey publicKey, X500Principal x500Principal, PublicKey publicKey2, Pair pair, NameConstraints nameConstraints, String str, X500Name x500Name, int i, Object obj) {
        if ((i & 32) != 0) {
            pair = DEFAULT_VALIDITY_WINDOW;
        }
        if ((i & 64) != 0) {
            nameConstraints = (NameConstraints) null;
        }
        if ((i & 128) != 0) {
            str = (String) null;
        }
        if ((i & WrappingKey.AES_KEY_LENGTH) != 0) {
            x500Name = (X500Name) null;
        }
        return createCertificate(signingService, certificateType, x509Certificate, publicKey, x500Principal, publicKey2, (Pair<Duration, Duration>) pair, nameConstraints, str, x500Name);
    }

    /**
     * Builds the certificate, has it signed by the issuer key through {@code signingService}, and
     * self-checks the result before returning it.
     *
     * <p>Two checks run on the signed certificate: it must be valid at the current instant, and its
     * signature must verify against {@code publicKey}. The second check catches a signing service that
     * answered with a signature from a different key than the one requested.
     *
     * @param x500Principal issuer name
     * @param publicKey issuer public key (selects the signing key and verifies the result)
     * @param x500Principal2 subject name
     * @param publicKey2 subject public key
     * @param pair (notBefore, notAfter) dates
     * @param str optional CRL distribution point URI
     * @param x500Name optional CRL issuer name
     * @throws IllegalArgumentException if either post-signing check fails
     */
    private static final X509Certificate createCertificate(SigningService signingService, CertificateType certificateType, X500Principal x500Principal, PublicKey publicKey, X500Principal x500Principal2, PublicKey publicKey2, Pair<? extends Date, ? extends Date> pair, NameConstraints nameConstraints, String str, X500Name x500Name) {
        // A fresh signer per certificate: the signer's buffer is never reset, so it must not be shared.
        X509CertificateHolder build = createPartialCertificate(certificateType, x500Principal, publicKey, x500Principal2, publicKey2, pair, nameConstraints, str, x500Name).build(getSigner(signingService, publicKey));
        // Also rejects an inverted window (notBefore after notAfter), which can never be valid.
        if (!build.isValidOn(new Date())) {
            throw new IllegalArgumentException("Certificate is not valid at instant now".toString());
        }
        if (build.isSignatureValid(new JcaContentVerifierProviderBuilder().build(publicKey))) {
            return toJca(build);
        }
        throw new IllegalArgumentException("Invalid signature".toString());
    }

    /**
     * Default-argument bridge for the private overload: bits 64 and 128 null out the name constraints
     * and the CRL distribution point; the third mask (rendered as WrappingKey.AES_KEY_LENGTH,
     * presumably 256 — confirm) nulls out the CRL issuer.
     */
    static /* synthetic */ X509Certificate createCertificate$default(SigningService signingService, CertificateType certificateType, X500Principal x500Principal, PublicKey publicKey, X500Principal x500Principal2, PublicKey publicKey2, Pair pair, NameConstraints nameConstraints, String str, X500Name x500Name, int i, Object obj) {
        if ((i & 64) != 0) {
            nameConstraints = (NameConstraints) null;
        }
        if ((i & 128) != 0) {
            str = (String) null;
        }
        if ((i & WrappingKey.AES_KEY_LENGTH) != 0) {
            x500Name = (X500Name) null;
        }
        return createCertificate(signingService, certificateType, x500Principal, publicKey, x500Principal2, publicKey2, (Pair<? extends Date, ? extends Date>) pair, nameConstraints, str, x500Name);
    }

    /**
     * Assembles the unsigned certificate: fresh random serial number, issuer and subject names,
     * validity dates, subject key and the extension set.
     *
     * <p>Extensions added, in order: subjectKeyIdentifier (non-critical, from the subject key),
     * basicConstraints (critical, CA flag from {@code certificateType}), keyUsage (non-critical),
     * extendedKeyUsage (non-critical, from {@code certificateType.getPurposes()}),
     * authorityKeyIdentifier (non-critical, from the issuer key), then optional CRL distribution
     * points and optional nameConstraints (critical).
     *
     * <p>Points a reviewer of the resulting certificates should be aware of: basicConstraints is built
     * from the CA flag alone, so no path length limit is encoded; and keyUsage is marked non-critical,
     * whereas RFC 5280 says conforming CAs SHOULD mark it critical.
     *
     * @param x500Principal issuer name
     * @param publicKey issuer public key (authority key identifier only)
     * @param x500Principal2 subject name
     * @param publicKey2 subject public key
     * @param pair (notBefore, notAfter) dates
     * @param str optional CRL distribution point URI
     * @param x500Name optional CRL issuer name
     * @return the builder, ready to be signed
     */
    private static final X509v3CertificateBuilder createPartialCertificate(CertificateType certificateType, X500Principal x500Principal, PublicKey publicKey, X500Principal x500Principal2, PublicKey publicKey2, Pair<? extends Date, ? extends Date> pair, NameConstraints nameConstraints, String str, X500Name x500Name) {
        BigInteger generateCertificateSerialNumber = generateCertificateSerialNumber();
        // Collect the extended key usage purposes into one ASN.1 sequence.
        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
        for (ASN1Encodable aSN1Encodable : certificateType.getPurposes()) {
            aSN1EncodableVector.add(aSN1Encodable);
        }
        // Decompiler residue of the Kotlin source; the value is unused.
        Unit unit = Unit.INSTANCE;
        X509v3CertificateBuilder addExtension = new JcaX509v3CertificateBuilder(x500Principal, generateCertificateSerialNumber, (Date) pair.getFirst(), (Date) pair.getSecond(), x500Principal2, publicKey2).addExtension(Extension.subjectKeyIdentifier, false, new BcX509ExtensionUtils().createSubjectKeyIdentifier(SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(publicKey2.getEncoded())))).addExtension(Extension.basicConstraints, true, new BasicConstraints(certificateType.isCA())).addExtension(Extension.keyUsage, false, certificateType.getKeyUsage()).addExtension(Extension.extendedKeyUsage, false, new DERSequence(aSN1EncodableVector)).addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(publicKey));
        Intrinsics.checkNotNullExpressionValue(addExtension, "builder");
        addCrlInfo(addExtension, str, x500Name);
        if (nameConstraints != null) {
            addExtension.addExtension(Extension.nameConstraints, true, (ASN1Encodable) nameConstraints);
        }
        return addExtension;
    }

    /**
     * Default-argument bridge: bits 64 and 128 null out the name constraints and the CRL distribution
     * point; the third mask (rendered as WrappingKey.AES_KEY_LENGTH, presumably 256 — confirm) nulls
     * out the CRL issuer.
     */
    static /* synthetic */ X509v3CertificateBuilder createPartialCertificate$default(CertificateType certificateType, X500Principal x500Principal, PublicKey publicKey, X500Principal x500Principal2, PublicKey publicKey2, Pair pair, NameConstraints nameConstraints, String str, X500Name x500Name, int i, Object obj) {
        if ((i & 64) != 0) {
            nameConstraints = (NameConstraints) null;
        }
        if ((i & 128) != 0) {
            str = (String) null;
        }
        if ((i & WrappingKey.AES_KEY_LENGTH) != 0) {
            x500Name = (X500Name) null;
        }
        return createPartialCertificate(certificateType, x500Principal, publicKey, x500Principal2, publicKey2, pair, nameConstraints, str, x500Name);
    }

    /**
     * Generates a random, positive, fixed-length certificate serial number.
     *
     * <p>Sixteen bytes are drawn from the generator returned by
     * {@code CryptoUtilsInternal.newSecureRandom()}. The two top bits of the first byte are then forced
     * to {@code 01}: the cleared sign bit keeps the {@link BigInteger} positive, and the set bit below it
     * keeps the value at the full 16-byte length. 126 bits of the serial number remain random.
     */
    private static final BigInteger generateCertificateSerialNumber() {
        byte[] bArr = new byte[CERTIFICATE_SERIAL_NUMBER_LENGTH];
        CryptoUtilsInternal.newSecureRandom().nextBytes(bArr);
        // & 63 clears bits 7 and 6, | 64 sets bit 6 again: top bits become 01.
        bArr[0] = (byte) (((byte) (bArr[0] & 63)) | 64);
        return new BigInteger(bArr);
    }

    /**
     * Adds a non-critical cRLDistributionPoints extension with a single distribution point when a
     * distribution point URI is given.
     *
     * <p>The URI is wrapped as a GeneralName with tag 6 (uniformResourceIdentifier) exactly as passed
     * in; it is not parsed or validated here. No reason flags are set. The CRL issuer, when present,
     * is attached as a directory name. A CRL issuer supplied without a URI is silently ignored.
     *
     * @param x509v3CertificateBuilder builder to extend
     * @param str CRL distribution point URI, or null for no CRL information
     * @param x500Name CRL issuer name, or null
     */
    private static final void addCrlInfo(X509v3CertificateBuilder x509v3CertificateBuilder, String str, X500Name x500Name) {
        if (str != null) {
            x509v3CertificateBuilder.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(new DistributionPoint[]{new DistributionPoint(new DistributionPointName(new GeneralNames(new GeneralName(6, str))), (ReasonFlags) null, x500Name != null ? new GeneralNames(new GeneralName(x500Name)) : null)}));
        }
    }

    /**
     * Converts a BouncyCastle certificate holder into a JCA {@link X509Certificate} by encoding it and
     * parsing the bytes with the "X.509" {@link CertificateFactory}.
     *
     * @throws IllegalArgumentException if the factory does not return an {@link X509Certificate}
     */
    private static final X509Certificate toJca(X509CertificateHolder x509CertificateHolder) {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        byte[] encoded = x509CertificateHolder.getEncoded();
        Intrinsics.checkNotNullExpressionValue(encoded, "encoded");
        Certificate generateCertificate = certificateFactory.generateCertificate(new ByteArrayInputStream(encoded));
        // Decompiled form of a Kotlin safe cast: anything that is not an X509Certificate becomes null.
        if (!(generateCertificate instanceof X509Certificate)) {
            generateCertificate = null;
        }
        X509Certificate x509Certificate = (X509Certificate) generateCertificate;
        if (x509Certificate == null) {
            throw new IllegalArgumentException(("Not an X.509 certificate: " + x509CertificateHolder).toString());
        }
        return x509Certificate;
    }

    /**
     * Computes the (notBefore, notAfter) dates of a new certificate.
     *
     * <p>The window is anchored at the start of the current UTC day: notBefore is that instant minus
     * {@code duration}, notAfter is that instant plus {@code duration2}. When a parent certificate is
     * given, notBefore is raised to the parent's notBefore and notAfter is lowered to the parent's
     * notAfter, so the child never outlives its issuer.
     *
     * <p>This method does not check that notBefore precedes notAfter (for example when the parent has
     * already expired); the private {@code createCertificate} rejects such a certificate through its
     * "valid now" check.
     *
     * @param duration offset subtracted from the start of the day ("before")
     * @param duration2 offset added to the start of the day ("after")
     * @param x509Certificate parent certificate to clamp against, or null for no clamping
     */
    private static final Pair<Date, Date> getCertificateValidityWindow(Duration duration, Duration duration2, X509Certificate x509Certificate) {
        Instant truncatedTo = Instant.now().truncatedTo(ChronoUnit.DAYS);
        Instant minus = truncatedTo.minus((TemporalAmount) duration);
        Intrinsics.checkNotNullExpressionValue(minus, "startOfDayUTC - before");
        Date max = max(minus, x509Certificate != null ? x509Certificate.getNotBefore() : null);
        Instant plus = truncatedTo.plus((TemporalAmount) duration2);
        Intrinsics.checkNotNullExpressionValue(plus, "startOfDayUTC + after");
        return new Pair<>(max, min(plus, x509Certificate != null ? x509Certificate.getNotAfter() : null));
    }

    /** Default-argument bridge: bit 4 set means no parent certificate was supplied (null). */
    static /* synthetic */ Pair getCertificateValidityWindow$default(Duration duration, Duration duration2, X509Certificate x509Certificate, int i, Object obj) {
        if ((i & 4) != 0) {
            x509Certificate = (X509Certificate) null;
        }
        return getCertificateValidityWindow(duration, duration2, x509Certificate);
    }

    /**
     * Returns the later of the two points in time as a {@link Date}; a null {@code date} yields the
     * instant. Comparison is at millisecond precision, and on a tie the instant is returned.
     */
    private static final Date max(Instant instant, Date date) {
        return (date == null || date.getTime() <= instant.toEpochMilli()) ? new Date(instant.toEpochMilli()) : date;
    }

    /**
     * Returns the earlier of the two points in time as a {@link Date}; a null {@code date} yields the
     * instant. Comparison is at millisecond precision, and on a tie the instant is returned.
     */
    private static final Date min(Instant instant, Date date) {
        return (date == null || date.getTime() >= instant.toEpochMilli()) ? new Date(instant.toEpochMilli()) : date;
    }
}
