package net.corda.nodeapi.internal.protonwrapper.netty;

import io.netty.handler.ssl.SslHandler;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathChecker;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import kotlin.Metadata;
import kotlin.TypeCastException;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.collections.SetsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.StringCompanionObject;
import kotlin.text.StringsKt;
import net.corda.core.crypto.CryptoUtils;
import net.corda.core.crypto.SecureHash;
import net.corda.core.identity.CordaX500Name;
import net.corda.core.utilities.NetworkHostAndPort;
import net.corda.nodeapi.internal.ArtemisTcpTransport;
import net.corda.nodeapi.internal.config.CertificateStore;
import org.jetbrains.annotations.NotNull;

/* compiled from: SSLHelper.kt */
@Metadata(mv = {1, 1, 11}, bv = {1, 0, AMQPClient.NUM_CLIENT_THREADS}, k = AMQPClient.NUM_CLIENT_THREADS, d1 = {"��H\n��\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\"\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000b\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0002\b\u0002\u001a.\u0010\u0002\u001a\u00020\u00032\u0006\u0010\u0004\u001a\u00020\u00052\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\b0\u00072\u0006\u0010\t\u001a\u00020\n2\u0006\u0010\u000b\u001a\u00020\fH��\u001a\u0018\u0010\r\u001a\u00020\u00032\u0006\u0010\t\u001a\u00020\n2\u0006\u0010\u000b\u001a\u00020\fH��\u001a\u0018\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013H��\u001a\u0010\u0010\u0014\u001a\u00020\u00012\u0006\u0010\u0015\u001a\u00020\bH��\u001a\u0012\u0010\u0016\u001a\u00020\u0017*\u00020\n2\u0006\u0010\u0018\u001a\u00020\u0011\u001a\u0012\u0010\u0016\u001a\u00020\u0017*\u00020\f2\u0006\u0010\u0010\u001a\u00020\u0011\"\u000e\u0010��\u001a\u00020\u0001X\u0082T¢\u0006\u0002\n��¨\u0006\u0019"}, d2 = {"HOSTNAME_FORMAT", "", "createClientSslHelper", "Lio/netty/handler/ssl/SslHandler;", "target", "Lnet/corda/core/utilities/NetworkHostAndPort;", "expectedRemoteLegalNames", "", "Lnet/corda/core/identity/CordaX500Name;", "keyManagerFactory", "Ljavax/net/ssl/KeyManagerFactory;", "trustManagerFactory", "Ljavax/net/ssl/TrustManagerFactory;", "createServerSslHelper", "initialiseTrustStoreAndEnableCrlChecking", "Ljavax/net/ssl/ManagerFactoryParameters;", "trustStore", "Lnet/corda/nodeapi/internal/config/CertificateStore;", "crlCheckSoftFail", "", "x500toHostName", "x500Name", "init", "", "keyStore", "node-api"})
/* loaded from: input_file:net/corda/nodeapi/internal/protonwrapper/netty/SSLHelperKt.class */
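/*
 * TLS helpers for the AMQP/Netty transport: builds client- and server-mode SslHandlers,
 * prepares PKIX trust parameters with CRL-based revocation checking, and derives the SNI
 * host name used to label outbound connections.
 *
 * This is the Java view of a Kotlin file (SSLHelper.kt). Checked exceptions raised by the JDK
 * security APIs (for example from SSLContext.getInstance or the PKIXBuilderParameters
 * constructor) propagate undeclared, as they do in Kotlin.
 */
public final class SSLHelperKt {
    /** Template for the SNI host name; the placeholder receives a truncated hash (see {@link #x500toHostName}). */
    private static final String HOSTNAME_FORMAT = "%s.corda.net";

    /**
     * Builds the Netty {@link SslHandler} for an outbound (client-mode) TLS connection.
     *
     * <p>The engine is restricted to the protocol versions and cipher suites published by
     * {@link ArtemisTcpTransport}. An SNI host name derived from the expected legal name is sent
     * only when exactly one expected name is supplied; otherwise no SNI extension is configured.
     *
     * <p>NOTE(review): no endpoint identification algorithm is set on the engine, and
     * {@code set} is used here only to derive the SNI value. Nothing in this method compares the
     * peer certificate's subject with the expected legal names, so that check must happen
     * elsewhere (for example after the handshake) - confirm against the caller.
     *
     * @param networkHostAndPort remote host and port, passed to the engine as peer hints
     * @param set legal names the remote peer is expected to present
     * @param keyManagerFactory initialised factory supplying this node's TLS key material
     * @param trustManagerFactory initialised factory supplying the trust managers
     * @return a handler wrapping the configured client-mode engine
     */
    @NotNull
    public static final SslHandler createClientSslHelper(@NotNull NetworkHostAndPort networkHostAndPort, @NotNull Set<CordaX500Name> set, @NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkParameterIsNotNull(networkHostAndPort, "target");
        Intrinsics.checkParameterIsNotNull(set, "expectedRemoteLegalNames");
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");
        SSLContext sslContext = newSslContext(keyManagerFactory, trustManagerFactory);
        SSLEngine sslEngine = sslContext.createSSLEngine(networkHostAndPort.getHost(), networkHostAndPort.getPort());
        Intrinsics.checkExpressionValueIsNotNull(sslEngine, "sslEngine");
        sslEngine.setUseClientMode(true);
        applyTransportSettings(sslEngine);
        if (set.size() == 1) {
            // The SNI value is a routing hint derived from the single expected legal name;
            // it does not authenticate the peer.
            SSLParameters sslParameters = sslEngine.getSSLParameters();
            sslParameters.setServerNames(CollectionsKt.listOf(new SNIHostName(x500toHostName(set.iterator().next()))));
            sslEngine.setSSLParameters(sslParameters);
        }
        return new SslHandler(sslEngine);
    }

    /**
     * Builds the Netty {@link SslHandler} for an inbound (server-mode) TLS connection.
     *
     * <p>Client authentication is mandatory ({@code setNeedClientAuth(true)}), so the handshake
     * fails unless the peer presents a certificate accepted by the trust managers. Protocol
     * versions and cipher suites are the same {@link ArtemisTcpTransport} lists used on the
     * client side.
     *
     * @param keyManagerFactory initialised factory supplying this node's TLS key material
     * @param trustManagerFactory initialised factory supplying the trust managers
     * @return a handler wrapping the configured server-mode engine
     */
    @NotNull
    public static final SslHandler createServerSslHelper(@NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");
        SSLContext sslContext = newSslContext(keyManagerFactory, trustManagerFactory);
        SSLEngine sslEngine = sslContext.createSSLEngine();
        Intrinsics.checkExpressionValueIsNotNull(sslEngine, "sslEngine");
        sslEngine.setUseClientMode(false);
        sslEngine.setNeedClientAuth(true);
        applyTransportSettings(sslEngine);
        return new SslHandler(sslEngine);
    }

    /**
     * Creates PKIX trust-manager parameters over the given trust store with CRL-only revocation
     * checking attached.
     *
     * <p>The revocation checker is configured with {@code PREFER_CRLS} and {@code NO_FALLBACK},
     * so OCSP is never consulted. {@code ONLY_END_ENTITY} is not set, which leaves the checker
     * at its default of checking every certificate in the path. Because the checker is added as
     * an explicit cert-path checker, it is the mechanism used for revocation decisions.
     *
     * <p>Security caveat: with {@code z == true} the {@code SOFT_FAIL} option is added, and a
     * certificate whose revocation status cannot be determined (for example because the CRL
     * cannot be fetched) is accepted. That trades revocation assurance for availability;
     * deployments that enable it should monitor CRL distribution point reachability.
     *
     * @param certificateStore trust store whose entries become the PKIX trust anchors
     * @param z {@code true} to tolerate undeterminable revocation status (soft fail)
     * @return parameters suitable for {@code TrustManagerFactory.init(ManagerFactoryParameters)}
     */
    @NotNull
    public static final ManagerFactoryParameters initialiseTrustStoreAndEnableCrlChecking(@NotNull CertificateStore certificateStore, boolean z) {
        Intrinsics.checkParameterIsNotNull(certificateStore, "trustStore");
        CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
        Intrinsics.checkExpressionValueIsNotNull(certPathBuilder, "certPathBuilder");
        CertPathChecker rawChecker = certPathBuilder.getRevocationChecker();
        if (rawChecker == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.security.cert.PKIXRevocationChecker");
        }
        PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) rawChecker;
        // Build the full option set first so the checker is configured exactly once.
        EnumSet<PKIXRevocationChecker.Option> options = EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.NO_FALLBACK);
        if (z) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        revocationChecker.setOptions(options);
        PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(certificateStore.getValue().getInternal(), new X509CertSelector());
        pkixParameters.addCertPathChecker(revocationChecker);
        return new CertPathTrustManagerParameters(pkixParameters);
    }

    /**
     * Initialises a {@link KeyManagerFactory} from a certificate store (Kotlin extension function;
     * the factory is the receiver).
     *
     * <p>NOTE(review): the entry password is held as a {@code String} by the store and copied to
     * a {@code char[]} that is not cleared afterwards. Wiping the copy alone would not remove the
     * secret from the heap while the {@code String} exists, and it is not visible from here
     * whether the factory retains the array, so the array is left untouched.
     *
     * @param keyManagerFactory factory to initialise
     * @param certificateStore store providing the key store and the password protecting its entries
     */
    public static final void init(@NotNull KeyManagerFactory keyManagerFactory, @NotNull CertificateStore certificateStore) {
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "$receiver");
        Intrinsics.checkParameterIsNotNull(certificateStore, "keyStore");
        KeyStore keyStore = certificateStore.getValue().getInternal();
        String entryPassword = certificateStore.getEntryPassword();
        if (entryPassword == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        keyManagerFactory.init(keyStore, entryPassword.toCharArray());
    }

    /**
     * Initialises a {@link TrustManagerFactory} from a certificate store (Kotlin extension
     * function; the factory is the receiver).
     *
     * <p>This overload installs the trust anchors only; it does not attach the revocation
     * checker that {@link #initialiseTrustStoreAndEnableCrlChecking} sets up.
     *
     * @param trustManagerFactory factory to initialise
     * @param certificateStore store whose key store supplies the trusted certificates
     */
    public static final void init(@NotNull TrustManagerFactory trustManagerFactory, @NotNull CertificateStore certificateStore) {
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "$receiver");
        Intrinsics.checkParameterIsNotNull(certificateStore, "trustStore");
        trustManagerFactory.init(certificateStore.getValue().getInternal());
    }

    /**
     * Derives the SNI host name for a legal name: the first 32 characters of the SHA-256 hash's
     * string form, lower-cased, substituted into {@code HOSTNAME_FORMAT}.
     *
     * <p>The value is a deterministic label, not a secret and not proof of identity. Lower-casing
     * uses {@code Locale.ROOT} so that every node derives the same name regardless of the JVM's
     * default locale.
     *
     * @param cordaX500Name legal name to encode
     * @return host name of the form {@code <truncated-hash>.corda.net}
     */
    @NotNull
    public static final String x500toHostName(@NotNull CordaX500Name cordaX500Name) {
        Intrinsics.checkParameterIsNotNull(cordaX500Name, "x500Name");
        // presumably SecureHash.toString() yields hex digits, making this a 128-bit prefix - verify
        String hashPrefix = StringsKt.take(SecureHash.Companion.sha256(cordaX500Name.toString()).toString(), 32);
        if (hashPrefix == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        return String.format(HOSTNAME_FORMAT, hashPrefix.toLowerCase(java.util.Locale.ROOT));
    }

    /**
     * Creates a "TLS" context whose trust managers are the factory's X509ExtendedTrustManagers,
     * each wrapped in a LoggingTrustManagerWrapper. Shared by the client and server helpers so
     * both sides are initialised identically.
     */
    private static SSLContext newSslContext(KeyManagerFactory keyManagerFactory, TrustManagerFactory trustManagerFactory) {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        Intrinsics.checkExpressionValueIsNotNull(trustManagers, "trustManagerFactory.trustManagers");
        List<LoggingTrustManagerWrapper> wrappedManagers = new ArrayList<>(trustManagers.length);
        for (TrustManager candidate : trustManagers) {
            if (candidate instanceof X509ExtendedTrustManager) {
                wrappedManagers.add(new LoggingTrustManagerWrapper((X509ExtendedTrustManager) candidate));
            }
        }
        // When nothing matched, an empty (non-null) array is passed. NOTE(review): with the JDK's
        // default JSSE provider this is expected to reject every peer certificate rather than fall
        // back to the platform trust store - confirm for the provider in use.
        sslContext.init(keyManagers, wrappedManagers.toArray(new LoggingTrustManagerWrapper[0]), CryptoUtils.newSecureRandom());
        return sslContext;
    }

    /**
     * Restricts the engine to the transport's TLS versions and cipher suites and enables session
     * creation. Call after the client/server mode has been set on the engine.
     */
    private static void applyTransportSettings(SSLEngine sslEngine) {
        sslEngine.setEnabledProtocols(toStringArray(ArtemisTcpTransport.Companion.getTLS_VERSIONS()));
        sslEngine.setEnabledCipherSuites(toStringArray(ArtemisTcpTransport.Companion.getCIPHER_SUITES()));
        sslEngine.setEnableSessionCreation(true);
    }

    /** Copies a list of names into a String array, keeping the Kotlin-style failure on a null list. */
    private static String[] toStringArray(List<String> values) {
        if (values == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        return values.toArray(new String[0]);
    }
}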
