package net.corda.nodeapi.internal.cryptoservice.bouncycastle;

import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.Unit;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import net.corda.core.crypto.Crypto;
import net.corda.core.crypto.CryptoUtils;
import net.corda.core.crypto.SecureHashKt;
import net.corda.core.crypto.SignatureScheme;
import net.corda.core.crypto.internal.ProviderMapKt;
import net.corda.nodeapi.internal.config.CertificateStore;
import net.corda.nodeapi.internal.config.CertificateStoreSupplier;
import net.corda.nodeapi.internal.crypto.ContentSignerBuilder;
import net.corda.nodeapi.internal.crypto.X509KeyStore;
import net.corda.nodeapi.internal.crypto.X509Utilities;
import net.corda.nodeapi.internal.cryptoservice.CryptoService;
import net.corda.nodeapi.internal.cryptoservice.CryptoServiceException;
import net.corda.nodeapi.internal.cryptoservice.SupportedCryptoServices;
import net.corda.nodeapi.internal.protonwrapper.netty.AMQPClient;
import org.bouncycastle.operator.ContentSigner;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: BCCryptoService.kt */
@Metadata(mv = {1, 1, 11}, bv = {1, 0, AMQPClient.NUM_CLIENT_THREADS}, k = 1, d1 = {"��^\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u000b\n��\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0012\n\u0002\b\u0004\u0018��2\u00020\u0001B\u0015\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005¢\u0006\u0002\u0010\u0006J\u0010\u0010\r\u001a\u00020\u000e2\u0006\u0010\u000f\u001a\u00020\u0010H\u0016J\b\u0010\u0011\u001a\u00020\u0012H\u0016J\b\u0010\u0013\u001a\u00020\u0012H\u0016J\u0018\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u000f\u001a\u00020\u00102\u0006\u0010\u0016\u001a\u00020\u0012H\u0016J\u0010\u0010\u0017\u001a\u00020\u00152\u0006\u0010\u000f\u001a\u00020\u0010H\u0016J\u0010\u0010\u0018\u001a\u00020\u00192\u0006\u0010\u000f\u001a\u00020\u0010H\u0016J\b\u0010\u001a\u001a\u00020\u001bH\u0016J\u0016\u0010\u001c\u001a\u00020\u001d2\u0006\u0010\u000f\u001a\u00020\u00102\u0006\u0010\u001e\u001a\u00020\u001fJ\u0006\u0010 \u001a\u00020\u001dJ\"\u0010!\u001a\u00020\"2\u0006\u0010\u000f\u001a\u00020\u00102\u0006\u0010#\u001a\u00020\"2\b\u0010$\u001a\u0004\u0018\u00010\u0010H\u0016J \u0010%\u001a\u00020\"2\u0006\u0010\u000f\u001a\u00020\u00102\u0006\u0010#\u001a\u00020\"2\u0006\u0010$\u001a\u00020\u0010H\u0002R\u001a\u0010\u0007\u001a\u00020\bX\u0086\u000e¢\u0006\u000e\n��\u001a\u0004\b\t\u0010\n\"\u0004\b\u000b\u0010\fR\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��¨\u0006&"}, d2 = {"Lnet/corda/nodeapi/internal/cryptoservice/bouncycastle/BCCryptoService;", "Lnet/corda/nodeapi/internal/cryptoservice/CryptoService;", "legalName", "Ljavax/security/auth/x500/X500Principal;", 
"certificateStoreSupplier", "Lnet/corda/nodeapi/internal/config/CertificateStoreSupplier;", "(Ljavax/security/auth/x500/X500Principal;Lnet/corda/nodeapi/internal/config/CertificateStoreSupplier;)V", "certificateStore", "Lnet/corda/nodeapi/internal/config/CertificateStore;", "getCertificateStore", "()Lnet/corda/nodeapi/internal/config/CertificateStore;", "setCertificateStore", "(Lnet/corda/nodeapi/internal/config/CertificateStore;)V", "containsKey", "", "alias", "", "defaultIdentitySignatureScheme", "Lnet/corda/core/crypto/SignatureScheme;", "defaultTLSSignatureScheme", "generateKeyPair", "Ljava/security/PublicKey;", "scheme", "getPublicKey", "getSigner", "Lorg/bouncycastle/operator/ContentSigner;", "getType", "Lnet/corda/nodeapi/internal/cryptoservice/SupportedCryptoServices;", "importKey", "", "keyPair", "Ljava/security/KeyPair;", "resyncKeystore", "sign", "", "data", "signAlgorithm", "signWithAlgorithm", "node-api"})
/* loaded from: input_file:net/corda/nodeapi/internal/cryptoservice/bouncycastle/BCCryptoService.class */
/**
 * {@link CryptoService} implementation that keeps its keys in a {@link CertificateStore}
 * obtained from a {@link CertificateStoreSupplier} and reports itself as
 * {@link SupportedCryptoServices#BC_SIMPLE}.
 *
 * <p>This listing is JADX decompiler output of {@code BCCryptoService.kt}. Parameter names such as
 * {@code str}, {@code str2} and {@code bArr} are decompiler placeholders; the original Kotlin names
 * appear in the null-check strings ({@code "alias"}, {@code "data"}) and in the class metadata
 * ({@code "signAlgorithm"}). The anonymous {@code Function1} classes with a {@code super(1)}
 * initializer are decompiled Kotlin lambdas and are not valid Java as printed.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every signing path reads the {@link PrivateKey} object out of the keystore with the
 *       store's entry password and signs inside this JVM, so private key material is present
 *       in process memory while in use.</li>
 *   <li>{@code certificateStore} is a plain mutable field that is reassigned by
 *       {@link #setCertificateStore} and {@link #resyncKeystore} with no synchronization in this
 *       class. NOTE(review): confirm that callers do not swap the store concurrently with
 *       signing or key import.</li>
 * </ul>
 */
public final class BCCryptoService implements CryptoService {

    // Current key/certificate store; replaced wholesale by setCertificateStore and resyncKeystore.
    @NotNull
    private CertificateStore certificateStore;
    // Subject used for the self-signed certificate created in importKey.
    private final X500Principal legalName;
    // Source from which the store is loaded in the constructor and reloaded in resyncKeystore.
    private final CertificateStoreSupplier certificateStoreSupplier;

    /**
     * Identifies this implementation.
     *
     * @return always {@link SupportedCryptoServices#BC_SIMPLE}
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    @NotNull
    public SupportedCryptoServices getType() {
        return SupportedCryptoServices.BC_SIMPLE;
    }

    /**
     * Returns the store currently used for all key lookups.
     *
     * <p>NOTE(review): this accessor is public, and the returned store exposes
     * {@code getEntryPassword()} (used by the signing methods below), so any code holding this
     * service can reach the password that protects the private key entries. Confirm that the
     * set of callers is as narrow as intended.
     *
     * @return the current certificate store
     */
    @NotNull
    public final CertificateStore getCertificateStore() {
        return this.certificateStore;
    }

    /**
     * Replaces the store used for all subsequent key lookups, signing and imports.
     *
     * @param certificateStore the new store; a null value is rejected by the Kotlin intrinsic check
     */
    public final void setCertificateStore(@NotNull CertificateStore certificateStore) {
        Intrinsics.checkParameterIsNotNull(certificateStore, "<set-?>");
        this.certificateStore = certificateStore;
    }

    /**
     * Generates a new key pair for the given scheme, stores it under the alias via
     * {@link #importKey} and returns the public half.
     *
     * <p>There is no {@link #containsKey} check before the import. Whether an existing entry with
     * the same alias is replaced depends on {@code X509KeyStore.setPrivateKey}, which is not
     * visible here — TODO confirm, since a silent overwrite would discard the previous key.
     *
     * @param str the key alias ("alias" in the Kotlin source)
     * @param signatureScheme the scheme to generate the key pair for
     * @return the public key of the newly generated pair
     * @throws CryptoServiceException wrapping any exception raised during generation or import;
     *     the message names the alias and the scheme code name and numeric id
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    @NotNull
    public PublicKey generateKeyPair(@NotNull String str, @NotNull SignatureScheme signatureScheme) {
        Intrinsics.checkParameterIsNotNull(str, "alias");
        Intrinsics.checkParameterIsNotNull(signatureScheme, "scheme");
        try {
            KeyPair generateKeyPair = Crypto.generateKeyPair(signatureScheme);
            importKey(str, generateKeyPair);
            PublicKey publicKey = generateKeyPair.getPublic();
            Intrinsics.checkExpressionValueIsNotNull(publicKey, "keyPair.public");
            return publicKey;
        } catch (Exception e) {
            throw new CryptoServiceException("Cannot generate key for alias " + str + " and signature scheme " + signatureScheme.getSchemeCodeName() + " (id " + signatureScheme.getSchemeNumberID() + ')', e);
        }
    }

    /**
     * Reports whether the current store has an entry for the alias.
     *
     * @param str the key alias
     * @return the result of {@code certificateStore.contains(alias)}
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    public boolean containsKey(@NotNull String str) {
        Intrinsics.checkParameterIsNotNull(str, "alias");
        return this.certificateStore.contains(str);
    }

    /**
     * Looks up the public key stored under the alias.
     *
     * @param str the key alias
     * @return the public key returned by the keystore for that alias
     * @throws CryptoServiceException wrapping any exception raised by the lookup
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public PublicKey getPublicKey(@NotNull final String str) {
        Intrinsics.checkParameterIsNotNull(str, "alias");
        try {
            return (PublicKey) this.certificateStore.query(new Function1<X509KeyStore, PublicKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$getPublicKey$1
                @NotNull
                public final PublicKey invoke(@NotNull X509KeyStore x509KeyStore) {
                    Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                    return x509KeyStore.getPublicKey(str);
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            });
        } catch (Exception e) {
            throw new CryptoServiceException("Cannot get public key for alias " + str, e);
        }
    }

    /**
     * Signs the data with the private key stored under the alias.
     *
     * <p>When {@code str2} (the signature algorithm name) is null, the key is read from the store
     * and passed to {@code Crypto.doSign}; otherwise the call is delegated to
     * {@link #signWithAlgorithm} with the caller-supplied algorithm name.
     *
     * <p>On failure the exception message carries the alias and the SHA-256 of the data, not the
     * data itself. NOTE(review): that digest can end up in logs; for short or predictable
     * payloads a digest may still identify the content.
     *
     * @param str the key alias
     * @param bArr the data to sign
     * @param str2 the signature algorithm name, or null to let {@code Crypto.doSign} choose
     * @return the signature bytes
     * @throws CryptoServiceException wrapping any exception raised while loading the key or signing
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public byte[] sign(@NotNull final String str, @NotNull byte[] bArr, @Nullable String str2) {
        Intrinsics.checkParameterIsNotNull(str, "alias");
        Intrinsics.checkParameterIsNotNull(bArr, "data");
        try {
            return str2 == null ? Crypto.doSign((PrivateKey) this.certificateStore.query(new Function1<X509KeyStore, PrivateKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$sign$1
                @NotNull
                public final PrivateKey invoke(@NotNull X509KeyStore x509KeyStore) {
                    Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                    // The private key entry is unlocked with the store's own entry password.
                    return x509KeyStore.getPrivateKey(str, BCCryptoService.this.getCertificateStore().getEntryPassword());
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            }), bArr) : signWithAlgorithm(str, bArr, str2);
        } catch (Exception e) {
            throw new CryptoServiceException("Cannot sign using the key with alias " + str + ". SHA256 of data to be signed: " + SecureHashKt.sha256(bArr), e);
        }
    }

    /**
     * Signs the data with an explicitly named JCA signature algorithm.
     *
     * <p>The private key is read from the store, a {@link Signature} for {@code str2} is requested
     * from the Corda BouncyCastle provider, and it is initialised with a SecureRandom from
     * {@code CryptoUtils.newSecureRandom()}. This method has no try/catch of its own; its only
     * caller in this class, {@link #sign}, wraps failures in {@link CryptoServiceException}.
     *
     * <p>NOTE(review): the algorithm name comes from the caller and is not compared with the
     * signature scheme of the stored key here. A mismatch is presumably rejected by the provider
     * in {@code initSign}; confirm, and consider whether weak digests should be refused before
     * this point.
     *
     * @param str the key alias
     * @param bArr the data to sign
     * @param str2 the signature algorithm name passed to {@code Signature.getInstance}
     * @return the signature bytes
     */
    private final byte[] signWithAlgorithm(final String str, byte[] bArr, String str2) {
        PrivateKey privateKey = (PrivateKey) this.certificateStore.query(new Function1<X509KeyStore, PrivateKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$signWithAlgorithm$privateKey$1
            @NotNull
            public final PrivateKey invoke(@NotNull X509KeyStore x509KeyStore) {
                Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                return x509KeyStore.getPrivateKey(str, BCCryptoService.this.getCertificateStore().getEntryPassword());
            }

            /* JADX INFO: Access modifiers changed from: package-private */
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super(1);
            }
        });
        Signature signature = Signature.getInstance(str2, ProviderMapKt.getCordaBouncyCastleProvider());
        signature.initSign(privateKey, CryptoUtils.newSecureRandom());
        signature.update(bArr);
        byte[] sign = signature.sign();
        Intrinsics.checkExpressionValueIsNotNull(sign, "signature.sign()");
        return sign;
    }

    /**
     * Builds a BouncyCastle {@link ContentSigner} bound to the private key stored under the alias.
     *
     * <p>The signature scheme is derived from the key itself via {@code Crypto.findSignatureScheme},
     * and the provider is the one named by that scheme. The returned signer holds the private key
     * object, so it can keep signing after this call returns.
     *
     * @param str the key alias
     * @return a content signer for the stored key
     * @throws CryptoServiceException wrapping any exception raised while loading the key or
     *     building the signer
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public ContentSigner getSigner(@NotNull final String str) {
        Intrinsics.checkParameterIsNotNull(str, "alias");
        try {
            PrivateKey privateKey = (PrivateKey) this.certificateStore.query(new Function1<X509KeyStore, PrivateKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$getSigner$privateKey$1
                @NotNull
                public final PrivateKey invoke(@NotNull X509KeyStore x509KeyStore) {
                    Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                    return x509KeyStore.getPrivateKey(str, BCCryptoService.this.getCertificateStore().getEntryPassword());
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            });
            SignatureScheme findSignatureScheme = Crypto.findSignatureScheme(privateKey);
            return ContentSignerBuilder.INSTANCE.build(findSignatureScheme, privateKey, Crypto.findProvider(findSignatureScheme.getProviderName()), CryptoUtils.newSecureRandom());
        } catch (Exception e) {
            throw new CryptoServiceException("Cannot get Signer for key with alias " + str, e);
        }
    }

    /**
     * Returns the default signature scheme for identity keys.
     *
     * @return {@code X509Utilities.DEFAULT_IDENTITY_SIGNATURE_SCHEME}
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public SignatureScheme defaultIdentitySignatureScheme() {
        return X509Utilities.INSTANCE.getDEFAULT_IDENTITY_SIGNATURE_SCHEME();
    }

    /**
     * Returns the default signature scheme for TLS keys.
     *
     * @return {@code X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME}
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public SignatureScheme defaultTLSSignatureScheme() {
        return X509Utilities.INSTANCE.getDEFAULT_TLS_SIGNATURE_SCHEME();
    }

    /**
     * Replaces the current store with a fresh one obtained from the supplier.
     *
     * <p>The supplier is called with {@code true}, as in the constructor; the meaning of that flag
     * is defined by {@code CertificateStoreSupplier} and is not visible in this file.
     */
    public final void resyncKeystore() {
        this.certificateStore = this.certificateStoreSupplier.get(true);
    }

    /**
     * Stores an externally supplied key pair under the alias.
     *
     * <p>A self-signed CA certificate is created for {@code legalName} and the key pair, and the
     * private key is written to the store with that single certificate as its chain, protected by
     * the store's entry password.
     *
     * <p>NOTE(review): this method is public and accepts any key pair, so a caller can place key
     * material of its choosing under an alias. Whether an existing entry is replaced is decided by
     * {@code X509KeyStore.setPrivateKey} — TODO confirm.
     *
     * @param str the key alias
     * @param keyPair the key pair to store
     * @throws CryptoServiceException wrapping any exception raised while creating the certificate
     *     or writing the entry
     */
    public final void importKey(@NotNull final String str, @NotNull final KeyPair keyPair) {
        Intrinsics.checkParameterIsNotNull(str, "alias");
        Intrinsics.checkParameterIsNotNull(keyPair, "keyPair");
        try {
            // Kotlin default-argument bridge: the trailing (null, 4, null) arguments ask for the
            // declared default of the third parameter, which is not visible in this file.
            final X509Certificate createSelfSignedCACertificate$default = X509Utilities.createSelfSignedCACertificate$default(this.legalName, keyPair, null, 4, null);
            this.certificateStore.query(new Function1<X509KeyStore, Unit>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$importKey$1
                public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                    invoke((X509KeyStore) obj);
                    return Unit.INSTANCE;
                }

                public final void invoke(@NotNull X509KeyStore x509KeyStore) {
                    Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                    String str2 = str;
                    PrivateKey privateKey = keyPair.getPrivate();
                    Intrinsics.checkExpressionValueIsNotNull(privateKey, "keyPair.private");
                    // Chain is exactly one certificate: the self-signed one created above.
                    x509KeyStore.setPrivateKey(str2, privateKey, CollectionsKt.listOf(createSelfSignedCACertificate$default), BCCryptoService.this.getCertificateStore().getEntryPassword());
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            });
        } catch (Exception e) {
            throw new CryptoServiceException("Cannot import key with alias " + str, e);
        }
    }

    /**
     * Creates the service and loads the initial store from the supplier.
     *
     * @param x500Principal the legal name used as the subject of certificates created by
     *     {@link #importKey} ("legalName" in the Kotlin source)
     * @param certificateStoreSupplier the source of the certificate store; it is called with
     *     {@code true} here and again in {@link #resyncKeystore}
     */
    public BCCryptoService(@NotNull X500Principal x500Principal, @NotNull CertificateStoreSupplier certificateStoreSupplier) {
        Intrinsics.checkParameterIsNotNull(x500Principal, "legalName");
        Intrinsics.checkParameterIsNotNull(certificateStoreSupplier, "certificateStoreSupplier");
        this.legalName = x500Principal;
        this.certificateStoreSupplier = certificateStoreSupplier;
        this.certificateStore = this.certificateStoreSupplier.get(true);
    }
}
