package net.corda.node.internal;

import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.List;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import net.corda.node.services.config.ConfigUtilitiesKt;
import net.corda.node.services.config.NodeConfiguration;
import net.corda.nodeapi.internal.config.CertificateStoreSupplier;
import net.corda.nodeapi.internal.crypto.X509KeyStore;
import net.corda.nodeapi.internal.cryptoservice.CryptoService;
import net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* compiled from: NodeKeyStoreUtilities.kt */
@Metadata(mv = {1, 1, 11}, bv = {1, 0, 2}, k = 2, d1 = {"��\u001a\n��\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\u001a\u000e\u0010��\u001a\u0004\u0018\u00010\u0001*\u00020\u0002H\u0002\u001a\u0014\u0010\u0003\u001a\u00020\u0004*\u00020\u00022\u0006\u0010\u0005\u001a\u00020\u0006H��\u001a\f\u0010\u0007\u001a\u00020\u0004*\u00020\u0002H\u0002¨\u0006\b"}, d2 = {"getCertificateStores", "Lnet/corda/node/internal/AllCertificateStores;", "Lnet/corda/node/services/config/NodeConfiguration;", "initKeyStores", "Ljava/security/cert/X509Certificate;", "cryptoService", "Lnet/corda/nodeapi/internal/cryptoservice/CryptoService;", "validateKeyStores", "node"})
/* loaded from: input_file:net/corda/node/internal/NodeKeyStoreUtilitiesKt.class */
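/**
 * Start-up helpers that load the node's trust store, TLS key store and identity key store and
 * check that they are present and consistent with each other.
 *
 * <p>This is decompiled Kotlin: the static methods were extension functions on
 * {@code NodeConfiguration}, which is why the first parameter is reported as {@code $receiver}.
 */
public final class NodeKeyStoreUtilitiesKt {
    /** Alias the trust store must hold for the network trust root. */
    private static final String ROOT_CA_ALIAS = "cordarootca";
    /** Alias the TLS key store must hold for the node's TLS key. */
    private static final String CLIENT_TLS_ALIAS = "cordaclienttls";
    /** Alias the identity key store must hold for the node CA key. */
    private static final String CLIENT_CA_ALIAS = "cordaclientca";

    /**
     * Prepares the key stores (dev mode only) and validates them.
     *
     * <p>When {@code getDevMode()} is true, {@code configureWithDevSSLCertificate} is invoked
     * before validation and a {@code BCCryptoService} is asked to resync its key store.
     * NOTE(review): the helper presumably provisions development certificates; confirm that
     * dev mode cannot be enabled on a production node, since nothing in this method restricts it.
     *
     * @param nodeConfiguration node configuration supplying the store locations and dev-mode flag
     * @param cryptoService crypto service handed to the dev-certificate helper
     * @return the trust root certificate found under the {@code cordarootca} alias
     * @throws IllegalArgumentException if a store is missing, an alias is absent, a password does
     *     not match, or a chain does not end at the trust root
     */
    @NotNull
    public static final X509Certificate initKeyStores(@NotNull NodeConfiguration nodeConfiguration, @NotNull CryptoService cryptoService) {
        Intrinsics.checkParameterIsNotNull(nodeConfiguration, "$receiver");
        Intrinsics.checkParameterIsNotNull(cryptoService, "cryptoService");
        if (nodeConfiguration.getDevMode()) {
            ConfigUtilitiesKt.configureWithDevSSLCertificate(nodeConfiguration, cryptoService);
            if (cryptoService instanceof BCCryptoService) {
                // Reload so the in-memory crypto service sees whatever the helper just wrote.
                ((BCCryptoService) cryptoService).resyncKeystore();
            }
        }
        return validateKeyStores(nodeConfiguration);
    }

    /**
     * Checks that all three stores load, contain the expected aliases, and that the TLS and node
     * CA chains both end in the certificate stored as the trust root.
     *
     * <p>The chain check is an equality comparison between the last certificate of each chain and
     * the trust-store entry. This method does not itself verify signatures, validity periods or
     * revocation along the chain; if those guarantees are needed they must be enforced elsewhere.
     *
     * @param nodeConfiguration node configuration supplying the stores
     * @return the trust root certificate
     * @throws IllegalArgumentException on any failed check; a {@link KeyStoreException} is wrapped
     *     with its cause preserved
     */
    private static final X509Certificate validateKeyStores(@NotNull NodeConfiguration nodeConfiguration) {
        try {
            AllCertificateStores certificateStores = getCertificateStores(nodeConfiguration);
            if (certificateStores == null) {
                throw new IllegalArgumentException("One or more keyStores (identity or TLS) or trustStore not found. Please either copy your existing keys and certificates from another node, or if you don't have one yet, fill out the config file and run corda.jar initial-registration.");
            }
            if (!certificateStores.getTrustStore().contains(ROOT_CA_ALIAS)) {
                throw new IllegalArgumentException("Alias for trustRoot key not found. Please ensure you have an updated trustStore file.");
            }
            if (!certificateStores.getSslKeyStore().contains(CLIENT_TLS_ALIAS)) {
                throw new IllegalArgumentException("Alias for TLS key not found. Please ensure you have an updated TLS keyStore file.");
            }
            if (!certificateStores.getIdentitiesKeyStore().contains(CLIENT_CA_ALIAS)) {
                throw new IllegalArgumentException("Alias for Node CA key not found. Please ensure you have an updated identity keyStore file.");
            }
            X509Certificate trustRoot = certificateStores.getTrustStore().get(ROOT_CA_ALIAS);
            // The last element of each chain is treated as that chain's root.
            X509Certificate sslCertChainRoot = (X509Certificate) CollectionsKt.last((List) certificateStores.getSslKeyStore().query(new Function1<X509KeyStore, List<? extends X509Certificate>>() { // from class: net.corda.node.internal.NodeKeyStoreUtilitiesKt$validateKeyStores$sslCertChainRoot$1
                @NotNull
                public final List<X509Certificate> invoke(@NotNull X509KeyStore x509KeyStore) {
                    Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                    return x509KeyStore.getCertificateChain(CLIENT_TLS_ALIAS);
                }
            }));
            X509Certificate nodeCaCertChainRoot = (X509Certificate) CollectionsKt.last((List) certificateStores.getIdentitiesKeyStore().query(new Function1<X509KeyStore, List<? extends X509Certificate>>() { // from class: net.corda.node.internal.NodeKeyStoreUtilitiesKt$validateKeyStores$nodeCaCertChainRoot$1
                @NotNull
                public final List<X509Certificate> invoke(@NotNull X509KeyStore x509KeyStore) {
                    Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                    return x509KeyStore.getCertificateChain(CLIENT_CA_ALIAS);
                }
            }));
            if (!Intrinsics.areEqual(sslCertChainRoot, trustRoot)) {
                throw new IllegalArgumentException("TLS certificate must chain to the trusted root.");
            }
            if (!Intrinsics.areEqual(nodeCaCertChainRoot, trustRoot)) {
                throw new IllegalArgumentException("Client CA certificate must chain to the trusted root.");
            }
            return trustRoot;
        } catch (KeyStoreException e) {
            // Keep the cause: the message guesses at a password mismatch, and the underlying
            // exception is what an operator needs to tell that apart from a corrupt store.
            throw new IllegalArgumentException("At least one of the keystores or truststore passwords does not match configuration.", e);
        }
    }

    /**
     * Loads the trust store, TLS key store and signing (identity) store named by the configuration.
     *
     * @param nodeConfiguration node configuration supplying the three store suppliers
     * @return the loaded stores, or {@code null} if an {@link IOException} occurred while loading
     *     (the exception is logged at error level)
     */
    private static final AllCertificateStores getCertificateStores(@NotNull NodeConfiguration nodeConfiguration) {
        try {
            return new AllCertificateStores(
                    CertificateStoreSupplier.DefaultImpls.get$default(nodeConfiguration.getP2pSslOptions().getTrustStore(), false, 1, (Object) null),
                    CertificateStoreSupplier.DefaultImpls.get$default(nodeConfiguration.getP2pSslOptions().getKeyStore(), false, 1, (Object) null),
                    CertificateStoreSupplier.DefaultImpls.get$default(nodeConfiguration.getSigningCertificateStore(), false, 1, (Object) null));
        } catch (IOException e) {
            Logger logger = LoggerFactory.getLogger(NodeConfiguration.class);
            Intrinsics.checkExpressionValueIsNotNull(logger, "LoggerFactory.getLogger(T::class.java)");
            logger.error("IO exception while trying to validate keystores and truststore", e);
            // The caller turns null into the "stores not found" IllegalArgumentException.
            return null;
        }
    }
}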
