package net.corda.node.utilities.registration;

import java.io.Closeable;
import java.io.StringWriter;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import kotlin.AutoCloseableKt;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.Unit;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import net.corda.core.crypto.Crypto;
import net.corda.core.identity.CordaX500Name;
import net.corda.core.internal.CertRole;
import net.corda.core.internal.InternalUtils;
import net.corda.node.services.config.NodeConfiguration;
import net.corda.nodeapi.internal.crypto.CertificateType;
import net.corda.nodeapi.internal.crypto.X509KeyStore;
import net.corda.nodeapi.internal.crypto.X509Utilities;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemObject;
import org.jetbrains.annotations.NotNull;

/* compiled from: NetworkRegistrationHelper.kt */
@Metadata(mv = {1, 1, 8}, bv = {1, 0, 2}, k = 1, d1 = {"��F\n\u0002\u0018\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n\u0002\b\u0004\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0002\n��\n\u0002\u0010 \n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\u0018�� \u00192\u00020\u0001:\u0001\u0019B%\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\u0006\u0010\u0006\u001a\u00020\u0007\u0012\u0006\u0010\b\u001a\u00020\t¢\u0006\u0002\u0010\nJ\u0006\u0010\u0011\u001a\u00020\u0012J\u0016\u0010\u0013\u001a\b\u0012\u0004\u0012\u00020\u000e0\u00142\u0006\u0010\u0015\u001a\u00020\tH\u0002J\u0010\u0010\u0016\u001a\u00020\t2\u0006\u0010\u0017\u001a\u00020\u0018H\u0002R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u000b\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\f\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\r\u001a\u00020\u000eX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u000f\u001a\u00020\u0010X\u0082\u0004¢\u0006\u0002\n��¨\u0006\u001a"}, d2 = {"Lnet/corda/node/utilities/registration/NetworkRegistrationHelper;", "", "config", "Lnet/corda/node/services/config/NodeConfiguration;", "certService", "Lnet/corda/node/utilities/registration/NetworkRegistrationService;", "networkRootTrustStorePath", "Ljava/nio/file/Path;", "networkRootTruststorePassword", "", "(Lnet/corda/node/services/config/NodeConfiguration;Lnet/corda/node/utilities/registration/NetworkRegistrationService;Ljava/nio/file/Path;Ljava/lang/String;)V", "privateKeyPassword", "requestIdStore", "rootCert", "Ljava/security/cert/X509Certificate;", "rootTrustStore", "Lnet/corda/nodeapi/internal/crypto/X509KeyStore;", "buildKeystore", "", "pollServerForCertificates", "", "requestId", "submitOrResumeCertificateSigningRequest", "keyPair", "Ljava/security/KeyPair;", 
"Companion", "node"})
/* loaded from: input_file:net/corda/node/utilities/registration/NetworkRegistrationHelper.class */
/**
 * Drives the one-off node registration flow: creates a self-signed interim key, submits a
 * certificate signing request (CSR) to the {@link NetworkRegistrationService}, polls for the
 * signed chain, validates it against the compatibility-zone root, and then writes the node CA,
 * trust-store and TLS entries into the node's key stores.
 *
 * <p>Decompiled from Kotlin ({@code NetworkRegistrationHelper.kt}); the {@code Intrinsics} calls,
 * {@code $default} overloads and the synthetic {@code Function1} subclasses are compiler artefacts,
 * not application logic. The Kotlin parameter names are recorded in the {@code Intrinsics}
 * null-check strings.
 *
 * <p>Trust anchor: the root certificate used to validate the returned chain is read from the
 * operator-supplied trust store given to the constructor, so that file and its password are the
 * security-critical inputs of this class.
 */
public final class NetworkRegistrationHelper {
    // On-disk record of an in-flight CSR id: <certificatesDirectory>/certificate-request-id.txt.
    // Its presence makes the next run resume polling instead of submitting a new CSR.
    private final Path requestIdStore;
    // Password for the node key-store private-key entries; taken from config.getKeyStorePassword().
    private final String privateKeyPassword;
    // Trust store opened from the constructor's networkRootTrustStorePath.
    private final X509KeyStore rootTrustStore;
    // Certificate under alias "cordarootca" in rootTrustStore; the anchor for chain validation.
    private final X509Certificate rootCert;
    private final NodeConfiguration config;
    private final NetworkRegistrationService certService;

    // Alias of the temporary self-signed entry; removed from the node key store once the signed chain is stored.
    @NotNull
    public static final String SELF_SIGNED_PRIVATE_KEY = "Self Signed Private Key";
    public static final Companion Companion = new Companion(null);

    /* compiled from: NetworkRegistrationHelper.kt */
    @Metadata(mv = {1, 1, 8}, bv = {1, 0, 2}, k = 1, d1 = {"��\u0012\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010\u000e\n��\b\u0082\u0003\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002R\u000e\u0010\u0003\u001a\u00020\u0004X\u0086T¢\u0006\u0002\n��¨\u0006\u0005"}, d2 = {"Lnet/corda/node/utilities/registration/NetworkRegistrationHelper$Companion;", "", "()V", "SELF_SIGNED_PRIVATE_KEY", "", "node"})
    /* loaded from: input_file:net/corda/node/utilities/registration/NetworkRegistrationHelper$Companion.class */
    // Kotlin companion-object holder; carries no state of its own.
    private static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Runs the full registration flow and populates the node key store, trust store and SSL key store.
     *
     * <p>Steps, in order: ensure the certificates directory exists; return early if a
     * {@code "cordaclientca"} entry already exists; create (once) a self-signed interim CA key under
     * {@link #SELF_SIGNED_PRIVATE_KEY}; submit or resume the CSR and poll until the signed chain
     * arrives; check the leaf's subject and role and validate the chain against {@link #rootCert};
     * store the node CA key, write the root into the trust store, issue a TLS certificate for
     * messaging, and delete the request-id file.
     *
     * <p>On {@link CertificateRequestException} the request-id file is deleted (so the next run starts
     * a fresh CSR) and the exception is rethrown after diagnostics are printed to stderr.
     *
     * <p>NOTE(review): an empty chain from the server reaches {@code get(0)} and fails with an
     * {@link IndexOutOfBoundsException}, which none of the handlers below translate — confirm whether
     * {@code retrieveCertificates} can return an empty list.
     */
    /* JADX WARN: Multi-variable type inference failed */
    public final void buildKeystore() {
        // Ensure the certificates directory exists before any key store is written.
        InternalUtils.createDirectories(this.config.getCertificatesDirectory(), new FileAttribute[0]);
        // NOTE(review): the meaning of the boolean argument is not visible in this decompilation — confirm.
        X509KeyStore loadNodeKeyStore = this.config.loadNodeKeyStore(true);
        // Idempotency guard: a node CA entry means registration already completed.
        if (loadNodeKeyStore.contains("cordaclientca")) {
            System.out.println((Object) "Certificate already exists, Corda node will now terminate...");
            return;
        }
        // First run only: generate the interim key pair that the CSR is built from. A resumed run
        // reuses the entry saved here, so the CSR and the stored key stay paired.
        if (!loadNodeKeyStore.contains(SELF_SIGNED_PRIVATE_KEY)) {
            KeyPair generateKeyPair = Crypto.generateKeyPair(X509Utilities.INSTANCE.getDEFAULT_TLS_SIGNATURE_SCHEME());
            X509Certificate createSelfSignedCACertificate$default = X509Utilities.createSelfSignedCACertificate$default(this.config.getMyLegalName().getX500Principal(), generateKeyPair, (Pair) null, 4, (Object) null);
            PrivateKey privateKey = generateKeyPair.getPrivate();
            Intrinsics.checkExpressionValueIsNotNull(privateKey, "keyPair.private");
            loadNodeKeyStore.setPrivateKey(SELF_SIGNED_PRIVATE_KEY, privateKey, CollectionsKt.listOf(createSelfSignedCACertificate$default), this.privateKeyPassword);
            loadNodeKeyStore.save();
        }
        final KeyPair keyPair = loadNodeKeyStore.getCertificateAndKeyPair(SELF_SIGNED_PRIVATE_KEY, this.privateKeyPassword).getKeyPair();
        try {
            // Blocks until the signing server returns a chain (see pollServerForCertificates).
            final List<X509Certificate> pollServerForCertificates = pollServerForCertificates(submitOrResumeCertificateSigningRequest(keyPair));
            // First element is treated as the node CA certificate issued for this node.
            final X509Certificate x509Certificate = pollServerForCertificates.get(0);
            try {
                CordaX500Name.Companion companion = CordaX500Name.Companion;
                X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
                Intrinsics.checkExpressionValueIsNotNull(subjectX500Principal, "nodeCaCert.subjectX500Principal");
                CordaX500Name build = companion.build(subjectX500Principal);
                // The issued subject must be exactly this node's configured legal name.
                if (!Intrinsics.areEqual(build, this.config.getMyLegalName())) {
                    throw ((Throwable) new CertificateRequestException("Subject of received node CA cert doesn't match with node legal name: " + build));
                }
                try {
                    // Reject a certificate issued with any role other than NODE_CA.
                    CertRole extract = CertRole.Companion.extract(x509Certificate);
                    if (!Intrinsics.areEqual(extract, CertRole.NODE_CA)) {
                        throw ((Throwable) new CertificateRequestException("Received node CA cert has invalid role: " + extract));
                    }
                    // Trust check: the whole returned chain must validate up to the locally configured CZ root.
                    X509Utilities.INSTANCE.validateCertificateChain(this.rootCert, pollServerForCertificates);
                    System.out.println((Object) "Certificate signing request approved, storing private key with the certificate chain.");
                    PrivateKey privateKey2 = keyPair.getPrivate();
                    Intrinsics.checkExpressionValueIsNotNull(privateKey2, "keyPair.private");
                    // Store the interim private key under its final alias with the signed chain, then drop the self-signed entry.
                    loadNodeKeyStore.setPrivateKey("cordaclientca", privateKey2, pollServerForCertificates, this.privateKeyPassword);
                    loadNodeKeyStore.getInternal().deleteEntry(SELF_SIGNED_PRIVATE_KEY);
                    loadNodeKeyStore.save();
                    System.out.println((Object) ("Node private key and certificate stored in " + this.config.getNodeKeystore() + '.'));
                    this.config.loadTrustStore(true).update(new Function1<X509KeyStore, Unit>() { // from class: net.corda.node.utilities.registration.NetworkRegistrationHelper$buildKeystore$1
                        public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                            invoke((X509KeyStore) obj);
                            return Unit.INSTANCE;
                        }

                        public final void invoke(@NotNull X509KeyStore x509KeyStore) {
                            Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                            System.out.println((Object) "Generating trust store for corda node.");
                            // The trust-store root is taken from the tail of the server-supplied chain, not from
                            // this.rootCert; the chain was validated against this.rootCert above, so presumably
                            // the two are the same certificate — confirm against validateCertificateChain's contract.
                            x509KeyStore.setCertificate("cordarootca", (X509Certificate) CollectionsKt.last(pollServerForCertificates));
                        }

                        /* JADX INFO: Access modifiers changed from: package-private */
                        /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                        {
                            super(1);
                        }
                    });
                    System.out.println((Object) ("Node trust store stored in " + this.config.getTrustStoreFile() + '.'));
                    this.config.loadSslKeyStore(true).update(new Function1<X509KeyStore, Unit>() { // from class: net.corda.node.utilities.registration.NetworkRegistrationHelper$buildKeystore$2
                        public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                            invoke((X509KeyStore) obj);
                            return Unit.INSTANCE;
                        }

                        public final void invoke(@NotNull X509KeyStore x509KeyStore) {
                            NodeConfiguration nodeConfiguration;
                            Intrinsics.checkParameterIsNotNull(x509KeyStore, "$receiver");
                            System.out.println((Object) "Generating SSL certificate for node messaging service.");
                            // A separate key pair for TLS; the node CA cert/key pair from above act as its issuer.
                            KeyPair generateKeyPair2 = Crypto.generateKeyPair(X509Utilities.INSTANCE.getDEFAULT_TLS_SIGNATURE_SCHEME());
                            CertificateType certificateType = CertificateType.TLS;
                            X509Certificate x509Certificate2 = x509Certificate;
                            KeyPair keyPair2 = keyPair;
                            nodeConfiguration = NetworkRegistrationHelper.this.config;
                            X500Principal x500Principal = nodeConfiguration.getMyLegalName().getX500Principal();
                            PublicKey publicKey = generateKeyPair2.getPublic();
                            Intrinsics.checkExpressionValueIsNotNull(publicKey, "sslKeyPair.public");
                            X509Certificate createCertificate$default = X509Utilities.createCertificate$default(certificateType, x509Certificate2, keyPair2, x500Principal, publicKey, (Pair) null, (NameConstraints) null, 96, (Object) null);
                            PrivateKey privateKey3 = generateKeyPair2.getPrivate();
                            Intrinsics.checkExpressionValueIsNotNull(privateKey3, "sslKeyPair.private");
                            // Stored chain is the TLS cert followed by the received node CA chain. The password
                            // argument is left at its Kotlin default, whose value is not visible here.
                            X509KeyStore.setPrivateKey$default(x509KeyStore, "cordaclienttls", privateKey3, CollectionsKt.plus(CollectionsKt.listOf(createCertificate$default), pollServerForCertificates), (String) null, 8, (Object) null);
                        }

                        /* JADX INFO: Access modifiers changed from: package-private */
                        /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                        {
                            super(1);
                        }
                    });
                    System.out.println((Object) ("SSL private key and certificate stored in " + this.config.getSslKeystore() + '.'));
                    // Registration complete: remove the resume marker.
                    InternalUtils.deleteIfExists(this.requestIdStore);
                // NOTE(review): in this decompiled form the catch spans everything from the role extraction
                // through the key-store writes, so an IllegalArgumentException raised by chain validation or
                // a store update is reported as a role-extraction failure; the cause is also not chained.
                } catch (IllegalArgumentException e) {
                    throw ((Throwable) new CertificateRequestException("Unable to extract cert role from received node CA cert: " + e.getMessage()));
                }
            // NOTE(review): same scope issue for the subject-name check; only the message survives, not the cause.
            } catch (IllegalArgumentException e2) {
                throw ((Throwable) new CertificateRequestException("Received node CA cert has invalid subject name: " + e2.getMessage()));
            }
        } catch (CertificateRequestException e3) {
            System.err.println(e3.getMessage());
            System.err.println("Please make sure the details in configuration file are correct and try again.");
            System.err.println("Corda node will now terminate.");
            // Drop the request id so a retry submits a fresh CSR instead of resuming this one.
            InternalUtils.deleteIfExists(this.requestIdStore);
            throw ((Throwable) e3);
        }
    }

    /**
     * Polls the registration service until it returns a certificate chain for the given request id.
     *
     * <p>Each response carries a wait duration and an optional chain; the loop sleeps for the
     * server-supplied duration and retries while the chain is {@code null}. There is no retry
     * limit, overall timeout, or cap on the sleep interval, so a server that never answers keeps
     * this call blocked indefinitely.
     *
     * <p>NOTE(review): {@link Thread#sleep} is called without handling {@link InterruptedException}
     * (Kotlin has no checked exceptions); as Java source this does not compile unchanged.
     *
     * @param str the request id returned by {@code submitRequest} or read from {@link #requestIdStore}
     * @return the signed chain; its first element is used as the node CA cert by {@link #buildKeystore()}
     */
    private final List<X509Certificate> pollServerForCertificates(String str) {
        System.out.println((Object) "Start polling server for certificate signing approval.");
        while (true) {
            CertificateResponse retrieveCertificates = this.certService.retrieveCertificates(str);
            // component1 = wait interval suggested by the server, component2 = chain or null if not ready.
            Duration component1 = retrieveCertificates.component1();
            List<X509Certificate> component2 = retrieveCertificates.component2();
            if (component2 != null) {
                return component2;
            }
            Thread.sleep(component1.toMillis());
        }
    }

    /**
     * Returns the id of the CSR to poll for: the one recorded in {@link #requestIdStore} if that
     * file exists, otherwise a new CSR is built from the node's legal name, email address and the
     * given key pair, printed in PEM form, submitted to the service, and its id written to
     * {@link #requestIdStore}.
     *
     * <p>The nested try/catch blocks around {@code lines} and {@code jcaPEMWriter} are the
     * decompiled form of Kotlin {@code use {}} resource handling.
     *
     * <p>NOTE(review): the resumed id is the first line of the file, taken unvalidated via
     * {@code findFirst().get()}; an empty file throws {@link java.util.NoSuchElementException}
     * rather than falling through to a new submission. The CSR and public key printed to stdout
     * are public material; the private key is not written anywhere here.
     *
     * @param keyPair the interim key pair passed to {@code createCertificateSigningRequest}
     * @return the request id
     */
    private final String submitOrResumeCertificateSigningRequest(KeyPair keyPair) {
        if (InternalUtils.exists(this.requestIdStore, new LinkOption[0])) {
            Path path = this.requestIdStore;
            Charset charset = StandardCharsets.UTF_8;
            Intrinsics.checkExpressionValueIsNotNull(charset, "UTF_8");
            Stream<String> lines = Files.lines(path, charset);
            Throwable th = (Throwable) null;
            try {
                try {
                    String str = lines.findFirst().get();
                    AutoCloseableKt.closeFinally(lines, th);
                    System.out.println((Object) ("Resuming from previous certificate signing request, request ID: " + str + '.'));
                    Intrinsics.checkExpressionValueIsNotNull(str, "requestId");
                    return str;
                } catch (Throwable th2) {
                    th = th2;
                    throw th2;
                }
            } catch (Throwable th3) {
                AutoCloseableKt.closeFinally(lines, th);
                throw th3;
            }
        }
        PKCS10CertificationRequest createCertificateSigningRequest = X509Utilities.INSTANCE.createCertificateSigningRequest(this.config.getMyLegalName().getX500Principal(), this.config.getEmailAddress(), keyPair);
        StringWriter stringWriter = new StringWriter();
        JcaPEMWriter jcaPEMWriter = (Closeable) new JcaPEMWriter(stringWriter);
        try {
            try {
                // PEM-encode the DER CSR purely for display; the DER object itself is what gets submitted.
                jcaPEMWriter.writeObject(new PemObject("CERTIFICATE REQUEST", createCertificateSigningRequest.getEncoded()));
                Unit unit = Unit.INSTANCE;
                jcaPEMWriter.close();
                System.out.println((Object) "Certificate signing request with the following information will be submitted to the Corda certificate signing server.");
                System.out.println();
                System.out.println((Object) ("Legal Name: " + this.config.getMyLegalName()));
                System.out.println((Object) ("Email: " + this.config.getEmailAddress()));
                System.out.println();
                System.out.println((Object) ("Public Key: " + keyPair.getPublic()));
                System.out.println();
                System.out.println((Object) ("" + stringWriter));
                System.out.println((Object) "Submitting certificate signing request to Corda certificate signing server.");
                String submitRequest = this.certService.submitRequest(createCertificateSigningRequest);
                // Persist the id so an interrupted run resumes polling instead of submitting a duplicate CSR.
                InternalUtils.writeLines$default(this.requestIdStore, CollectionsKt.listOf(submitRequest), (Charset) null, new OpenOption[0], 2, (Object) null);
                System.out.println((Object) ("Successfully submitted request to Corda certificate signing server, request ID: " + submitRequest + '.'));
                return submitRequest;
            } catch (Throwable th4) {
                if (0 == 0) {
                    jcaPEMWriter.close();
                }
                throw th4;
            }
        } catch (Exception e) {
            // A failure to close the StringWriter-backed PEM writer is deliberately swallowed (e2)
            // so that the original exception e is the one that propagates.
            try {
                jcaPEMWriter.close();
            } catch (Exception e2) {
            }
            throw e;
        }
    }

    /**
     * Creates a helper bound to the node configuration and registration service.
     *
     * <p>Fails fast if the root trust store file does not exist; otherwise it is opened with the
     * given password and the certificate stored under alias {@code "cordarootca"} becomes the
     * validation anchor for every chain the server returns.
     *
     * @param nodeConfiguration node configuration (Kotlin name {@code config})
     * @param networkRegistrationService signing-service client (Kotlin name {@code certService})
     * @param path path of the compatibility-zone root trust store (Kotlin name {@code networkRootTrustStorePath})
     * @param str password of that trust store (Kotlin name {@code networkRootTruststorePassword})
     * @throws IllegalArgumentException if {@code path} does not exist
     */
    public NetworkRegistrationHelper(@NotNull NodeConfiguration nodeConfiguration, @NotNull NetworkRegistrationService networkRegistrationService, @NotNull Path path, @NotNull String str) {
        Intrinsics.checkParameterIsNotNull(nodeConfiguration, "config");
        Intrinsics.checkParameterIsNotNull(networkRegistrationService, "certService");
        Intrinsics.checkParameterIsNotNull(path, "networkRootTrustStorePath");
        Intrinsics.checkParameterIsNotNull(str, "networkRootTruststorePassword");
        this.config = nodeConfiguration;
        this.certService = networkRegistrationService;
        this.requestIdStore = InternalUtils.div(this.config.getCertificatesDirectory(), "certificate-request-id.txt");
        this.privateKeyPassword = this.config.getKeyStorePassword();
        if (!InternalUtils.exists(path, new LinkOption[0])) {
            throw new IllegalArgumentException(("" + path + " does not exist. This file must contain the root CA cert of your compatibility zone. Please contact your CZ operator.").toString());
        }
        // Trailing (false, 4) arguments are Kotlin default-parameter plumbing; their meaning is not visible here.
        this.rootTrustStore = X509KeyStore.Companion.fromFile$default(X509KeyStore.Companion, path, str, false, 4, (Object) null);
        this.rootCert = this.rootTrustStore.getCertificate("cordarootca");
    }
}
