package net.corda.nodeapi.internal.protonwrapper.netty;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.DomainWildcardMappingBuilder;
import java.net.URI;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Executor;
import java.util.concurrent.ThreadPoolExecutor;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.NoWhenBranchMatchedException;
import kotlin.Pair;
import kotlin.TuplesKt;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.collections.MapsKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.jvm.internal.StringCompanionObject;
import kotlin.ranges.RangesKt;
import kotlin.text.StringsKt;
import net.corda.core.crypto.CryptoUtils;
import net.corda.core.crypto.SecureHash;
import net.corda.core.identity.CordaX500Name;
import net.corda.core.utilities.NetworkHostAndPort;
import net.corda.nodeapi.internal.ArtemisTcpTransport;
import net.corda.nodeapi.internal.NodeApiUtilsKt;
import net.corda.nodeapi.internal.config.CertificateStore;
import net.corda.nodeapi.internal.crypto.KeyStoreUtilities;
import net.corda.nodeapi.internal.crypto.X509UtilitiesKt;
import net.corda.nodeapi.internal.protonwrapper.netty.RevocationConfig;
import net.corda.nodeapi.internal.revocation.CordaRevocationChecker;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* compiled from: SSLHelper.kt */
@Metadata(mv = {1, 9, 0}, k = 2, xi = 48, d1 = {"��°\u0001\n��\n\u0002\u0010\u000e\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u0011\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\"\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0010$\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0010\u0012\n��\u001a\u001d\u0010\t\u001a\u00020\u00012\u0010\u0010\n\u001a\f\u0012\u0006\b\u0001\u0012\u00020\f\u0018\u00010\u000b¢\u0006\u0002\u0010\r\u001a\u0018\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00112\b\u0010\u0012\u001a\u0004\u0018\u00010\u0013\u001a>\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\f\u0010\u0018\u001a\b\u0012\u0004\u0012\u00020\u001a0\u00192\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u001d\u001a\u00020\u001eH��\u001a6\u0010\u001f\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\f\u0010\u0018\u001a\b\u0012\u0004\u0012\u00020\u001a0\u00192\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u001d\u001a\u00020\u001eH��\u001a(\u0010 
\u001a\u00020\u00152\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u001d\u001a\u00020\u001eH��\u001a$\u0010!\u001a\u00020\"2\u0012\u0010#\u001a\u000e\u0012\u0004\u0012\u00020\u0001\u0012\u0004\u0012\u00020\u00110$2\u0006\u0010\u0012\u001a\u00020\u0013H��\u001a(\u0010%\u001a\u00020\u00152\u0006\u0010&\u001a\u00020'2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u001d\u001a\u00020\u001eH��\u001a\u0018\u0010(\u001a\u00020)2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013H\u0002\u001a\u000e\u0010\u0010\u001a\u00020\u00112\u0006\u0010&\u001a\u00020'\u001a\u001c\u0010*\u001a\u000e\u0012\u0004\u0012\u00020\u0001\u0012\u0004\u0012\u00020+0$2\u0006\u0010,\u001a\u00020-H��\u001a\u000e\u0010.\u001a\u00020/2\u0006\u00100\u001a\u00020\u0001\u001a\u000e\u0010\u0012\u001a\u00020\u00132\u0006\u00101\u001a\u00020'\u001a\u001e\u00102\u001a\u00020\u00132\u0006\u00101\u001a\u00020'2\u0006\u00103\u001a\u0002042\u0006\u00105\u001a\u000206\u001a\u0010\u00107\u001a\u00020\u00012\u0006\u00108\u001a\u00020\u001aH��\u001a\u001e\u00109\u001a\u0016\u0012\u0004\u0012\u00020:\u0012\f\u0012\n\u0012\u0004\u0012\u00020<\u0018\u00010;0$*\u00020\f\u001a\n\u0010=\u001a\u00020\u0001*\u00020\f\u001a\u0012\u0010>\u001a\u00020?*\u00020\u00112\u0006\u0010&\u001a\u00020'\u001a\n\u0010@\u001a\u00020A*\u00020B\"\u000e\u0010��\u001a\u00020\u0001X\u0080T¢\u0006\u0002\n��\"\u000e\u0010\u0002\u001a\u00020\u0001X\u0080T¢\u0006\u0002\n��\"\u000e\u0010\u0003\u001a\u00020\u0001X\u0082T¢\u0006\u0002\n��\"\u001c\u0010\u0004\u001a\n \u0006*\u0004\u0018\u00010\u00050\u0005X\u0080\u0004¢\u0006\b\n��\u001a\u0004\b\u0007\u0010\b¨\u0006C"}, d2 = {"DEFAULT", "", "DP_DEFAULT_ANSWER", "HOSTNAME_FORMAT", "logger", "Lorg/slf4j/Logger;", "kotlin.jvm.PlatformType", "getLogger", "()Lorg/slf4j/Logger;", "certPathToString", "certPath", "", "Ljava/security/cert/X509Certificate;", 
"([Ljava/security/cert/X509Certificate;)Ljava/lang/String;", "createAndInitSslContext", "Ljavax/net/ssl/SSLContext;", "keyManagerFactory", "Ljavax/net/ssl/KeyManagerFactory;", "trustManagerFactory", "Ljavax/net/ssl/TrustManagerFactory;", "createClientOpenSslHandler", "Lio/netty/handler/ssl/SslHandler;", "target", "Lnet/corda/core/utilities/NetworkHostAndPort;", "expectedRemoteLegalNames", "", "Lnet/corda/core/identity/CordaX500Name;", "alloc", "Lio/netty/buffer/ByteBufAllocator;", "delegateTaskExecutor", "Ljava/util/concurrent/Executor;", "createClientSslHandler", "createServerOpenSslHandler", "createServerSNIOpenSniHandler", "Lio/netty/handler/ssl/SniHandler;", "keyManagerFactoriesMap", "", "createServerSslHandler", "keyStore", "Lnet/corda/nodeapi/internal/config/CertificateStore;", "getServerSslContextBuilder", "Lio/netty/handler/ssl/SslContextBuilder;", "splitKeystore", "Lnet/corda/nodeapi/internal/protonwrapper/netty/CertHoldingKeyManagerFactoryWrapper;", "config", "Lnet/corda/nodeapi/internal/protonwrapper/netty/AMQPConfiguration;", "sslDelegatedTaskExecutor", "Ljava/util/concurrent/ThreadPoolExecutor;", "parentPoolName", "trustStore", "trustManagerFactoryWithRevocation", "revocationConfig", "Lnet/corda/nodeapi/internal/protonwrapper/netty/RevocationConfig;", "crlSource", "Lnet/corda/nodeapi/internal/protonwrapper/netty/CrlSource;", "x500toHostName", "x500Name", "distributionPoints", "Ljava/net/URI;", "", "Ljavax/security/auth/x500/X500Principal;", "distributionPointsToString", "init", "", "toAsn1Object", "Lorg/bouncycastle/asn1/ASN1Primitive;", "", "node-api"})
@SourceDebugExtension({"SMAP\nSSLHelper.kt\nKotlin\n*S Kotlin\n*F\n+ 1 SSLHelper.kt\nnet/corda/nodeapi/internal/protonwrapper/netty/SSLHelperKt\n+ 2 KotlinUtils.kt\nnet/corda/core/utilities/KotlinUtilsKt\n+ 3 _Arrays.kt\nkotlin/collections/ArraysKt___ArraysKt\n+ 4 fake.kt\nkotlin/jvm/internal/FakeKt\n+ 5 ArraysJVM.kt\nkotlin/collections/ArraysKt__ArraysJVMKt\n+ 6 _Maps.kt\nkotlin/collections/MapsKt___MapsKt\n+ 7 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n*L\n1#1,355:1\n50#2,2:356\n11383#3,9:358\n13309#3:367\n13310#3:369\n11392#3:370\n11065#3:383\n11400#3,3:384\n1#4:368\n37#5,2:371\n37#5,2:373\n37#5,2:375\n37#5,2:377\n37#5,2:379\n37#5,2:381\n37#5,2:387\n215#6,2:389\n1179#7,2:391\n1253#7,4:393\n*S KotlinDebug\n*F\n+ 1 SSLHelper.kt\nnet/corda/nodeapi/internal/protonwrapper/netty/SSLHelperKt\n*L\n66#1:356,2\n91#1:358,9\n91#1:367\n91#1:369\n91#1:370\n261#1:383\n261#1:384,3\n91#1:368\n201#1:371,2\n202#1:373,2\n220#1:375,2\n221#1:377,2\n238#1:379,2\n239#1:381,2\n262#1:387,2\n275#1:389,2\n293#1:391,2\n293#1:393,4\n*E\n"})
/* loaded from: input_file:net/corda/nodeapi/internal/protonwrapper/netty/SSLHelperKt.class */
public final class SSLHelperKt {

    // Template for the host name that x500toHostName derives from a legal name; the single
    // placeholder receives the lower-cased hash prefix. The result is used as the TLS SNI value.
    @NotNull
    private static final String HOSTNAME_FORMAT = "%s.corda.net";

    // Not referenced anywhere in this class; presumably consumed by other classes in the package.
    @NotNull
    public static final String DEFAULT = "default";

    // Placeholder logged by distributionPoints when the CRL distribution points extension is absent,
    // and returned by distributionPointsToString whenever no distribution point URI was found.
    @NotNull
    public static final String DP_DEFAULT_ANSWER = "NO CRLDP ext";
    // Shared logger; the name is that of the original Kotlin file rather than of this facade class.
    private static final Logger logger = LoggerFactory.getLogger("net.corda.nodeapi.internal.protonwrapper.netty.SSLHelper");

    /* compiled from: SSLHelper.kt */
    // Compiler-generated lookup table for the switch over RevocationConfig.Mode in
    // trustManagerFactoryWithRevocation: it maps each constant's ordinal to the case labels 1..4.
    // Security-relevant reading aid: 1 = OFF, 2 = EXTERNAL_SOURCE, 3 = SOFT_FAIL, 4 = HARD_FAIL.
    @Metadata(mv = {1, 9, 0}, k = 3, xi = 48)
    /* loaded from: input_file:net/corda/nodeapi/internal/protonwrapper/netty/SSLHelperKt$WhenMappings.class */
    public /* synthetic */ class WhenMappings {
        // Indexed by RevocationConfig.Mode ordinal; a slot left at 0 matches no case label, so the
        // switch in trustManagerFactoryWithRevocation falls through to its default branch.
        public static final /* synthetic */ int[] $EnumSwitchMapping$0;

        static {
            int[] iArr = new int[RevocationConfig.Mode.values().length];
            // Each constant is looked up in its own try block so that a NoSuchFieldError for one
            // constant leaves only that slot unmapped instead of failing class initialisation.
            try {
                iArr[RevocationConfig.Mode.OFF.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                iArr[RevocationConfig.Mode.EXTERNAL_SOURCE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                iArr[RevocationConfig.Mode.SOFT_FAIL.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                iArr[RevocationConfig.Mode.HARD_FAIL.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            $EnumSwitchMapping$0 = iArr;
        }
    }

    /**
     * Returns the logger shared by the TLS helper functions in this class.
     *
     * @return the static logger instance
     */
    public static final Logger getLogger() {
        return logger;
    }

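    /**
     * Extracts the CRL distribution point URIs advertised by a certificate.
     *
     * <p>Only distribution points whose name has type {@code fullName} are considered, and within
     * those only {@code uniformResourceIdentifier} entries become keys of the result. Each URI is
     * mapped to the directory names found in that distribution point's {@code cRLIssuer} field, or
     * to {@code null} when the field is absent.
     *
     * <p>The extension bytes come straight from the certificate, so their content is chosen by
     * whoever issued it. A missing extension, or one whose outer wrapper is not an OCTET STRING,
     * yields an empty map. Decoding errors and URI strings that {@link URI} rejects are not caught
     * here and propagate to the caller, which has to decide whether that counts as a revocation
     * check failure.
     *
     * @param x509Certificate certificate to inspect
     * @return map from CRL URI to the CRL issuer names (a value may be {@code null}); empty when
     *         the certificate carries no usable CRL distribution points extension
     */
    @NotNull
    public static final Map<URI, List<X500Principal>> distributionPoints(@NotNull X509Certificate x509Certificate) {
        Intrinsics.checkNotNullParameter(x509Certificate, "<this>");
        if (logger.isDebugEnabled()) {
            logger.debug("Checking CRLDPs for " + x509Certificate.getSubjectX500Principal());
        }
        byte[] extensionValue = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        if (extensionValue == null) {
            logger.debug(DP_DEFAULT_ANSWER);
            return MapsKt.emptyMap();
        }
        // getExtensionValue hands back the extension wrapped in a DER OCTET STRING; unwrap it first.
        ASN1Primitive wrapper = toAsn1Object(extensionValue);
        if (!(wrapper instanceof DEROctetString)) {
            logger.error("Expected to have DEROctetString, actual type: " + wrapper.getClass());
            return MapsKt.emptyMap();
        }
        byte[] octets = ((DEROctetString) wrapper).getOctets();
        Intrinsics.checkNotNullExpressionValue(octets, "getOctets(...)");
        ASN1Primitive payload = toAsn1Object(octets);
        CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(payload);
        if (crlDistPoint == null) {
            logger.error("Could not instantiate CRLDistPoint, from: " + payload);
            return MapsKt.emptyMap();
        }
        Map<URI, List<X500Principal>> result = new HashMap<>();
        DistributionPoint[] points = crlDistPoint.getDistributionPoints();
        Intrinsics.checkNotNullExpressionValue(points, "getDistributionPoints(...)");
        for (DistributionPoint point : points) {
            DistributionPointName pointName = point.getDistributionPoint();
            // Names relative to the CRL issuer (and points without a name) carry no URI to fetch.
            if (pointName == null || pointName.getType() != DistributionPointName.FULL_NAME) {
                continue;
            }
            List<X500Principal> issuers = null;
            GeneralNames crlIssuer = point.getCRLIssuer();
            GeneralName[] issuerNames = crlIssuer == null ? null : crlIssuer.getNames();
            if (issuerNames != null) {
                issuers = new ArrayList<>();
                for (GeneralName issuerName : issuerNames) {
                    if (issuerName.getTagNo() == GeneralName.directoryName) {
                        issuers.add(new X500Principal(X500Name.getInstance(issuerName.getName()).getEncoded()));
                    }
                }
            }
            GeneralName[] locations = GeneralNames.getInstance(pointName.getName()).getNames();
            Intrinsics.checkNotNullExpressionValue(locations, "getNames(...)");
            for (GeneralName location : locations) {
                if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
                    // A later distribution point naming the same URI replaces the earlier issuer list.
                    result.put(new URI(ASN1IA5String.getInstance(location.getName()).getString()), issuers);
                }
            }
        }
        return result;
    }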

    /**
     * Renders the CRL distribution point URIs of a certificate as one comma-separated string.
     *
     * <p>The URIs are listed in their natural order. When {@code distributionPoints} finds none,
     * the {@code DP_DEFAULT_ANSWER} placeholder is returned; that covers both a certificate without
     * the extension and one whose extension could not be interpreted.
     *
     * @param x509Certificate certificate to describe
     * @return the sorted URIs joined with {@code ", "}, or the placeholder when there are none
     */
    @NotNull
    public static final String distributionPointsToString(@NotNull X509Certificate x509Certificate) {
        Intrinsics.checkNotNullParameter(x509Certificate, "<this>");
        Set<URI> uris = distributionPoints(x509Certificate).keySet();
        if (uris.isEmpty()) {
            return DP_DEFAULT_ANSWER;
        }
        List<URI> ordered = new ArrayList<>(uris);
        Collections.sort(ordered);
        StringBuilder joined = new StringBuilder();
        boolean first = true;
        for (URI uri : ordered) {
            if (!first) {
                joined.append(", ");
            }
            first = false;
            joined.append(uri.toString());
        }
        return joined.toString();
    }

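    /**
     * Decodes the first ASN.1 object found in a byte array.
     *
     * <p>Only one object is read; any bytes that follow it are not inspected. The callers in this
     * class pass certificate extension bytes, so the input should be treated as externally supplied
     * data. Decoding errors raised by the stream propagate to the caller.
     *
     * @param bArr encoded ASN.1 data
     * @return the decoded object
     * @throws NullPointerException if the array contains no object at all
     */
    @NotNull
    public static final ASN1Primitive toAsn1Object(@NotNull byte[] bArr) {
        Intrinsics.checkNotNullParameter(bArr, "<this>");
        // Closing is cheap for an in-memory stream, and it keeps the decoder from being left open.
        try (ASN1InputStream decoder = new ASN1InputStream(bArr)) {
            ASN1Primitive decoded = decoder.readObject();
            Intrinsics.checkNotNullExpressionValue(decoded, "readObject(...)");
            return decoded;
        }
    }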

    /**
     * Formats a certificate chain for log output, one certificate per line.
     *
     * <p>Each line is indented by two spaces and holds the short description produced by
     * {@code X509UtilitiesKt.toSimpleString}.
     *
     * @param x509CertificateArr the chain to describe, may be {@code null}
     * @return the formatted chain, an empty string for an empty array, or {@code "<empty certpath>"}
     *         when the array itself is {@code null}
     */
    @NotNull
    public static final String certPathToString(@Nullable X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null) {
            return "<empty certpath>";
        }
        String separator = System.lineSeparator();
        Intrinsics.checkNotNullExpressionValue(separator, "lineSeparator(...)");
        StringBuilder rendered = new StringBuilder();
        boolean first = true;
        for (X509Certificate certificate : x509CertificateArr) {
            if (!first) {
                rendered.append(separator);
            }
            first = false;
            Intrinsics.checkNotNullParameter(certificate, "it");
            rendered.append("  " + X509UtilitiesKt.toSimpleString(certificate));
        }
        return rendered.toString();
    }

    /**
     * Creates the thread pool that runs the delegated tasks of the TLS handlers.
     *
     * <p>The pool is named after the parent pool with {@code "-ssltask"} appended. Only the first
     * and the fifth argument of the helper are supplied; the default mask {@code 110} leaves every
     * other argument at the helper's own default.
     *
     * @param str name of the parent pool
     * @return the executor returned by {@code NodeApiUtilsKt.namedThreadPoolExecutor}
     */
    @NotNull
    public static final ThreadPoolExecutor sslDelegatedTaskExecutor(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "parentPoolName");
        String poolName = str + "-ssltask";
        // NOTE(review): the leading 3 is presumably the pool size bound; confirm against NodeApiUtils.
        return NodeApiUtilsKt.namedThreadPoolExecutor$default(3, 0, null, null, poolName, false, 0, 110, null);
    }

    /**
     * Builds the client-side TLS handler on top of the JDK TLS implementation.
     *
     * <p>The engine is restricted to the protocol versions and cipher suites published by
     * {@code ArtemisTcpTransport}. An SNI host name derived from the expected legal name is sent
     * only when exactly one name is expected; with zero or several names no SNI is sent.
     *
     * <p>NOTE(review): the expected legal names are used for SNI only and no endpoint
     * identification algorithm is set on the engine in this method, so checking the peer
     * certificate against the expected names is presumably done by the caller; confirm.
     *
     * @param networkHostAndPort address of the peer, passed to the engine as advisory host and port
     * @param set legal names the remote side is expected to present
     * @param keyManagerFactory source of the local identity
     * @param trustManagerFactory source of the trust decisions
     * @param executor executor for the handler's delegated tasks
     * @return a handler wrapping the configured client engine, with STARTTLS disabled
     */
    @NotNull
    public static final SslHandler createClientSslHandler(@NotNull NetworkHostAndPort networkHostAndPort, @NotNull Set<CordaX500Name> set, @NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory, @NotNull Executor executor) {
        Intrinsics.checkNotNullParameter(networkHostAndPort, "target");
        Intrinsics.checkNotNullParameter(set, "expectedRemoteLegalNames");
        Intrinsics.checkNotNullParameter(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkNotNullParameter(trustManagerFactory, "trustManagerFactory");
        Intrinsics.checkNotNullParameter(executor, "delegateTaskExecutor");
        SSLContext context = createAndInitSslContext(keyManagerFactory, trustManagerFactory);
        SSLEngine engine = context.createSSLEngine(networkHostAndPort.getHost(), networkHostAndPort.getPort());
        engine.setUseClientMode(true);
        String[] protocols = (String[]) ArtemisTcpTransport.Companion.getTLS_VERSIONS().toArray(new String[0]);
        engine.setEnabledProtocols(protocols);
        String[] cipherSuites = (String[]) ArtemisTcpTransport.Companion.getCIPHER_SUITES().toArray(new String[0]);
        engine.setEnabledCipherSuites(cipherSuites);
        engine.setEnableSessionCreation(true);
        boolean singleExpectedPeer = set.size() == 1;
        if (singleExpectedPeer) {
            // Lets a server that hosts several identities pick the certificate this client expects.
            SSLParameters parameters = engine.getSSLParameters();
            SNIHostName sniName = new SNIHostName(x500toHostName((CordaX500Name) CollectionsKt.single(set)));
            parameters.setServerNames(Collections.singletonList(sniName));
            engine.setSSLParameters(parameters);
        }
        return new SslHandler(engine, false, executor);
    }

    /**
     * Builds the client-side TLS handler on top of Netty's OpenSSL provider.
     *
     * <p>The trust manager factory is wrapped in {@code LoggingTrustManagerFactoryWrapper}. The
     * protocol versions and cipher suites from {@code ArtemisTcpTransport} are applied to the engine
     * after it has been created. An SNI host name derived from the expected legal name is sent only
     * when exactly one name is expected.
     *
     * <p>NOTE(review): as in the JDK variant, the expected legal names drive SNI only and no
     * endpoint identification algorithm is set here; the comparison of the peer certificate with
     * the expected names presumably happens in the caller; confirm.
     *
     * @param networkHostAndPort address of the peer, passed to the engine as advisory host and port
     * @param set legal names the remote side is expected to present
     * @param keyManagerFactory source of the local identity
     * @param trustManagerFactory source of the trust decisions
     * @param byteBufAllocator allocator used by the OpenSSL engine
     * @param executor executor for the handler's delegated tasks
     * @return a handler wrapping the configured client engine, with STARTTLS disabled
     */
    @NotNull
    public static final SslHandler createClientOpenSslHandler(@NotNull NetworkHostAndPort networkHostAndPort, @NotNull Set<CordaX500Name> set, @NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory, @NotNull ByteBufAllocator byteBufAllocator, @NotNull Executor executor) {
        Intrinsics.checkNotNullParameter(networkHostAndPort, "target");
        Intrinsics.checkNotNullParameter(set, "expectedRemoteLegalNames");
        Intrinsics.checkNotNullParameter(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkNotNullParameter(trustManagerFactory, "trustManagerFactory");
        Intrinsics.checkNotNullParameter(byteBufAllocator, "alloc");
        Intrinsics.checkNotNullParameter(executor, "delegateTaskExecutor");
        SslContextBuilder contextBuilder = SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL)
                .keyManager(keyManagerFactory)
                .trustManager(new LoggingTrustManagerFactoryWrapper(trustManagerFactory));
        SSLEngine engine = contextBuilder.build().newEngine(byteBufAllocator, networkHostAndPort.getHost(), networkHostAndPort.getPort());
        String[] protocols = (String[]) ArtemisTcpTransport.Companion.getTLS_VERSIONS().toArray(new String[0]);
        engine.setEnabledProtocols(protocols);
        String[] cipherSuites = (String[]) ArtemisTcpTransport.Companion.getCIPHER_SUITES().toArray(new String[0]);
        engine.setEnabledCipherSuites(cipherSuites);
        boolean singleExpectedPeer = set.size() == 1;
        if (singleExpectedPeer) {
            // Lets a server that hosts several identities pick the certificate this client expects.
            SSLParameters parameters = engine.getSSLParameters();
            SNIHostName sniName = new SNIHostName(x500toHostName((CordaX500Name) CollectionsKt.single(set)));
            parameters.setServerNames(Collections.singletonList(sniName));
            engine.setSSLParameters(parameters);
        }
        return new SslHandler(engine, false, executor);
    }

    /**
     * Builds the server-side TLS handler on top of the JDK TLS implementation.
     *
     * <p>Client authentication is mandatory, so a peer that presents no certificate cannot
     * complete the handshake. The engine is restricted to the protocol versions and cipher suites
     * published by {@code ArtemisTcpTransport}, and a {@code ServerSNIMatcher} built from the key
     * store is installed as the only SNI matcher.
     *
     * @param certificateStore key store handed to the SNI matcher
     * @param keyManagerFactory source of the local identity
     * @param trustManagerFactory source of the trust decisions for client certificates
     * @param executor executor for the handler's delegated tasks
     * @return a handler wrapping the configured server engine, with STARTTLS disabled
     */
    @NotNull
    public static final SslHandler createServerSslHandler(@NotNull CertificateStore certificateStore, @NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory, @NotNull Executor executor) {
        Intrinsics.checkNotNullParameter(certificateStore, "keyStore");
        Intrinsics.checkNotNullParameter(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkNotNullParameter(trustManagerFactory, "trustManagerFactory");
        Intrinsics.checkNotNullParameter(executor, "delegateTaskExecutor");
        SSLContext context = createAndInitSslContext(keyManagerFactory, trustManagerFactory);
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        // Mutual TLS: the handshake fails unless the client authenticates with a certificate.
        engine.setNeedClientAuth(true);
        String[] protocols = (String[]) ArtemisTcpTransport.Companion.getTLS_VERSIONS().toArray(new String[0]);
        engine.setEnabledProtocols(protocols);
        String[] cipherSuites = (String[]) ArtemisTcpTransport.Companion.getCIPHER_SUITES().toArray(new String[0]);
        engine.setEnabledCipherSuites(cipherSuites);
        engine.setEnableSessionCreation(true);
        SSLParameters parameters = engine.getSSLParameters();
        ServerSNIMatcher sniMatcher = new ServerSNIMatcher(certificateStore);
        parameters.setSNIMatchers(Collections.singletonList(sniMatcher));
        engine.setSSLParameters(parameters);
        return new SslHandler(engine, false, executor);
    }

    /**
     * Builds the server-side TLS handler on top of Netty's OpenSSL provider.
     *
     * <p>All TLS settings (required client authentication, cipher suites, protocol versions, the
     * logging trust manager wrapper) come from {@code getServerSslContextBuilder}; this method only
     * creates the engine and wraps it.
     *
     * @param keyManagerFactory source of the local identity
     * @param trustManagerFactory source of the trust decisions for client certificates
     * @param byteBufAllocator allocator used by the OpenSSL engine
     * @param executor executor for the handler's delegated tasks
     * @return a handler wrapping the server engine, with STARTTLS disabled
     */
    @NotNull
    public static final SslHandler createServerOpenSslHandler(@NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory, @NotNull ByteBufAllocator byteBufAllocator, @NotNull Executor executor) {
        Intrinsics.checkNotNullParameter(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkNotNullParameter(trustManagerFactory, "trustManagerFactory");
        Intrinsics.checkNotNullParameter(byteBufAllocator, "alloc");
        Intrinsics.checkNotNullParameter(executor, "delegateTaskExecutor");
        SslContextBuilder contextBuilder = getServerSslContextBuilder(keyManagerFactory, trustManagerFactory);
        SSLEngine engine = contextBuilder.build().newEngine(byteBufAllocator);
        engine.setUseClientMode(false);
        return new SslHandler(engine, false, executor);
    }

    /**
     * Creates a JDK {@code SSLContext} from the given key and trust manager factories.
     *
     * <p>Every {@code X509ExtendedTrustManager} supplied by the trust manager factory is wrapped in
     * a {@code LoggingTrustManagerWrapper}; other trust managers are passed through unchanged.
     *
     * <p>Security note: when {@code trustManagerFactory} is {@code null}, or it returns no trust
     * managers, {@code null} is handed to {@link SSLContext#init}. The JDK then falls back to the
     * trust managers of the installed security providers, so certificates are judged against the
     * JVM's default trust store rather than a store chosen by the caller. Callers that need a
     * specific trust root must pass a non-null factory.
     *
     * @param keyManagerFactory source of the local identity
     * @param trustManagerFactory source of the trust decisions, may be {@code null}
     * @return the initialised context
     */
    @NotNull
    public static final SSLContext createAndInitSslContext(@NotNull KeyManagerFactory keyManagerFactory, @Nullable TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkNotNullParameter(keyManagerFactory, "keyManagerFactory");
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManager[] wrapped = null;
        TrustManager[] delegates = trustManagerFactory != null ? trustManagerFactory.getTrustManagers() : null;
        if (delegates != null) {
            wrapped = new TrustManager[delegates.length];
            for (int i = 0; i < delegates.length; i++) {
                TrustManager delegate = delegates[i];
                if (delegate instanceof X509ExtendedTrustManager) {
                    wrapped[i] = new LoggingTrustManagerWrapper((X509ExtendedTrustManager) delegate);
                } else {
                    wrapped[i] = delegate;
                }
            }
        }
        context.init(keyManagerFactory.getKeyManagers(), wrapped, CryptoUtils.newSecureRandom());
        Intrinsics.checkNotNull(context);
        return context;
    }

    /**
     * Builds an SNI handler that selects a server TLS context by the host name the client asks for.
     *
     * <p>One context is built per map entry and registered under the entry's key. The context built
     * from the first value in the map's iteration order is registered as the default of the
     * mapping, so the identity presented for an SNI name that matches no entry depends on the
     * ordering of the map that is passed in. All contexts share the settings of
     * {@code getServerSslContextBuilder}, including mandatory client authentication.
     *
     * @param map key manager factories keyed by SNI host name; must not be empty
     * @param trustManagerFactory source of the trust decisions for client certificates
     * @return the SNI handler
     * @throws java.util.NoSuchElementException if {@code map} is empty
     */
    @NotNull
    public static final SniHandler createServerSNIOpenSniHandler(@NotNull Map<String, ? extends KeyManagerFactory> map, @NotNull TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkNotNullParameter(map, "keyManagerFactoriesMap");
        Intrinsics.checkNotNullParameter(trustManagerFactory, "trustManagerFactory");
        KeyManagerFactory fallbackKeys = (KeyManagerFactory) CollectionsKt.first(map.values());
        SslContextBuilder contextBuilder = getServerSslContextBuilder(fallbackKeys, trustManagerFactory);
        DomainWildcardMappingBuilder<io.netty.handler.ssl.SslContext> mapping = new DomainWildcardMappingBuilder<>(contextBuilder.build());
        for (Map.Entry<String, ? extends KeyManagerFactory> entry : map.entrySet()) {
            String hostName = entry.getKey();
            KeyManagerFactory keys = entry.getValue();
            // The builder is reused: only its key manager changes between the contexts it builds.
            mapping.add(hostName, contextBuilder.keyManager(keys).build());
        }
        return new SniHandler(mapping.build());
    }

    /**
     * Creates the builder shared by all OpenSSL-based server contexts.
     *
     * <p>The builder selects the OpenSSL provider, wraps the trust manager factory in
     * {@code LoggingTrustManagerFactoryWrapper}, requires client authentication, and limits cipher
     * suites and protocol versions to the lists published by {@code ArtemisTcpTransport}.
     *
     * @param keyManagerFactory source of the server identity
     * @param trustManagerFactory source of the trust decisions for client certificates
     * @return the configured builder
     */
    private static final SslContextBuilder getServerSslContextBuilder(KeyManagerFactory keyManagerFactory, TrustManagerFactory trustManagerFactory) {
        SslContextBuilder builder = SslContextBuilder.forServer(keyManagerFactory);
        builder = builder.sslProvider(SslProvider.OPENSSL);
        builder = builder.trustManager(new LoggingTrustManagerFactoryWrapper(trustManagerFactory));
        // Mutual TLS: clients without an acceptable certificate are rejected during the handshake.
        builder = builder.clientAuth(ClientAuth.REQUIRE);
        builder = builder.ciphers(ArtemisTcpTransport.Companion.getCIPHER_SUITES());
        builder = builder.protocols(ArtemisTcpTransport.Companion.getTLS_VERSIONS());
        Intrinsics.checkNotNullExpressionValue(builder, "protocols(...)");
        return builder;
    }

    /**
     * Splits the configured key store into one key manager factory per alias.
     *
     * <p>For every alias the key and certificate chain are copied into a fresh in-memory key store
     * protected by the same entry password, and a key manager factory is initialised from it. The
     * result is keyed by the SNI host name derived from the subject of the alias's certificate and
     * keeps the order in which the key store enumerates its aliases. Two aliases whose subjects
     * yield the same host name collapse into one entry, the later one winning.
     *
     * <p>NOTE(review): every alias is treated as a key entry and the result of {@code getKey} is
     * not checked before it is stored; presumably the store holds key entries only; confirm.
     * The password copy in the local {@code char[]} is not wiped, and the password is also held
     * as a {@code String} by the certificate store.
     *
     * @param aMQPConfiguration configuration that supplies the key store and its entry password
     * @return key manager factory wrappers keyed by derived SNI host name
     */
    @NotNull
    public static final Map<String, CertHoldingKeyManagerFactoryWrapper> splitKeystore(@NotNull AMQPConfiguration aMQPConfiguration) {
        Intrinsics.checkNotNullParameter(aMQPConfiguration, "config");
        KeyStore source = aMQPConfiguration.getKeyStore().getValue().getInternal();
        char[] entryPassword = aMQPConfiguration.getKeyStore().getEntryPassword().toCharArray();
        Intrinsics.checkNotNullExpressionValue(entryPassword, "toCharArray(...)");
        Enumeration<String> aliasEnumeration = source.aliases();
        Intrinsics.checkNotNullExpressionValue(aliasEnumeration, "aliases(...)");
        List<String> aliases = Collections.list(aliasEnumeration);
        Intrinsics.checkNotNullExpressionValue(aliases, "list(...)");
        int capacity = Math.max(MapsKt.mapCapacity(aliases.size()), 16);
        Map<String, CertHoldingKeyManagerFactoryWrapper> byHostName = new LinkedHashMap<>(capacity);
        for (String alias : aliases) {
            Key privateKey = source.getKey(alias, entryPassword);
            Certificate[] chain = source.getCertificateChain(alias);
            Certificate leaf = source.getCertificate(alias);
            Intrinsics.checkNotNullExpressionValue(leaf, "getCertificate(...)");
            X500Principal subject = X509UtilitiesKt.getX509(leaf).getSubjectX500Principal();
            CordaX500Name.Companion nameFactory = CordaX500Name.Companion;
            Intrinsics.checkNotNull(subject);
            CordaX500Name legalName = nameFactory.build(subject);
            // A single-entry store, so the key manager built from it can offer only this identity.
            KeyStore singleEntryStore = KeyStore.getInstance(KeyStoreUtilities.KEYSTORE_TYPE);
            singleEntryStore.load(null);
            singleEntryStore.setKeyEntry(alias, privateKey, entryPassword, chain);
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(singleEntryStore, entryPassword);
            String hostName = x500toHostName(legalName);
            Intrinsics.checkNotNull(factory);
            byHostName.put(hostName, new CertHoldingKeyManagerFactoryWrapper(factory, aMQPConfiguration));
        }
        return byHostName;
    }

    /**
     * Initialises a key manager factory from a certificate store.
     *
     * <p>The store's entry password is used as the key password for the whole store.
     *
     * @param keyManagerFactory factory to initialise
     * @param certificateStore store that supplies the key store and its entry password
     */
    public static final void init(@NotNull KeyManagerFactory keyManagerFactory, @NotNull CertificateStore certificateStore) {
        Intrinsics.checkNotNullParameter(keyManagerFactory, "<this>");
        Intrinsics.checkNotNullParameter(certificateStore, "keyStore");
        KeyStore backingStore = certificateStore.getValue().getInternal();
        char[] entryPassword = certificateStore.getEntryPassword().toCharArray();
        Intrinsics.checkNotNullExpressionValue(entryPassword, "toCharArray(...)");
        keyManagerFactory.init(backingStore, entryPassword);
    }

    /**
     * Creates a key manager factory of the JVM's default algorithm and initialises it from a
     * certificate store.
     *
     * @param certificateStore store that supplies the key store and its entry password
     * @return the initialised factory
     */
    @NotNull
    public static final KeyManagerFactory keyManagerFactory(@NotNull CertificateStore certificateStore) {
        Intrinsics.checkNotNullParameter(certificateStore, "keyStore");
        String algorithm = KeyManagerFactory.getDefaultAlgorithm();
        KeyManagerFactory factory = KeyManagerFactory.getInstance(algorithm);
        Intrinsics.checkNotNull(factory);
        init(factory, certificateStore);
        return factory;
    }

    /**
     * Creates a trust manager factory of the JVM's default algorithm from a trust store.
     *
     * <p>The factory is initialised from the key store alone; no certificate path checker is
     * attached here. Use {@code trustManagerFactoryWithRevocation} when a revocation checker has to
     * take part in path validation.
     *
     * @param certificateStore store that supplies the trusted certificates
     * @return the initialised factory
     */
    @NotNull
    public static final TrustManagerFactory trustManagerFactory(@NotNull CertificateStore certificateStore) {
        Intrinsics.checkNotNullParameter(certificateStore, "trustStore");
        String algorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
        factory.init(certificateStore.getValue().getInternal());
        Intrinsics.checkNotNull(factory);
        return factory;
    }

    /**
     * Creates a trust manager factory whose path validation includes a revocation checker chosen by
     * the revocation mode.
     *
     * <ul>
     *   <li>{@code OFF}: installs {@code AllowAllRevocationChecker}; {@code crlSource} is unused.</li>
     *   <li>{@code EXTERNAL_SOURCE}: uses the CRL source from the configuration, which must be
     *       present; {@code crlSource} is unused.</li>
     *   <li>{@code SOFT_FAIL} and {@code HARD_FAIL}: use {@code crlSource}.</li>
     * </ul>
     *
     * <p>NOTE(review): the boolean passed to {@code CordaRevocationChecker} is {@code true} for
     * {@code EXTERNAL_SOURCE} and {@code SOFT_FAIL} and {@code false} for {@code HARD_FAIL}. It is
     * presumably the soft-fail flag, which would mean an external CRL source is always evaluated in
     * soft-fail fashion; confirm against {@code CordaRevocationChecker}.
     *
     * @param certificateStore store that supplies the trust anchors
     * @param revocationConfig selects the revocation mode and, for {@code EXTERNAL_SOURCE}, the source
     * @param crlSource CRL source used by the {@code SOFT_FAIL} and {@code HARD_FAIL} modes
     * @return the initialised factory
     * @throws IllegalArgumentException if the mode is {@code EXTERNAL_SOURCE} and no external CRL
     *         source is configured
     */
    @NotNull
    public static final TrustManagerFactory trustManagerFactoryWithRevocation(@NotNull CertificateStore certificateStore, @NotNull RevocationConfig revocationConfig, @NotNull CrlSource crlSource) {
        Intrinsics.checkNotNullParameter(certificateStore, "trustStore");
        Intrinsics.checkNotNullParameter(revocationConfig, "revocationConfig");
        Intrinsics.checkNotNullParameter(crlSource, "crlSource");
        PKIXCertPathChecker revocationChecker;
        switch (revocationConfig.getMode()) {
            case OFF:
                // Revocation is not checked at all in this mode.
                revocationChecker = AllowAllRevocationChecker.INSTANCE;
                break;
            case EXTERNAL_SOURCE: {
                CrlSource external = revocationConfig.getExternalCrlSource();
                if (external == null) {
                    throw new IllegalArgumentException("externalCrlSource must be specfied for EXTERNAL_SOURCE".toString());
                }
                revocationChecker = new CordaRevocationChecker(external, true, null, 4, null);
                break;
            }
            case SOFT_FAIL:
                revocationChecker = new CordaRevocationChecker(crlSource, true, null, 4, null);
                break;
            case HARD_FAIL:
                revocationChecker = new CordaRevocationChecker(crlSource, false, null, 4, null);
                break;
            default:
                throw new NoWhenBranchMatchedException();
        }
        PKIXBuilderParameters pathParameters = new PKIXBuilderParameters(certificateStore.getValue().getInternal(), new X509CertSelector());
        pathParameters.addCertPathChecker(revocationChecker);
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(new CertPathTrustManagerParameters(pathParameters));
        Intrinsics.checkNotNull(factory);
        return factory;
    }

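    /**
     * Derives the SNI host name that stands for a legal name.
     *
     * <p>The name's string form is hashed with SHA-256, the first 32 characters of the hash's
     * string form are lower-cased, and the result is inserted into {@code HOSTNAME_FORMAT}.
     * Clients send this value as SNI and {@code splitKeystore} uses it as a lookup key, so both
     * ends of a connection must compute exactly the same string. Lower-casing therefore uses
     * {@link Locale#ROOT} instead of the JVM's default locale, which keeps the result independent
     * of the locale a node happens to run under.
     *
     * @param cordaX500Name legal name to convert
     * @return the derived host name
     */
    @NotNull
    public static final String x500toHostName(@NotNull CordaX500Name cordaX500Name) {
        Intrinsics.checkNotNullParameter(cordaX500Name, "x500Name");
        SecureHash.SHA256 digest = SecureHash.Companion.sha256(cordaX500Name.toString());
        // NOTE(review): presumably the hash renders as hex, making this a 128-bit prefix; confirm.
        String prefix = StringsKt.take(digest.toString(), 32).toLowerCase(Locale.ROOT);
        return String.format(HOSTNAME_FORMAT, prefix);
    }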
}
