package net.corda.node.services.keys;

import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.time.Duration;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.jvm.internal.Intrinsics;
import net.corda.core.crypto.Crypto;
import net.corda.core.crypto.SignatureScheme;
import net.corda.core.identity.PartyAndCertificate;
import net.corda.core.internal.CertRole;
import net.corda.core.node.services.IdentityService;
import net.corda.core.utilities.KotlinUtilsKt;
import net.corda.node.services.api.IdentityServiceInternal;
import net.corda.nodeapi.internal.crypto.CertificateType;
import net.corda.nodeapi.internal.crypto.ContentSignerBuilder;
import net.corda.nodeapi.internal.crypto.X509Utilities;
import net.corda.nodeapi.internal.crypto.X509UtilitiesKt;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.operator.ContentSigner;
import org.jetbrains.annotations.NotNull;

/* compiled from: KMSUtils.kt */
@Metadata(mv = {1, 1, 11}, bv = {1, 0, 2}, k = 2, d1 = {"��$\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\u001a&\u0010��\u001a\u00020\u00012\u0006\u0010\u0002\u001a\u00020\u00032\u0006\u0010\u0004\u001a\u00020\u00052\u0006\u0010\u0006\u001a\u00020\u00012\u0006\u0010\u0007\u001a\u00020\b\u001a\u000e\u0010\t\u001a\u00020\b2\u0006\u0010\n\u001a\u00020\u000b¨\u0006\f"}, d2 = {"freshCertificate", "Lnet/corda/core/identity/PartyAndCertificate;", "identityService", "Lnet/corda/core/node/services/IdentityService;", "subjectPublicKey", "Ljava/security/PublicKey;", "issuer", "issuerSigner", "Lorg/bouncycastle/operator/ContentSigner;", "getSigner", "issuerKeyPair", "Ljava/security/KeyPair;", "node"})
/* loaded from: input_file:net/corda/node/services/keys/KMSUtilsKt.class */
public final class KMSUtilsKt {
    // Decompiled Java view of the top-level functions declared in KMSUtils.kt:
    // issuing a confidential-identity certificate under a well-known legal identity, and
    // building the ContentSigner used to sign such a certificate.

    /**
     * Issues a certificate of type {@code CONFIDENTIAL_LEGAL_IDENTITY} for {@code publicKey},
     * chains it onto the issuer's existing certificate path, and registers the resulting
     * identity with {@code identityService}.
     *
     * <p>Security-relevant behaviour visible in this method:
     * <ul>
     *   <li>The issuer certificate's role must be {@code LEGAL_IDENTITY}; any other role is
     *       rejected before anything is signed.</li>
     *   <li>{@code contentSigner} is supplied by the caller and is not compared here with the
     *       public key in the issuer certificate. NOTE(review): a signer/key mismatch is
     *       presumably caught by the verify-and-register call at the end; confirm in the
     *       IdentityService implementation.</li>
     *   <li>The requested validity is 3650 days. The issuer certificate is passed to
     *       {@code getCertificateValidityWindow}, presumably so the window is bounded by the
     *       issuer's own validity; confirm in X509Utilities.</li>
     * </ul>
     *
     * @param identityService service the new identity is verified by and registered with
     * @param publicKey public key the new certificate is issued for ("subjectPublicKey" in the Kotlin source)
     * @param partyAndCertificate the issuing identity ("issuer" in the Kotlin source)
     * @param contentSigner signer used for the new certificate ("issuerSigner" in the Kotlin source)
     * @return the newly created and registered identity
     * @throws IllegalArgumentException if the issuer certificate's role is not {@code LEGAL_IDENTITY}
     */
    @NotNull
    public static final PartyAndCertificate freshCertificate(@NotNull IdentityService identityService, @NotNull PublicKey publicKey, @NotNull PartyAndCertificate partyAndCertificate, @NotNull ContentSigner contentSigner) {
        Intrinsics.checkParameterIsNotNull(identityService, "identityService");
        Intrinsics.checkParameterIsNotNull(publicKey, "subjectPublicKey");
        Intrinsics.checkParameterIsNotNull(partyAndCertificate, "issuer");
        Intrinsics.checkParameterIsNotNull(contentSigner, "issuerSigner");

        // Gate on the issuer's certificate role before any signing takes place.
        CertRole issuerRole = CertRole.Companion.extract(partyAndCertificate.getCertificate());
        if (issuerRole != CertRole.LEGAL_IDENTITY) {
            throw new IllegalArgumentException("Confidential identities can only be issued from well known identities, provided issuer " + partyAndCertificate.getName() + " has role " + issuerRole);
        }

        X509Certificate issuerCert = partyAndCertificate.getCertificate();
        Duration zeroDuration = Duration.ZERO;
        Intrinsics.checkExpressionValueIsNotNull(zeroDuration, "Duration.ZERO");
        Pair validityWindow = X509Utilities.INSTANCE.getCertificateValidityWindow(zeroDuration, KotlinUtilsKt.getDays(3650), issuerCert);

        X500Principal issuerName = issuerCert.getSubjectX500Principal();
        Intrinsics.checkExpressionValueIsNotNull(issuerName, "issuerCert.subjectX500Principal");
        PublicKey issuerPublicKey = issuerCert.getPublicKey();
        Intrinsics.checkExpressionValueIsNotNull(issuerPublicKey, "issuerCert.publicKey");

        // The X.500 name passed alongside publicKey is the issuer's own name.
        // Mask 896 (bits 7-9) follows Kotlin's $default bridge convention: the three trailing
        // null placeholders are replaced by createCertificate's declared defaults, so this
        // call site sets no name constraints of its own. What the remaining two defaults
        // control is not visible here; confirm in X509Utilities.
        PartyAndCertificate confidentialIdentity = new PartyAndCertificate(
                X509Utilities.INSTANCE.buildCertPath(
                        X509Utilities.createCertificate$default(
                                X509Utilities.INSTANCE,
                                CertificateType.CONFIDENTIAL_LEGAL_IDENTITY,
                                issuerName,
                                issuerPublicKey,
                                contentSigner,
                                partyAndCertificate.getName().getX500Principal(),
                                publicKey,
                                validityWindow,
                                (NameConstraints) null,
                                (String) null,
                                (X500Name) null,
                                896,
                                (Object) null),
                        X509UtilitiesKt.getX509Certificates(partyAndCertificate.getCertPath())));

        // Internal identity services get the dedicated "new random identity" registration
        // path; any other implementation falls back to the public API.
        if (identityService instanceof IdentityServiceInternal) {
            ((IdentityServiceInternal) identityService).verifyAndRegisterNewRandomIdentity(confidentialIdentity);
        } else {
            identityService.verifyAndRegisterIdentity(confidentialIdentity);
        }
        return confidentialIdentity;
    }

    /**
     * Builds a {@link ContentSigner} for the private half of {@code keyPair}.
     *
     * <p>The signature scheme is derived from the private key itself, and the JCA provider is
     * looked up by the name that scheme reports. {@code Security.getProvider} returns
     * {@code null} when no provider of that name is installed; the non-null check on
     * "provider" then fails fast rather than silently signing with a different provider.
     *
     * @param keyPair key pair whose private key will sign ("issuerKeyPair" in the Kotlin source)
     * @return a signer bound to the key's signature scheme and provider
     */
    @NotNull
    public static final ContentSigner getSigner(@NotNull KeyPair keyPair) {
        Intrinsics.checkParameterIsNotNull(keyPair, "issuerKeyPair");
        PrivateKey signingKey = keyPair.getPrivate();
        Intrinsics.checkExpressionValueIsNotNull(signingKey, "issuerKeyPair.private");

        SignatureScheme scheme = Crypto.findSignatureScheme(signingKey);
        Provider jcaProvider = Security.getProvider(scheme.getProviderName());
        Intrinsics.checkExpressionValueIsNotNull(jcaProvider, "provider");

        // Mask 24 (bits 3-4) makes the $default bridge substitute ContentSignerBuilder's own
        // defaults for the SecureRandom and boolean arguments, so the null/false written here
        // are placeholders only. NOTE(review): which random source that default selects is
        // not visible from this file; confirm in ContentSignerBuilder.
        return ContentSignerBuilder.build$default(ContentSignerBuilder.INSTANCE, scheme, signingKey, jcaProvider, (SecureRandom) null, false, 24, (Object) null);
    }
}
