package net.corda.nodeapi.internal.cryptoservice.bouncycastle;

import java.nio.file.Path;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.security.auth.x500.X500Principal;
import kotlin.Lazy;
import kotlin.LazyKt;
import kotlin.Metadata;
import kotlin.NoWhenBranchMatchedException;
import kotlin.Pair;
import kotlin.TypeCastException;
import kotlin.Unit;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.PropertyReference1Impl;
import kotlin.jvm.internal.Reflection;
import kotlin.reflect.KProperty;
import net.corda.core.crypto.Crypto;
import net.corda.core.crypto.CryptoUtils;
import net.corda.core.crypto.SecureHashKt;
import net.corda.core.crypto.SignatureScheme;
import net.corda.core.crypto.internal.Instances;
import net.corda.core.crypto.internal.ProviderMapKt;
import net.corda.core.utilities.KotlinUtilsKt;
import net.corda.nodeapi.internal.config.CertificateStore;
import net.corda.nodeapi.internal.config.CertificateStoreSupplier;
import net.corda.nodeapi.internal.crypto.ContentSignerBuilder;
import net.corda.nodeapi.internal.crypto.KeyStoreUtilities;
import net.corda.nodeapi.internal.crypto.X509KeyStore;
import net.corda.nodeapi.internal.crypto.X509Utilities;
import net.corda.nodeapi.internal.cryptoservice.CryptoService;
import net.corda.nodeapi.internal.cryptoservice.CryptoServiceException;
import net.corda.nodeapi.internal.cryptoservice.WrappedPrivateKey;
import net.corda.nodeapi.internal.cryptoservice.WrappingMode;
import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
import org.bouncycastle.operator.ContentSigner;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;

/* compiled from: BCCryptoService.kt */
@Metadata(mv = {1, 1, 11}, bv = {1, 0, 2}, k = 1, d1 = {"��\u0084\u0001\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u000b\n��\n\u0002\u0010\u000e\n��\n\u0002\u0010\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0012\n\u0002\b\u0007\u0018�� :2\u00020\u0001:\u0001:B!\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\n\b\u0002\u0010\u0006\u001a\u0004\u0018\u00010\u0007¢\u0006\u0002\u0010\bJ\u0010\u0010\u0015\u001a\u00020\u00162\u0006\u0010\u0017\u001a\u00020\u0018H\u0016J\u0018\u0010\u0019\u001a\u00020\u001a2\u0006\u0010\u0017\u001a\u00020\u00182\u0006\u0010\u001b\u001a\u00020\u0016H\u0016J\b\u0010\u001c\u001a\u00020\u001dH\u0016J\b\u0010\u001e\u001a\u00020\u001dH\u0016J\u0018\u0010\u001f\u001a\u00020 2\u0006\u0010\u0017\u001a\u00020\u00182\u0006\u0010!\u001a\u00020\u001dH\u0016J$\u0010\"\u001a\u000e\u0012\u0004\u0012\u00020 \u0012\u0004\u0012\u00020$0#2\u0006\u0010%\u001a\u00020\u00182\u0006\u0010&\u001a\u00020\u001dH\u0016J\u0010\u0010'\u001a\u00020 2\u0006\u0010\u0017\u001a\u00020\u0018H\u0016J\u0010\u0010(\u001a\u00020)2\u0006\u0010\u0017\u001a\u00020\u0018H\u0016J\n\u0010*\u001a\u0004\u0018\u00010+H\u0016J\u0016\u0010,\u001a\u00020\u001a2\u0006\u0010\u0017\u001a\u00020\u00182\u0006\u0010-\u001a\u00020.J\u0010\u0010/\u001a\u00020\u00182\u0006\u0010!\u001a\u00020\u001dH\u0002J\u0010\u00100\u001a\u0002012\u0006\u0010!\u001a\u00020\u001dH\u0002J\u0006\u00102\u001a\u00020\u001aJ\"\u00103\u001a\u0002042\u0006\u0010\u0017\u001a\u00020\u00182\u0006\u00105\u001a\u0002042\b\u00106\u001a\u0004\u0018\u00010\u0018H\u0016J 
\u00103\u001a\u0002042\u0006\u0010%\u001a\u00020\u00182\u0006\u00107\u001a\u00020$2\u0006\u00108\u001a\u000204H\u0016J \u00109\u001a\u0002042\u0006\u0010\u0017\u001a\u00020\u00182\u0006\u00105\u001a\u0002042\u0006\u00106\u001a\u00020\u0018H\u0002R\u001a\u0010\t\u001a\u00020\nX\u0086\u000e¢\u0006\u000e\n��\u001a\u0004\b\u000b\u0010\f\"\u0004\b\r\u0010\u000eR\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��R\u001b\u0010\u000f\u001a\u00020\u00108BX\u0082\u0084\u0002¢\u0006\f\n\u0004\b\u0013\u0010\u0014\u001a\u0004\b\u0011\u0010\u0012R\u0010\u0010\u0006\u001a\u0004\u0018\u00010\u0007X\u0082\u0004¢\u0006\u0002\n��¨\u0006;"}, d2 = {"Lnet/corda/nodeapi/internal/cryptoservice/bouncycastle/BCCryptoService;", "Lnet/corda/nodeapi/internal/cryptoservice/CryptoService;", "legalName", "Ljavax/security/auth/x500/X500Principal;", "certificateStoreSupplier", "Lnet/corda/nodeapi/internal/config/CertificateStoreSupplier;", "wrappingKeyStorePath", "Ljava/nio/file/Path;", "(Ljavax/security/auth/x500/X500Principal;Lnet/corda/nodeapi/internal/config/CertificateStoreSupplier;Ljava/nio/file/Path;)V", "certificateStore", "Lnet/corda/nodeapi/internal/config/CertificateStore;", "getCertificateStore", "()Lnet/corda/nodeapi/internal/config/CertificateStore;", "setCertificateStore", "(Lnet/corda/nodeapi/internal/config/CertificateStore;)V", "wrappingKeyStore", "Ljava/security/KeyStore;", "getWrappingKeyStore", "()Ljava/security/KeyStore;", "wrappingKeyStore$delegate", "Lkotlin/Lazy;", "containsKey", "", "alias", "", "createWrappingKey", "", "failIfExists", "defaultIdentitySignatureScheme", "Lnet/corda/core/crypto/SignatureScheme;", "defaultTLSSignatureScheme", "generateKeyPair", "Ljava/security/PublicKey;", TransportConstants.SCHEME_PROP_NAME, "generateWrappedKeyPair", "Lkotlin/Pair;", "Lnet/corda/nodeapi/internal/cryptoservice/WrappedPrivateKey;", "masterKeyAlias", "childKeyScheme", "getPublicKey", 
"getSigner", "Lorg/bouncycastle/operator/ContentSigner;", "getWrappingMode", "Lnet/corda/nodeapi/internal/cryptoservice/WrappingMode;", "importKey", "keyPair", "Ljava/security/KeyPair;", "keyAlgorithmFromScheme", "keyPairGeneratorFromScheme", "Ljava/security/KeyPairGenerator;", "resyncKeystore", "sign", "", "data", "signAlgorithm", "wrappedPrivateKey", "payloadToSign", "signWithAlgorithm", "Companion", "node-api"})
/* loaded from: input_file:corda-node-api-4.11.4.jar:net/corda/nodeapi/internal/cryptoservice/bouncycastle/BCCryptoService.class */
/**
 * Decompiled (JADX) view of the Kotlin class {@code BCCryptoService}, a {@link CryptoService}
 * implementation that performs all key operations in software.
 *
 * <p>Private keys are read from and written to the {@link CertificateStore} obtained from the
 * {@link CertificateStoreSupplier}. When a {@code wrappingKeyStorePath} is supplied, AES wrapping
 * ("master") keys are kept in a separate PKCS12 key store loaded from, and saved to, that path.
 *
 * <p>Security-relevant properties visible in this listing:
 * <ul>
 *   <li>Every private key and wrapping key is materialised in process memory; nothing here
 *       delegates to an external device. {@link #getWrappingMode()} reports
 *       {@code DEGRADED_WRAPPED}.</li>
 *   <li>The wrapping key store is opened and saved with the certificate store's password, and its
 *       entries are protected with the certificate store's entry password, so both stores share
 *       the same secrets.</li>
 *   <li>Passwords are handled as {@code String} and copied to {@code char[]} without being
 *       cleared afterwards.</li>
 * </ul>
 *
 * <p>This is decompiler output and is not guaranteed to compile as written (see the JADX warnings
 * on the anonymous-class initialisers).
 */
public final class BCCryptoService implements CryptoService {

    // Current certificate store. Reassigned by setCertificateStore and resyncKeystore; the field is
    // not volatile and those writers are not synchronized.
    // NOTE(review): confirm callers do not depend on cross-thread visibility of a resync.
    @NotNull
    private CertificateStore certificateStore;
    // Kotlin `by lazy` holder for the wrapping key store; created in the constructor.
    private final Lazy wrappingKeyStore$delegate;
    // Subject used for the self-signed certificate created in importKey.
    private final X500Principal legalName;
    private final CertificateStoreSupplier certificateStoreSupplier;
    // May be null (the constructor parameter is @Nullable). With a null path the lazy loader
    // throws, so only containsKey is safe to call in that configuration among the wrapping paths.
    private final Path wrappingKeyStorePath;
    // Kotlin delegated-property metadata; compiler plumbing, not used for any decision here.
    static final /* synthetic */ KProperty[] $$delegatedProperties = {Reflection.property1(new PropertyReference1Impl(Reflection.getOrCreateKotlinClass(BCCryptoService.class), "wrappingKeyStore", "getWrappingKeyStore()Ljava/security/KeyStore;"))};

    // Kotlin companion-object instance as rendered by the decompiler.
    @Deprecated
    public static final Companion Companion = new Companion(null);

    // Logger used for the trace-level "CryptoService(action=...)" messages below. Those messages
    // carry aliases, scheme and algorithm names only, never key material.
    @NotNull
    private static final Logger detailedLogger = KotlinUtilsKt.detailedLogger();

    /* compiled from: BCCryptoService.kt */
    @Metadata(mv = {1, 1, 11}, bv = {1, 0, 2}, k = 1, d1 = {"��\u0014\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\b\u0082\u0003\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002R\u0011\u0010\u0003\u001a\u00020\u0004¢\u0006\b\n��\u001a\u0004\b\u0005\u0010\u0006¨\u0006\u0007"}, d2 = {"Lnet/corda/nodeapi/internal/cryptoservice/bouncycastle/BCCryptoService$Companion;", "", "()V", "detailedLogger", "Lorg/slf4j/Logger;", "getDetailedLogger", "()Lorg/slf4j/Logger;", "node-api"})
    /* loaded from: input_file:corda-node-api-4.11.4.jar:net/corda/nodeapi/internal/cryptoservice/bouncycastle/BCCryptoService$Companion.class */
    private static final class Companion {
        /** Returns the shared detailed logger held by the outer class. */
        @NotNull
        public final Logger getDetailedLogger() {
            return BCCryptoService.detailedLogger;
        }

        private Companion() {
        }

        // Synthetic constructor emitted by the Kotlin compiler; the marker argument is ignored.
        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /** Returns the certificate store currently in use. */
    @NotNull
    public final CertificateStore getCertificateStore() {
        return this.certificateStore;
    }

    /**
     * Replaces the certificate store used by all subsequent key lookups and password reads.
     *
     * @param certificateStore the new store; must not be null
     */
    public final void setCertificateStore(@NotNull CertificateStore certificateStore) {
        Intrinsics.checkParameterIsNotNull(certificateStore, "<set-?>");
        this.certificateStore = certificateStore;
    }

    /**
     * Returns the wrapping key store, triggering the lazy loader set up in the constructor on
     * first access. That loader throws when {@code wrappingKeyStorePath} is null.
     */
    private final KeyStore getWrappingKeyStore() {
        Lazy lazy = this.wrappingKeyStore$delegate;
        // Unused local: leftover of Kotlin's delegated-property call convention.
        KProperty kProperty = $$delegatedProperties[0];
        return (KeyStore) lazy.getValue();
    }

    /**
     * Generates a key pair for {@code scheme} in process memory, stores it under {@code alias}
     * through {@link #importKey}, and returns the public half.
     *
     * @param alias  certificate-store alias to store the new key under
     * @param scheme signature scheme that determines the key type
     * @return the public key of the generated pair
     * @throws CryptoServiceException wrapping any exception raised during generation or import
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    @NotNull
    public PublicKey generateKeyPair(@NotNull String alias, @NotNull SignatureScheme scheme) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        Intrinsics.checkParameterIsNotNull(scheme, "scheme");
        try {
            Logger logger = detailedLogger;
            if (logger.isTraceEnabled()) {
                logger.trace("CryptoService(action=generate_key_pair_start;alias=" + alias + ";scheme=" + scheme + ')');
            }
            KeyPair generateKeyPair = Crypto.generateKeyPair(scheme);
            Logger logger2 = detailedLogger;
            if (logger2.isTraceEnabled()) {
                logger2.trace("CryptoService(action=generate_key_pair_end;alias=" + alias + ";scheme=" + scheme + ')');
            }
            importKey(alias, generateKeyPair);
            PublicKey publicKey = generateKeyPair.getPublic();
            Intrinsics.checkExpressionValueIsNotNull(publicKey, "keyPair.public");
            return publicKey;
        } catch (Exception e) {
            // The trailing (false, 4, null) arguments are Kotlin default-parameter plumbing.
            throw new CryptoServiceException("Cannot generate key for alias " + alias + " and signature scheme " + scheme.getSchemeCodeName() + " (id " + scheme.getSchemeNumberID() + ')', e, false, 4, null);
        }
    }

    /**
     * Reports whether {@code alias} exists in the certificate store or, when a wrapping key store
     * path was configured, in the wrapping key store.
     *
     * <p>Unlike most methods of this class, exceptions raised here are not wrapped in
     * {@link CryptoServiceException}.
     *
     * @param alias alias to look up
     * @return true if either store contains the alias
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    public boolean containsKey(@NotNull String alias) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        // The wrapping store is consulted only when a path exists, which avoids the lazy loader's
        // null-path failure.
        return this.wrappingKeyStorePath == null ? this.certificateStore.contains(alias) : this.certificateStore.contains(alias) || getWrappingKeyStore().containsAlias(alias);
    }

    /**
     * Returns the public key stored under {@code alias} in the certificate store.
     *
     * @param alias alias to look up
     * @return the public key for the alias
     * @throws CryptoServiceException wrapping any exception raised by the lookup
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public PublicKey getPublicKey(@NotNull final String alias) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        try {
            return (PublicKey) this.certificateStore.query(new Function1<X509KeyStore, PublicKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$getPublicKey$1
                @Override // kotlin.jvm.functions.Function1
                @NotNull
                public final PublicKey invoke(@NotNull X509KeyStore receiver) {
                    Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
                    return receiver.getPublicKey(alias);
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            });
        } catch (Exception e) {
            // Uses the explicit three-argument constructor, unlike the other catch blocks here.
            // NOTE(review): the meaning of the boolean is not visible in this file; confirm it
            // matches the default used elsewhere.
            throw new CryptoServiceException("Cannot get public key for alias " + alias, e, false);
        }
    }

    /**
     * Signs {@code data} with the private key stored under {@code alias}.
     *
     * <p>When {@code str} (the signature algorithm name) is null the key is loaded with the
     * certificate store's entry password and passed to {@code Crypto.doSign}; otherwise the call
     * is delegated to {@link #signWithAlgorithm}.
     *
     * @param alias certificate-store alias of the signing key
     * @param data  bytes to sign
     * @param str   JCA signature algorithm name, or null to let {@code Crypto.doSign} decide
     * @return the signature bytes
     * @throws CryptoServiceException wrapping any exception raised while loading the key or signing
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public byte[] sign(@NotNull final String alias, @NotNull byte[] data, @Nullable String str) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        Intrinsics.checkParameterIsNotNull(data, "data");
        try {
            return str == null ? Crypto.doSign((PrivateKey) this.certificateStore.query(new Function1<X509KeyStore, PrivateKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$sign$1
                @Override // kotlin.jvm.functions.Function1
                @NotNull
                public final PrivateKey invoke(@NotNull X509KeyStore receiver) {
                    Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
                    return receiver.getPrivateKey(alias, BCCryptoService.this.getCertificateStore().getEntryPassword());
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            }), data) : signWithAlgorithm(alias, data, str);
        } catch (Exception e) {
            // The message carries the SHA-256 of the payload, not the payload itself.
            throw new CryptoServiceException("Cannot sign using the key with alias " + alias + ". SHA256 of data to be signed: " + SecureHashKt.sha256(data), e, false, 4, null);
        }
    }

    /**
     * Signs {@code bArr} with the key under alias {@code str} using the JCA algorithm {@code str2}
     * from the Corda BouncyCastle provider.
     *
     * <p>The algorithm name is passed to {@code Signature.getInstance} as received; nothing in
     * this method restricts it to a set of approved algorithms.
     * NOTE(review): confirm callers only pass names from a vetted list.
     *
     * @param str  certificate-store alias of the signing key
     * @param bArr bytes to sign
     * @param str2 JCA signature algorithm name
     * @return the signature bytes
     */
    private final byte[] signWithAlgorithm(final String str, byte[] bArr, String str2) {
        PrivateKey privateKey = (PrivateKey) this.certificateStore.query(new Function1<X509KeyStore, PrivateKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$signWithAlgorithm$privateKey$1
            @Override // kotlin.jvm.functions.Function1
            @NotNull
            public final PrivateKey invoke(@NotNull X509KeyStore receiver) {
                Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
                return receiver.getPrivateKey(str, BCCryptoService.this.getCertificateStore().getEntryPassword());
            }

            /* JADX INFO: Access modifiers changed from: package-private */
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super(1);
            }
        });
        Signature signature = Signature.getInstance(str2, ProviderMapKt.getCordaBouncyCastleProvider());
        Logger logger = detailedLogger;
        if (logger.isTraceEnabled()) {
            logger.trace("CryptoService(action=signing_start;alias=" + str + ";algorithm=" + str2 + ')');
        }
        signature.initSign(privateKey, CryptoUtils.newSecureRandom());
        signature.update(bArr);
        // In this listing the "signing_end" trace is emitted before signature.sign() runs, so it
        // does not prove that a signature was produced. Keep that in mind when timing or auditing
        // from these traces.
        Logger logger2 = detailedLogger;
        if (logger2.isTraceEnabled()) {
            logger2.trace("CryptoService(action=signing_end;alias=" + str + ";algorithm=" + str2 + ')');
        }
        byte[] sign = signature.sign();
        Intrinsics.checkExpressionValueIsNotNull(sign, "signature.sign()");
        return sign;
    }

    /**
     * Builds a BouncyCastle {@link ContentSigner} backed by the private key stored under
     * {@code alias}. The signature scheme is derived from the key itself and the provider is
     * looked up from that scheme's provider name.
     *
     * @param alias certificate-store alias of the signing key
     * @return a content signer for the key
     * @throws CryptoServiceException wrapping any exception raised while loading the key or
     *         building the signer
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public ContentSigner getSigner(@NotNull final String alias) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        try {
            Logger logger = detailedLogger;
            if (logger.isTraceEnabled()) {
                logger.trace("CryptoService(action=get_signer;alias=" + alias + ')');
            }
            PrivateKey privateKey = (PrivateKey) this.certificateStore.query(new Function1<X509KeyStore, PrivateKey>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$getSigner$privateKey$1
                @Override // kotlin.jvm.functions.Function1
                @NotNull
                public final PrivateKey invoke(@NotNull X509KeyStore receiver) {
                    Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
                    return receiver.getPrivateKey(alias, BCCryptoService.this.getCertificateStore().getEntryPassword());
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            });
            SignatureScheme findSignatureScheme = Crypto.findSignatureScheme(privateKey);
            // (false, 16, null): the last two arguments are Kotlin default-parameter plumbing; the
            // meaning of the boolean is not visible in this file.
            return ContentSignerBuilder.build$default(ContentSignerBuilder.INSTANCE, findSignatureScheme, privateKey, Crypto.findProvider(findSignatureScheme.getProviderName()), CryptoUtils.newSecureRandom(), false, 16, null);
        } catch (Exception e) {
            throw new CryptoServiceException("Cannot get Signer for key with alias " + alias, e, false, 4, null);
        }
    }

    /** Returns the default identity signature scheme defined by {@code X509Utilities}. */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public SignatureScheme defaultIdentitySignatureScheme() {
        return X509Utilities.INSTANCE.getDEFAULT_IDENTITY_SIGNATURE_SCHEME();
    }

    /** Returns the default TLS signature scheme defined by {@code X509Utilities}. */
    @Override // net.corda.nodeapi.internal.cryptoservice.SignOnlyCryptoService
    @NotNull
    public SignatureScheme defaultTLSSignatureScheme() {
        return X509Utilities.INSTANCE.getDEFAULT_TLS_SIGNATURE_SCHEME();
    }

    /**
     * Re-reads the certificate store from the supplier and replaces the current reference.
     * NOTE(review): the meaning of the {@code true} argument is not visible in this file.
     */
    public final void resyncKeystore() {
        this.certificateStore = this.certificateStoreSupplier.get(true);
    }

    /**
     * Stores an existing key pair under {@code alias}: a self-signed CA certificate is created for
     * {@code legalName} and the private key is written to the certificate store together with
     * that single-certificate chain, protected by the store's entry password.
     *
     * <p>This method is public, so it accepts key pairs generated outside this class.
     * NOTE(review): whether {@code setPrivateKey} overwrites an existing alias is not visible
     * here; confirm before relying on alias uniqueness.
     *
     * @param alias   certificate-store alias to store the key under
     * @param keyPair key pair to import
     * @throws CryptoServiceException wrapping any exception raised during certificate creation or
     *         storage
     */
    public final void importKey(@NotNull final String alias, @NotNull final KeyPair keyPair) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        Intrinsics.checkParameterIsNotNull(keyPair, "keyPair");
        try {
            Logger logger = detailedLogger;
            if (logger.isTraceEnabled()) {
                logger.trace("CryptoService(action=key_import;alias=" + alias + ')');
            }
            final X509Certificate createSelfSignedCACertificate$default = X509Utilities.createSelfSignedCACertificate$default(this.legalName, keyPair, null, 4, null);
            this.certificateStore.query(new Function1<X509KeyStore, Unit>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$importKey$2
                @Override // kotlin.jvm.functions.Function1
                public /* bridge */ /* synthetic */ Unit invoke(X509KeyStore x509KeyStore) {
                    invoke2(x509KeyStore);
                    return Unit.INSTANCE;
                }

                /* renamed from: invoke, reason: avoid collision after fix types in other method */
                public final void invoke2(@NotNull X509KeyStore receiver) {
                    Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
                    String str = alias;
                    PrivateKey privateKey = keyPair.getPrivate();
                    Intrinsics.checkExpressionValueIsNotNull(privateKey, "keyPair.private");
                    receiver.setPrivateKey(str, privateKey, CollectionsKt.listOf(createSelfSignedCACertificate$default), BCCryptoService.this.getCertificateStore().getEntryPassword());
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }
            });
        } catch (Exception e) {
            throw new CryptoServiceException("Cannot import key with alias " + alias, e, false, 4, null);
        }
    }

    /**
     * Creates an AES wrapping key under {@code alias} in the wrapping key store and saves the
     * store to {@code wrappingKeyStorePath}.
     *
     * <p>If the alias already exists the method throws when {@code z} (fail-if-exists) is true and
     * returns without changes otherwise. Exceptions are not wrapped in
     * {@link CryptoServiceException} here.
     *
     * <p>The new entry is protected with the certificate store's entry password and the store
     * file is saved with the certificate store's password, so the wrapping keys are only as well
     * protected as those two secrets.
     *
     * @param alias alias for the new wrapping key
     * @param z     when true, an existing alias is an error
     * @throws IllegalArgumentException if the alias exists and {@code z} is true
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    public synchronized void createWrappingKey(@NotNull String alias, boolean z) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        if (getWrappingKeyStore().containsAlias(alias)) {
            if (z) {
                throw new IllegalArgumentException("There is an existing key with the alias: " + alias);
            }
            // Unreachable: z is already known to be false here. Artefact of how the decompiler
            // rendered the Kotlin `when` expression.
            if (z) {
                throw new NoWhenBranchMatchedException();
            }
            return;
        }
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
        // KeyGenerator.init(int) takes the key size in bits; the value comes from the
        // CryptoService interface default (see wrappingKeySize()).
        keyGenerator.init(wrappingKeySize());
        SecretKey generateKey = keyGenerator.generateKey();
        KeyStore wrappingKeyStore = getWrappingKeyStore();
        KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry(generateKey);
        String entryPassword = this.certificateStore.getEntryPassword();
        if (entryPassword == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        // The char[] copy is never cleared, and the source String cannot be.
        char[] charArray = entryPassword.toCharArray();
        Intrinsics.checkExpressionValueIsNotNull(charArray, "(this as java.lang.String).toCharArray()");
        wrappingKeyStore.setEntry(alias, secretKeyEntry, new KeyStore.PasswordProtection(charArray));
        KeyStore wrappingKeyStore2 = getWrappingKeyStore();
        Path path = this.wrappingKeyStorePath;
        // A null path would already have failed inside the lazy loader on the first
        // getWrappingKeyStore() call above, so this check is a formality at this point.
        if (path == null) {
            Intrinsics.throwNpe();
        }
        KeyStoreUtilities.save(wrappingKeyStore2, path, this.certificateStore.getPassword());
    }

    /**
     * Generates a child key pair for {@code childKeyScheme} and returns its public key together
     * with the private key wrapped under the AES key stored at {@code masterKeyAlias}.
     *
     * <p>Wrapping uses the {@code AESWRAPPAD} transformation (AES Key Wrap with Padding) from the
     * Corda BouncyCastle provider. The plaintext child private key exists in process memory until
     * it is garbage collected. Exceptions are not wrapped in {@link CryptoServiceException} here.
     *
     * @param masterKeyAlias alias of the wrapping key in the wrapping key store
     * @param childKeyScheme signature scheme of the key pair to generate
     * @return the public key and the wrapped private key
     * @throws IllegalStateException if no key exists under {@code masterKeyAlias}
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    @NotNull
    public Pair<PublicKey, WrappedPrivateKey> generateWrappedKeyPair(@NotNull String masterKeyAlias, @NotNull SignatureScheme childKeyScheme) {
        Intrinsics.checkParameterIsNotNull(masterKeyAlias, "masterKeyAlias");
        Intrinsics.checkParameterIsNotNull(childKeyScheme, "childKeyScheme");
        if (!getWrappingKeyStore().containsAlias(masterKeyAlias)) {
            throw new IllegalStateException("There is no master key under the alias: " + masterKeyAlias);
        }
        KeyStore wrappingKeyStore = getWrappingKeyStore();
        String entryPassword = this.certificateStore.getEntryPassword();
        if (entryPassword == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        char[] charArray = entryPassword.toCharArray();
        Intrinsics.checkExpressionValueIsNotNull(charArray, "(this as java.lang.String).toCharArray()");
        Key key = wrappingKeyStore.getKey(masterKeyAlias, charArray);
        Cipher cipher = Cipher.getInstance("AESWRAPPAD", ProviderMapKt.getCordaBouncyCastleProvider());
        // 3 == Cipher.WRAP_MODE (constant inlined by the compiler).
        cipher.init(3, key);
        KeyPair keyPair = keyPairGeneratorFromScheme(childKeyScheme).generateKeyPair();
        Intrinsics.checkExpressionValueIsNotNull(keyPair, "keyPair");
        byte[] privateKeyMaterialWrapped = cipher.wrap(keyPair.getPrivate());
        PublicKey publicKey = keyPair.getPublic();
        Intrinsics.checkExpressionValueIsNotNull(privateKeyMaterialWrapped, "privateKeyMaterialWrapped");
        // The trailing 1 is presumably the encoding version: sign(...) selects AESWRAPPAD when
        // getEncodingVersion() == 1.
        return new Pair<>(publicKey, new WrappedPrivateKey(privateKeyMaterialWrapped, childKeyScheme, 1));
    }

    /**
     * Unwraps {@code wrappedPrivateKey} with the AES key stored at {@code masterKeyAlias} and
     * signs {@code payloadToSign} with the recovered private key.
     *
     * <p>Both the unwrap transformation and the signature algorithm are chosen from fields of the
     * caller-supplied {@code WrappedPrivateKey} (encoding version and signature scheme); only the
     * key material itself is covered by the wrap. The unwrapped private key is held in process
     * memory and is not explicitly destroyed. Exceptions are not wrapped in
     * {@link CryptoServiceException} here.
     *
     * @param masterKeyAlias    alias of the wrapping key in the wrapping key store
     * @param wrappedPrivateKey wrapped key material with its scheme and encoding version
     * @param payloadToSign     bytes to sign
     * @return the signature bytes
     * @throws IllegalStateException if no key exists under {@code masterKeyAlias}
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    @NotNull
    public byte[] sign(@NotNull String masterKeyAlias, @NotNull WrappedPrivateKey wrappedPrivateKey, @NotNull byte[] payloadToSign) {
        Intrinsics.checkParameterIsNotNull(masterKeyAlias, "masterKeyAlias");
        Intrinsics.checkParameterIsNotNull(wrappedPrivateKey, "wrappedPrivateKey");
        Intrinsics.checkParameterIsNotNull(payloadToSign, "payloadToSign");
        if (!getWrappingKeyStore().containsAlias(masterKeyAlias)) {
            throw new IllegalStateException("There is no master key under the alias: " + masterKeyAlias);
        }
        KeyStore wrappingKeyStore = getWrappingKeyStore();
        String entryPassword = this.certificateStore.getEntryPassword();
        if (entryPassword == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        char[] charArray = entryPassword.toCharArray();
        Intrinsics.checkExpressionValueIsNotNull(charArray, "(this as java.lang.String).toCharArray()");
        Key key = wrappingKeyStore.getKey(masterKeyAlias, charArray);
        Integer encodingVersion = wrappedPrivateKey.getEncodingVersion();
        // Version 1 uses AESWRAPPAD; a null or any other version falls back to a bare "AES"
        // transformation, which leaves mode and padding to the provider default.
        // NOTE(review): a plain block-cipher unwrap typically gives no integrity check on the
        // wrapped blob, unlike a key-wrap algorithm; confirm the legacy path is still required.
        Cipher cipher = Cipher.getInstance((encodingVersion != null && encodingVersion.intValue() == 1) ? "AESWRAPPAD" : "AES", ProviderMapKt.getCordaBouncyCastleProvider());
        // 4 == Cipher.UNWRAP_MODE; the 2 passed to unwrap below == Cipher.PRIVATE_KEY.
        cipher.init(4, key);
        Key unwrap = cipher.unwrap(wrappedPrivateKey.getKeyMaterial(), keyAlgorithmFromScheme(wrappedPrivateKey.getSignatureScheme()), 2);
        if (unwrap == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.security.PrivateKey");
        }
        PrivateKey privateKey = (PrivateKey) unwrap;
        Signature signatureInstance = Instances.INSTANCE.getSignatureInstance(wrappedPrivateKey.getSignatureScheme().getSignatureName(), ProviderMapKt.getCordaBouncyCastleProvider());
        signatureInstance.initSign(privateKey, CryptoUtils.newSecureRandom());
        signatureInstance.update(payloadToSign);
        byte[] sign = signatureInstance.sign();
        Intrinsics.checkExpressionValueIsNotNull(sign, "signature.sign()");
        return sign;
    }

    /**
     * Reports the wrapping mode of this service, always {@code DEGRADED_WRAPPED}.
     * NOTE(review): presumably this signals that wrapping is done in software and unwrapped keys
     * are exposed to the process; confirm against the {@code WrappingMode} definition.
     */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    @Nullable
    public WrappingMode getWrappingMode() {
        return WrappingMode.DEGRADED_WRAPPED;
    }

    /**
     * Returns a {@link KeyPairGenerator} from the Corda BouncyCastle provider, initialised for
     * {@code signatureScheme}. Only ECDSA over secp256r1, ECDSA over secp256k1 and RSA are mapped.
     *
     * <p>No {@code SecureRandom} is passed to {@code initialize}, so the generator uses its
     * default source of randomness, whereas the signing paths in this class pass
     * {@code CryptoUtils.newSecureRandom()} explicitly.
     *
     * @param signatureScheme scheme of the key pair to generate
     * @return an initialised key pair generator
     * @throws IllegalArgumentException if the scheme has no mapping
     */
    private final KeyPairGenerator keyPairGeneratorFromScheme(SignatureScheme signatureScheme) {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(keyAlgorithmFromScheme(signatureScheme), ProviderMapKt.getCordaBouncyCastleProvider());
        if (Intrinsics.areEqual(signatureScheme, Crypto.ECDSA_SECP256R1_SHA256)) {
            keyPairGenerator.initialize(new ECGenParameterSpec("secp256r1"));
        } else if (Intrinsics.areEqual(signatureScheme, Crypto.ECDSA_SECP256K1_SHA256)) {
            keyPairGenerator.initialize(new ECGenParameterSpec("secp256k1"));
        } else {
            if (!Intrinsics.areEqual(signatureScheme, Crypto.RSA_SHA256)) {
                throw new IllegalArgumentException("No mapping for scheme ID " + signatureScheme.getSchemeNumberID());
            }
            // RSA modulus size comes from the scheme definition; a null size raises an NPE.
            Integer keySize = signatureScheme.getKeySize();
            if (keySize == null) {
                Intrinsics.throwNpe();
            }
            keyPairGenerator.initialize(keySize.intValue());
        }
        Intrinsics.checkExpressionValueIsNotNull(keyPairGenerator, "keyPairGenerator");
        return keyPairGenerator;
    }

    /**
     * Maps a signature scheme to its JCA key algorithm name: {@code "EC"} for the two ECDSA
     * schemes and {@code "RSA"} for {@code RSA_SHA256}. This also acts as the allow-list of
     * schemes accepted by the wrapped-key paths.
     *
     * @param signatureScheme scheme to map
     * @return the JCA key algorithm name
     * @throws IllegalArgumentException if the scheme has no mapping
     */
    private final String keyAlgorithmFromScheme(SignatureScheme signatureScheme) {
        if (Intrinsics.areEqual(signatureScheme, Crypto.ECDSA_SECP256R1_SHA256) || Intrinsics.areEqual(signatureScheme, Crypto.ECDSA_SECP256K1_SHA256)) {
            return "EC";
        }
        if (Intrinsics.areEqual(signatureScheme, Crypto.RSA_SHA256)) {
            return "RSA";
        }
        throw new IllegalArgumentException("No algorithm for scheme ID " + signatureScheme.getSchemeNumberID());
    }

    /**
     * Creates the service, loading the certificate store immediately and deferring the wrapping
     * key store until first use.
     *
     * <p>The deferred loader opens, or creates, a PKCS12 key store at {@code path} using the
     * password of whichever certificate store is current at the time of first access.
     *
     * @param legalName                subject for self-signed certificates created in importKey
     * @param certificateStoreSupplier source of the certificate store
     * @param path                     location of the wrapping key store, or null to disable the
     *                                 wrapping-key operations
     */
    public BCCryptoService(@NotNull X500Principal legalName, @NotNull CertificateStoreSupplier certificateStoreSupplier, @Nullable Path path) {
        Intrinsics.checkParameterIsNotNull(legalName, "legalName");
        Intrinsics.checkParameterIsNotNull(certificateStoreSupplier, "certificateStoreSupplier");
        this.legalName = legalName;
        this.certificateStoreSupplier = certificateStoreSupplier;
        this.wrappingKeyStorePath = path;
        this.certificateStore = this.certificateStoreSupplier.get(true);
        this.wrappingKeyStore$delegate = LazyKt.lazy(new Function0<KeyStore>() { // from class: net.corda.nodeapi.internal.cryptoservice.bouncycastle.BCCryptoService$wrappingKeyStore$2
            @Override // kotlin.jvm.functions.Function0
            @NotNull
            public final KeyStore invoke() {
                Path path2;
                path2 = BCCryptoService.this.wrappingKeyStorePath;
                // Fails with an NPE when no wrapping key store path was configured.
                if (path2 == null) {
                    Intrinsics.throwNpe();
                }
                // (null, 8, null): Kotlin default-parameter plumbing for an omitted argument.
                return KeyStoreUtilities.loadOrCreateKeyStore$default(path2, BCCryptoService.this.getCertificateStore().getPassword(), "PKCS12", null, 8, null);
            }

            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }
        });
    }

    // Synthetic constructor for Kotlin default arguments: when bit 4 of the mask is set the
    // wrapping key store path defaults to null.
    public /* synthetic */ BCCryptoService(X500Principal x500Principal, CertificateStoreSupplier certificateStoreSupplier, Path path, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this(x500Principal, certificateStoreSupplier, (i & 4) != 0 ? (Path) null : path);
    }

    /** Returns the wrapping key size from the {@link CryptoService} interface default. */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    public int wrappingKeySize() {
        return CryptoService.DefaultImpls.wrappingKeySize(this);
    }

    /** Returns the wrapping signature scheme from the {@link CryptoService} interface default. */
    @Override // net.corda.nodeapi.internal.cryptoservice.CryptoService
    @NotNull
    public SignatureScheme defaultWrappingSignatureScheme() {
        return CryptoService.DefaultImpls.defaultWrappingSignatureScheme(this);
    }
}
