package net.corda.nodeapi.internal.crypto;

import java.io.BufferedReader;
import java.math.BigInteger;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.Unit;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.JvmStatic;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Regex;
import net.corda.core.CordaOID;
import net.corda.core.crypto.Crypto;
import net.corda.core.crypto.CryptoUtils;
import net.corda.core.crypto.SignatureScheme;
import net.corda.core.internal.CertRole;
import net.corda.core.internal.InternalUtils;
import net.corda.core.internal.PathUtilsKt;
import net.corda.core.utilities.KotlinUtilsKt;
import org.apache.commons.text.lookup.StringLookupFactory;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.NameConstraints;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.bc.BcX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.hibernate.cfg.Ejb3DiscriminatorColumn;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: X509Utilities.kt */
@Metadata(mv = {1, 1, 11}, bv = {1, 0, 2}, k = 1, d1 = {"��Ê\u0001\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010\b\n��\n\u0002\u0010\u000e\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\t\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010 \n��\n\u0002\u0010\u0011\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\b\u0007\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\"\n\u0002\b\u0004\bÆ\u0002\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J$\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u001d\u001a\u00020\u001e2\b\u0010\u001f\u001a\u0004\u0018\u00010\u00062\b\u0010 \u001a\u0004\u0018\u00010!H\u0002J\u001c\u0010\"\u001a\u00020#2\u0006\u0010$\u001a\u00020%2\f\u0010&\u001a\b\u0012\u0004\u0012\u00020%0'J\u001f\u0010\"\u001a\u00020#2\u0012\u0010(\u001a\n\u0012\u0006\b\u0001\u0012\u00020%0)\"\u00020%¢\u0006\u0002\u0010*J\u0014\u0010\"\u001a\u00020#2\f\u0010(\u001a\b\u0012\u0004\u0012\u00020%0'Jj\u0010+\u001a\u00020%2\u0006\u0010,\u001a\u00020-2\u0006\u0010.\u001a\u00020%2\u0006\u0010/\u001a\u0002002\u0006\u00101\u001a\u0002022\u0006\u00103\u001a\u0002042\u0014\b\u0002\u00105\u001a\u000e\u0012\u0004\u0012\u00020\u0012\u0012\u0004\u0012\u00020\u00120\u00112\n\b\u0002\u00106\u001a\u0004\u0018\u0001072\n\b\u0002\u0010\u001f\u001a\u0004\u0018\u00010\u00062\n\b\u0002\u0010 
\u001a\u0004\u0018\u00010!H\u0007Jf\u0010+\u001a\u00020%2\u0006\u0010,\u001a\u00020-2\u0006\u00108\u001a\u0002022\u0006\u0010/\u001a\u0002002\u0006\u00101\u001a\u0002022\u0006\u00103\u001a\u0002042\u0012\u00105\u001a\u000e\u0012\u0004\u0012\u000209\u0012\u0004\u0012\u0002090\u00112\n\b\u0002\u00106\u001a\u0004\u0018\u0001072\n\b\u0002\u0010\u001f\u001a\u0004\u0018\u00010\u00062\n\b\u0002\u0010 \u001a\u0004\u0018\u00010!Jn\u0010+\u001a\u00020%2\u0006\u0010,\u001a\u00020-2\u0006\u00108\u001a\u0002022\u0006\u0010:\u001a\u0002042\u0006\u0010;\u001a\u00020<2\u0006\u00101\u001a\u0002022\u0006\u00103\u001a\u0002042\u0012\u00105\u001a\u000e\u0012\u0004\u0012\u000209\u0012\u0004\u0012\u0002090\u00112\n\b\u0002\u00106\u001a\u0004\u0018\u0001072\n\b\u0002\u0010\u001f\u001a\u0004\u0018\u00010\u00062\n\b\u0002\u0010 \u001a\u0004\u0018\u00010!J(\u0010=\u001a\u00020>2\u0006\u00101\u001a\u0002022\u0006\u0010?\u001a\u00020\u00062\u0006\u0010@\u001a\u0002002\b\b\u0002\u0010A\u001a\u00020BJ0\u0010=\u001a\u00020>2\u0006\u00101\u001a\u0002022\u0006\u0010?\u001a\u00020\u00062\u0006\u0010C\u001a\u0002042\u0006\u0010D\u001a\u00020<2\b\b\u0002\u0010A\u001a\u00020BJf\u0010E\u001a\u00020\u001e2\u0006\u0010,\u001a\u00020-2\u0006\u00108\u001a\u0002022\u0006\u0010:\u001a\u0002042\u0006\u00101\u001a\u0002022\u0006\u00103\u001a\u0002042\u0012\u00105\u001a\u000e\u0012\u0004\u0012\u000209\u0012\u0004\u0012\u0002090\u00112\n\b\u0002\u00106\u001a\u0004\u0018\u0001072\n\b\u0002\u0010\u001f\u001a\u0004\u0018\u00010\u00062\n\b\u0002\u0010 
\u001a\u0004\u0018\u00010!J.\u0010F\u001a\u00020%2\u0006\u00101\u001a\u0002022\u0006\u0010@\u001a\u0002002\u0014\b\u0002\u00105\u001a\u000e\u0012\u0004\u0012\u00020\u0012\u0012\u0004\u0012\u00020\u00120\u0011H\u0007J\b\u0010G\u001a\u00020HH\u0002J.\u0010I\u001a\u000e\u0012\u0004\u0012\u000209\u0012\u0004\u0012\u0002090\u00112\u0006\u0010J\u001a\u00020\u00122\u0006\u0010K\u001a\u00020\u00122\n\b\u0002\u0010L\u001a\u0004\u0018\u00010%J\u000e\u0010M\u001a\u00020\u00062\u0006\u0010N\u001a\u00020\u0006J\u000e\u0010O\u001a\u00020P2\u0006\u0010N\u001a\u00020\u0006J\u0010\u0010Q\u001a\u00020%2\u0006\u0010R\u001a\u00020SH\u0007J\u001a\u0010T\u001a\u0002092\u0006\u0010$\u001a\u00020U2\b\u0010V\u001a\u0004\u0018\u000109H\u0002J\u001a\u0010W\u001a\u0002092\u0006\u0010$\u001a\u00020U2\b\u0010V\u001a\u0004\u0018\u000109H\u0002J\u0018\u0010X\u001a\u00020\u001c2\u0006\u0010Y\u001a\u00020%2\u0006\u0010R\u001a\u00020SH\u0007J\u0018\u0010Z\u001a\u00020[2\u0006\u0010\\\u001a\u00020\u00062\b\b\u0002\u0010]\u001a\u00020\u0004J\u001c\u0010^\u001a\u00020\u001c2\f\u0010_\u001a\b\u0012\u0004\u0012\u00020%0`2\u0006\u0010a\u001a\u00020#J-\u0010b\u001a\u00020\u001c2\f\u0010_\u001a\b\u0012\u0004\u0012\u00020%0`2\u0012\u0010(\u001a\n\u0012\u0006\b\u0001\u0012\u00020%0)\"\u00020%¢\u0006\u0002\u0010cJ\"\u0010b\u001a\u00020\u001c2\f\u0010_\u001a\b\u0012\u0004\u0012\u00020%0`2\f\u0010(\u001a\b\u0012\u0004\u0012\u00020%0'R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\u0005\u001a\u00020\u0006X\u0086T¢\u0006\u0002\n��R\u000e\u0010\u0007\u001a\u00020\u0006X\u0086T¢\u0006\u0002\n��R\u000e\u0010\b\u001a\u00020\u0006X\u0086T¢\u0006\u0002\n��R\u000e\u0010\t\u001a\u00020\u0006X\u0086T¢\u0006\u0002\n��R\u0011\u0010\n\u001a\u00020\u000b¢\u0006\b\n��\u001a\u0004\b\f\u0010\rR\u0011\u0010\u000e\u001a\u00020\u000b¢\u0006\b\n��\u001a\u0004\b\u000f\u0010\rR\u001d\u0010\u0010\u001a\u000e\u0012\u0004\u0012\u00020\u0012\u0012\u0004\u0012\u00020\u00120\u0011¢\u0006\b\n��\u001a\u0004\b\u0013\
u0010\u0014R\u000e\u0010\u0015\u001a\u00020\u0006X\u0086T¢\u0006\u0002\n��R\u000e\u0010\u0016\u001a\u00020\u0006X\u0086T¢\u0006\u0002\n��R\u000e\u0010\u0017\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\u0018\u001a\u00020\u0006X\u0082T¢\u0006\u0002\n��R\u000e\u0010\u0019\u001a\u00020\u0006X\u0086T¢\u0006\u0002\n��R\u000e\u0010\u001a\u001a\u00020\u0004X\u0086T¢\u0006\u0002\n��¨\u0006d"}, d2 = {"Lnet/corda/nodeapi/internal/crypto/X509Utilities;", "", "()V", "CERTIFICATE_SERIAL_NUMBER_LENGTH", "", "CORDA_CLIENT_CA", "", "CORDA_CLIENT_TLS", "CORDA_INTERMEDIATE_CA", "CORDA_ROOT_CA", "DEFAULT_IDENTITY_SIGNATURE_SCHEME", "Lnet/corda/core/crypto/SignatureScheme;", "getDEFAULT_IDENTITY_SIGNATURE_SCHEME", "()Lnet/corda/core/crypto/SignatureScheme;", "DEFAULT_TLS_SIGNATURE_SCHEME", "getDEFAULT_TLS_SIGNATURE_SCHEME", "DEFAULT_VALIDITY_WINDOW", "Lkotlin/Pair;", "Ljava/time/Duration;", "getDEFAULT_VALIDITY_WINDOW", "()Lkotlin/Pair;", "DISTRIBUTED_NOTARY_COMPOSITE_KEY_ALIAS", "DISTRIBUTED_NOTARY_KEY_ALIAS", "KEY_ALIAS_MAX_LENGTH", "KEY_ALIAS_REGEX", "NODE_IDENTITY_KEY_ALIAS", "TLS_CERTIFICATE_DAYS_TO_EXPIRY_WARNING_THRESHOLD", "addCrlInfo", "", "builder", "Lorg/bouncycastle/cert/X509v3CertificateBuilder;", "crlDistPoint", "crlIssuer", "Lorg/bouncycastle/asn1/x500/X500Name;", "buildCertPath", "Ljava/security/cert/CertPath;", "first", "Ljava/security/cert/X509Certificate;", "remaining", "", "certificates", "", "([Ljava/security/cert/X509Certificate;)Ljava/security/cert/CertPath;", "createCertificate", "certificateType", "Lnet/corda/nodeapi/internal/crypto/CertificateType;", "issuerCertificate", "issuerKeyPair", "Ljava/security/KeyPair;", "subject", "Ljavax/security/auth/x500/X500Principal;", "subjectPublicKey", "Ljava/security/PublicKey;", "validityWindow", "nameConstraints", "Lorg/bouncycastle/asn1/x509/NameConstraints;", "issuer", "Ljava/util/Date;", "issuerPublicKey", "issuerSigner", "Lorg/bouncycastle/operator/ContentSigner;", "createCertificateSigningRequest", 
"Lorg/bouncycastle/pkcs/PKCS10CertificationRequest;", "email", "keyPair", "certRole", "Lnet/corda/core/internal/CertRole;", "publicKey", "contentSigner", "createPartialCertificate", "createSelfSignedCACertificate", "generateCertificateSerialNumber", "Ljava/math/BigInteger;", "getCertificateValidityWindow", "before", "after", "parent", "invalidKeyAliasErrorMessage", "alias", "isKeyAliasValid", "", "loadCertificateFromPEMFile", StringLookupFactory.KEY_FILE, "Ljava/nio/file/Path;", "max", "Ljava/time/Instant;", "second", "min", "saveCertificateAsPEMFile", "certificate", "toGeneralNames", "Lorg/bouncycastle/asn1/x509/GeneralNames;", Ejb3DiscriminatorColumn.DEFAULT_DISCRIMINATOR_TYPE, "tag", "validateCertPath", "trustedRoots", "", "certPath", "validateCertificateChain", "(Ljava/util/Set;[Ljava/security/cert/X509Certificate;)V", "node-api"})
/* loaded from: input_file:corda-node-api-4.9.10.jar:net/corda/nodeapi/internal/crypto/X509Utilities.class */
public final class X509Utilities {

    // Well-known names for the Corda root, intermediate, client-TLS and client-CA entries.
    // NOTE(review): presumably key store aliases; nothing in the visible code reads them — confirm at the call sites.
    @NotNull
    public static final String CORDA_ROOT_CA = "cordarootca";

    @NotNull
    public static final String CORDA_INTERMEDIATE_CA = "cordaintermediateca";

    @NotNull
    public static final String CORDA_CLIENT_TLS = "cordaclienttls";

    @NotNull
    public static final String CORDA_CLIENT_CA = "cordaclientca";

    // Names for the node identity key and the distributed-notary keys (private and composite).
    @NotNull
    public static final String NODE_IDENTITY_KEY_ALIAS = "identity-private-key";

    @NotNull
    public static final String DISTRIBUTED_NOTARY_KEY_ALIAS = "distributed-notary-private-key";

    @NotNull
    public static final String DISTRIBUTED_NOTARY_COMPOSITE_KEY_ALIAS = "distributed-notary-composite-key";
    // Expiry-warning threshold, in days going by the name; not read by the visible code.
    public static final int TLS_CERTIFICATE_DAYS_TO_EXPIRY_WARNING_THRESHOLD = 30;
    // Allowed alias alphabet: lowercase ASCII letters, digits and '-'; at least one character.
    private static final String KEY_ALIAS_REGEX = "[a-z0-9-]+";
    // Maximum alias length; isKeyAliasValid compares against the same value (100) as an inlined literal.
    private static final int KEY_ALIAS_MAX_LENGTH = 100;
    // NOTE(review): presumably the serial number length in bytes; its consumer is not visible here — confirm.
    private static final int CERTIFICATE_SERIAL_NUMBER_LENGTH = 16;
    // Singleton through which the static helpers of this class call the instance methods.
    public static final X509Utilities INSTANCE = new X509Utilities();

    // Default signature scheme for identity keys: Crypto.EDDSA_ED25519_SHA512.
    @NotNull
    private static final SignatureScheme DEFAULT_IDENTITY_SIGNATURE_SCHEME = Crypto.EDDSA_ED25519_SHA512;

    // Default signature scheme for TLS keys: Crypto.ECDSA_SECP256R1_SHA256.
    @NotNull
    private static final SignatureScheme DEFAULT_TLS_SIGNATURE_SCHEME = Crypto.ECDSA_SECP256R1_SHA256;

    // Default (before, after) offsets handed to getCertificateValidityWindow: going by the helper
    // names, 0 ms before and 3650 days after the start of the current UTC day. This is a long-lived
    // default; callers issuing short-lived certificates need to pass their own window.
    @NotNull
    private static final Pair<Duration, Duration> DEFAULT_VALIDITY_WINDOW = new Pair<>(KotlinUtilsKt.getMillis(0), KotlinUtilsKt.getDays(3650));

    /**
     * Returns the default signature scheme for identity keys.
     *
     * @return the value of {@code DEFAULT_IDENTITY_SIGNATURE_SCHEME}, which this class sets to
     *     {@code Crypto.EDDSA_ED25519_SHA512}
     */
    @NotNull
    public final SignatureScheme getDEFAULT_IDENTITY_SIGNATURE_SCHEME() {
        return DEFAULT_IDENTITY_SIGNATURE_SCHEME;
    }

    /**
     * Returns the default signature scheme for TLS keys.
     *
     * @return the value of {@code DEFAULT_TLS_SIGNATURE_SCHEME}, which this class sets to
     *     {@code Crypto.ECDSA_SECP256R1_SHA256}
     */
    @NotNull
    public final SignatureScheme getDEFAULT_TLS_SIGNATURE_SCHEME() {
        return DEFAULT_TLS_SIGNATURE_SCHEME;
    }

    /**
     * Checks a key alias against the length limit and the allowed character set.
     *
     * @param alias candidate alias; must not be null
     * @return {@code true} when the alias is at most {@code KEY_ALIAS_MAX_LENGTH} (100) characters
     *     long and matches {@code KEY_ALIAS_REGEX} in full; {@code false} otherwise, including for
     *     the empty string
     */
    public final boolean isKeyAliasValid(@NotNull String alias) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        // The length is tested first, so an over-long alias is rejected without running the regex.
        final boolean withinLimit = alias.length() <= KEY_ALIAS_MAX_LENGTH;
        return withinLimit && new Regex(KEY_ALIAS_REGEX).matches(alias);
    }

    /**
     * Builds the message reported for an alias that failed {@code isKeyAliasValid}.
     *
     * <p>NOTE(review): the text mentions only lowercase alphanumeric characters, while
     * {@code KEY_ALIAS_REGEX} also accepts {@code '-'}. The alias is embedded verbatim, so a caller
     * that logs or displays the message must treat it as untrusted text.
     *
     * @param alias the rejected alias; must not be null
     * @return the error message containing the alias
     */
    @NotNull
    public final String invalidKeyAliasErrorMessage(@NotNull String alias) {
        Intrinsics.checkParameterIsNotNull(alias, "alias");
        final StringBuilder message = new StringBuilder("Alias '");
        message.append(alias);
        message.append("' must contain only lowercase alphanumeric characters and not exceed 100 characters length.");
        return message.toString();
    }

    /**
     * Returns the default validity offsets used when a caller supplies none.
     *
     * @return the value of {@code DEFAULT_VALIDITY_WINDOW}, a (before, after) pair of durations
     */
    @NotNull
    public final Pair<Duration, Duration> getDEFAULT_VALIDITY_WINDOW() {
        return DEFAULT_VALIDITY_WINDOW;
    }

    /**
     * Returns the later of an instant and an optional date.
     *
     * @param instant lower bound; converted to epoch milliseconds
     * @param date candidate date, may be null
     * @return {@code date} when it is strictly after {@code instant}; otherwise a new {@code Date}
     *     holding the instant's epoch milliseconds
     */
    private final Date max(Instant instant, Date date) {
        final long boundMillis = instant.toEpochMilli();
        if (date != null && date.getTime() > boundMillis) {
            return date;
        }
        return new Date(boundMillis);
    }

    /**
     * Returns the earlier of an instant and an optional date.
     *
     * @param instant upper bound; converted to epoch milliseconds
     * @param date candidate date, may be null
     * @return {@code date} when it is strictly before {@code instant}; otherwise a new {@code Date}
     *     holding the instant's epoch milliseconds
     */
    private final Date min(Instant instant, Date date) {
        final long boundMillis = instant.toEpochMilli();
        if (date != null && date.getTime() < boundMillis) {
            return date;
        }
        return new Date(boundMillis);
    }

    /**
     * Computes a (notBefore, notAfter) pair around the start of the current UTC day, clamped to the
     * validity period of an optional parent certificate.
     *
     * <p>The start is the later of {@code startOfDay - before} and the parent's notBefore; the end
     * is the earlier of {@code startOfDay + after} and the parent's notAfter. A child window therefore
     * never extends beyond the parent's. This method does not check that the resulting start
     * precedes the end.
     *
     * @param before how far before the start of today the window may begin; must not be null
     * @param after how far after the start of today the window may end; must not be null
     * @param x509Certificate parent certificate whose validity bounds the window, or null for none
     * @return the pair (notBefore, notAfter)
     */
    @NotNull
    public final Pair<Date, Date> getCertificateValidityWindow(@NotNull Duration before, @NotNull Duration after, @Nullable X509Certificate x509Certificate) {
        Intrinsics.checkParameterIsNotNull(before, "before");
        Intrinsics.checkParameterIsNotNull(after, "after");
        final Instant startOfDayUtc = Instant.now().truncatedTo(ChronoUnit.DAYS);

        final Instant earliest = startOfDayUtc.minus(before);
        Intrinsics.checkExpressionValueIsNotNull(earliest, "startOfDayUTC - before");
        Date parentNotBefore = null;
        if (x509Certificate != null) {
            parentNotBefore = x509Certificate.getNotBefore();
        }
        final Date notBefore = max(earliest, parentNotBefore);

        final Instant latest = startOfDayUtc.plus(after);
        Intrinsics.checkExpressionValueIsNotNull(latest, "startOfDayUTC + after");
        Date parentNotAfter = null;
        if (x509Certificate != null) {
            parentNotAfter = x509Certificate.getNotAfter();
        }
        final Date notAfter = min(latest, parentNotAfter);

        return new Pair<>(notBefore, notAfter);
    }

    /**
     * Compiler-generated bridge that applies the default for the optional parent certificate and
     * then calls {@code getCertificateValidityWindow}.
     *
     * @param i bit mask of omitted arguments; value 4 means the parent certificate was omitted and
     *     null is used instead
     * @param obj unused marker argument
     */
    @NotNull
    public static /* bridge */ /* synthetic */ Pair getCertificateValidityWindow$default(X509Utilities x509Utilities, Duration duration, Duration duration2, X509Certificate x509Certificate, int i, Object obj) {
        final boolean parentOmitted = (i & 4) != 0;
        final X509Certificate parent = parentOmitted ? null : x509Certificate;
        return x509Utilities.getCertificateValidityWindow(duration, duration2, parent);
    }

    /**
     * Creates a self-signed certificate of type {@code CertificateType.ROOT_CA}.
     *
     * <p>The subject is used as both issuer and subject, and the supplied key pair both signs the
     * certificate and provides the subject public key. The validity window is computed without a
     * parent certificate, so it is not clamped. Mask 448 (64 + 128 + 256) makes the callee use its
     * defaults for name constraints, CRL distribution point and CRL issuer.
     *
     * @param subject distinguished name of the new root; must not be null
     * @param keyPair key pair of the new root; must not be null
     * @param validityWindow (before, after) offsets around the start of the current UTC day
     * @return the self-signed certificate
     */
    @JvmStatic
    @NotNull
    public static final X509Certificate createSelfSignedCACertificate(@NotNull X500Principal subject, @NotNull KeyPair keyPair, @NotNull Pair<Duration, Duration> validityWindow) {
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(keyPair, "keyPair");
        Intrinsics.checkParameterIsNotNull(validityWindow, "validityWindow");
        final Pair window = getCertificateValidityWindow$default(INSTANCE, validityWindow.getFirst(), validityWindow.getSecond(), null, 4, null);
        final PublicKey subjectKey = keyPair.getPublic();
        Intrinsics.checkExpressionValueIsNotNull(subjectKey, "keyPair.public");
        return createCertificate$default(INSTANCE, CertificateType.ROOT_CA, subject, keyPair, subject, subjectKey, window, null, null, null, 448, null);
    }

    /**
     * Compiler-generated bridge that applies the default validity window and then calls
     * {@code createSelfSignedCACertificate}.
     *
     * @param i bit mask of omitted arguments; value 4 means the validity window was omitted and
     *     {@code DEFAULT_VALIDITY_WINDOW} is used instead
     * @param obj unused marker argument
     */
    @JvmStatic
    @NotNull
    public static /* bridge */ /* synthetic */ X509Certificate createSelfSignedCACertificate$default(X500Principal x500Principal, KeyPair keyPair, Pair pair, int i, Object obj) {
        final boolean windowOmitted = (i & 4) != 0;
        final Pair window = windowOmitted ? DEFAULT_VALIDITY_WINDOW : pair;
        return createSelfSignedCACertificate(x500Principal, keyPair, window);
    }

    /**
     * Varargs convenience overload: wraps the array in a list and delegates to the list overload.
     *
     * @param trustedRoots certificates accepted as trust anchors; must not be null
     * @param certificates the chain to validate; must not be null
     */
    public final void validateCertificateChain(@NotNull Set<? extends X509Certificate> trustedRoots, @NotNull X509Certificate... certificates) {
        Intrinsics.checkParameterIsNotNull(trustedRoots, "trustedRoots");
        Intrinsics.checkParameterIsNotNull(certificates, "certificates");
        final List<X509Certificate> chain = Arrays.asList(certificates);
        validateCertificateChain(trustedRoots, chain);
    }

    /**
     * Builds a certification path from the given certificates and validates it against the
     * trusted roots.
     *
     * <p>NOTE(review): the expected ordering of {@code certificates} is decided by
     * {@code buildCertPath}, which is not visible here — confirm before relying on it.
     *
     * @param trustedRoots certificates accepted as trust anchors; must not be null
     * @param certificates the chain to validate; must not be null or empty
     * @throws IllegalArgumentException if {@code certificates} is empty
     */
    public final void validateCertificateChain(@NotNull Set<? extends X509Certificate> trustedRoots, @NotNull List<? extends X509Certificate> certificates) {
        Intrinsics.checkParameterIsNotNull(trustedRoots, "trustedRoots");
        Intrinsics.checkParameterIsNotNull(certificates, "certificates");
        if (certificates.isEmpty()) {
            throw new IllegalArgumentException("Certificate path must contain at least one certificate");
        }
        final CertPath path = buildCertPath(certificates);
        validateCertPath(trustedRoots, path);
    }

    /**
     * Validates a certification path against a set of trusted root certificates.
     *
     * <p>Each root becomes a {@code TrustAnchor} with no additional name constraints (second
     * constructor argument null). The actual path validation is done by
     * {@code InternalUtils.validate$default}.
     *
     * <p>NOTE(review): the literal {@code false} passed below is only a placeholder; mask 2 tells the
     * callee to use its own default for that parameter. Whether that default enables revocation
     * checking cannot be determined from this file — confirm in {@code InternalUtils}.
     *
     * @param trustedRoots certificates accepted as trust anchors; must not be null
     * @param certPath the path to validate; must not be null
     */
    public final void validateCertPath(@NotNull Set<? extends X509Certificate> trustedRoots, @NotNull CertPath certPath) {
        Intrinsics.checkParameterIsNotNull(trustedRoots, "trustedRoots");
        Intrinsics.checkParameterIsNotNull(certPath, "certPath");
        final List<TrustAnchor> anchors = new ArrayList<>(trustedRoots.size());
        for (X509Certificate root : trustedRoots) {
            anchors.add(new TrustAnchor(root, null));
        }
        InternalUtils.validate$default(certPath, CollectionsKt.toSet(anchors), false, 2, null);
    }

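    /**
     * Writes a certificate to {@code file} in PEM form.
     *
     * <p>The writer is managed by try-with-resources, so it is closed exactly once and a failure in
     * {@code close()} is attached to the primary exception as suppressed instead of replacing it.
     * The decompiled form closed the writer with a null cause on the failure path, and closed it
     * again if the first close threw. I/O failures propagate unchanged; the Kotlin original declares
     * no checked exceptions, which is why this signature has no throws clause.
     *
     * @param certificate the certificate to write; must not be null
     * @param file destination path, opened with the default options of {@code PathUtilsKt.writer};
     *     must not be null
     */
    @JvmStatic
    public static final void saveCertificateAsPEMFile(@NotNull X509Certificate certificate, @NotNull Path file) {
        Intrinsics.checkParameterIsNotNull(certificate, "certificate");
        Intrinsics.checkParameterIsNotNull(file, "file");
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(PathUtilsKt.writer$default(file, null, new OpenOption[0], 1, null))) {
            pemWriter.writeObject(certificate);
        }
    }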

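    /**
     * Reads the first PEM object from {@code file} and parses its content as an X.509 certificate.
     *
     * <p>NOTE(review): the result of {@code isValidOn(new Date())} is discarded, so an expired or
     * not-yet-valid certificate is returned like any other. Callers that depend on the validity
     * period must check it themselves, for example with {@code X509Certificate.checkValidity()} or
     * by validating the chain. The call is kept as it was so that behaviour does not change.
     *
     * <p>The reader is managed by try-with-resources, so it is closed exactly once and a failure in
     * {@code close()} is attached to the primary exception as suppressed instead of replacing it.
     * I/O and parse failures propagate unchanged; the Kotlin original declares no checked
     * exceptions, which is why this signature has no throws clause.
     *
     * @param file path of the PEM file; must not be null
     * @return the parsed certificate
     * @throws IllegalStateException if the file contains no PEM object
     */
    @JvmStatic
    @NotNull
    public static final X509Certificate loadCertificateFromPEMFile(@NotNull Path file) {
        Intrinsics.checkParameterIsNotNull(file, "file");
        try (BufferedReader reader = PathUtilsKt.reader$default(file, null, 1, null)) {
            PemObject pemObject = new PemReader(reader).readPemObject();
            Intrinsics.checkExpressionValueIsNotNull(pemObject, "pemObject");
            X509CertificateHolder holder = new X509CertificateHolder(pemObject.getContent());
            // NOTE(review): return value ignored — this does not reject an out-of-date certificate.
            holder.isValidOn(new Date());
            return X509UtilitiesKt.toJca(holder);
        }
    }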

    /**
     * Assembles an unsigned X.509 v3 certificate builder with the extensions implied by the
     * certificate type.
     *
     * <p>Extensions added, in order: subjectKeyIdentifier, basicConstraints (critical),
     * keyUsage, extendedKeyUsage, authorityKeyIdentifier, the Corda role extension when the type
     * has a role, CRL information via {@code addCrlInfo}, and nameConstraints (critical) when
     * supplied. Only basicConstraints and nameConstraints are marked critical. basicConstraints is
     * built from {@code isCA()} alone, so no path-length limit is set here.
     *
     * @param certificateType supplies purposes, key usage, CA flag and role; must not be null
     * @param issuer issuer distinguished name; must not be null
     * @param issuerPublicKey key used for the authorityKeyIdentifier; must not be null
     * @param subject subject distinguished name; must not be null
     * @param subjectPublicKey key being certified; must not be null
     * @param validityWindow (notBefore, notAfter) pair; must not be null
     * @param nameConstraints optional name constraints, or null
     * @param str optional CRL distribution point passed to {@code addCrlInfo}, or null
     * @param x500Name optional CRL issuer passed to {@code addCrlInfo}, or null
     * @return the builder, ready to be signed
     */
    @NotNull
    public final X509v3CertificateBuilder createPartialCertificate(@NotNull CertificateType certificateType, @NotNull X500Principal issuer, @NotNull PublicKey issuerPublicKey, @NotNull X500Principal subject, @NotNull PublicKey subjectPublicKey, @NotNull Pair<? extends Date, ? extends Date> validityWindow, @Nullable NameConstraints nameConstraints, @Nullable String str, @Nullable X500Name x500Name) {
        Intrinsics.checkParameterIsNotNull(certificateType, "certificateType");
        Intrinsics.checkParameterIsNotNull(issuer, "issuer");
        Intrinsics.checkParameterIsNotNull(issuerPublicKey, "issuerPublicKey");
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(subjectPublicKey, "subjectPublicKey");
        Intrinsics.checkParameterIsNotNull(validityWindow, "validityWindow");

        final BigInteger serial = generateCertificateSerialNumber();

        // Extended key usage is the sequence of purposes declared by the certificate type.
        final ASN1EncodableVector purposes = new ASN1EncodableVector();
        for (KeyPurposeId purpose : certificateType.getPurposes()) {
            purposes.add(purpose);
        }
        final DERSequence extendedKeyUsage = new DERSequence(purposes);

        final SubjectPublicKeyInfo subjectKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(subjectPublicKey.getEncoded()));
        final CertRole role = certificateType.getRole();

        // addExtension mutates the builder in place, so the calls need not be chained.
        final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serial, validityWindow.getFirst(), validityWindow.getSecond(), subject, subjectPublicKey);
        builder.addExtension(Extension.subjectKeyIdentifier, false, (ASN1Encodable) new BcX509ExtensionUtils().createSubjectKeyIdentifier(subjectKeyInfo));
        builder.addExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(certificateType.isCA()));
        builder.addExtension(Extension.keyUsage, false, (ASN1Encodable) certificateType.getKeyUsage());
        builder.addExtension(Extension.extendedKeyUsage, false, (ASN1Encodable) extendedKeyUsage);
        builder.addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerPublicKey));
        if (role != null) {
            builder.addExtension(new ASN1ObjectIdentifier(CordaOID.X509_EXTENSION_CORDA_ROLE), false, (ASN1Encodable) role);
        }
        Intrinsics.checkExpressionValueIsNotNull(builder, "builder");

        addCrlInfo(builder, str, x500Name);
        if (nameConstraints != null) {
            builder.addExtension(Extension.nameConstraints, true, (ASN1Encodable) nameConstraints);
        }
        return builder;
    }

    /**
     * Compiler-generated bridge that applies defaults for omitted optional arguments and then
     * calls {@code createPartialCertificate}.
     *
     * @param i bit mask of omitted arguments: 64 = name constraints, 128 = CRL distribution point,
     *     256 = CRL issuer; each omitted argument is replaced by null
     * @param obj unused marker argument
     */
    @NotNull
    public static /* bridge */ /* synthetic */ X509v3CertificateBuilder createPartialCertificate$default(X509Utilities x509Utilities, CertificateType certificateType, X500Principal x500Principal, PublicKey publicKey, X500Principal x500Principal2, PublicKey publicKey2, Pair pair, NameConstraints nameConstraints, String str, X500Name x500Name, int i, Object obj) {
        final NameConstraints constraints = (i & 64) != 0 ? null : nameConstraints;
        final String crlDistPoint = (i & 128) != 0 ? null : str;
        final X500Name crlIssuer = (i & 256) != 0 ? null : x500Name;
        return x509Utilities.createPartialCertificate(certificateType, x500Principal, publicKey, x500Principal2, publicKey2, pair, constraints, crlDistPoint, crlIssuer);
    }

    /**
     * Issues a certificate signed by {@code issuerKeyPair}, taking the issuer name and the bounds
     * of the validity window from {@code issuerCertificate}.
     *
     * <p>The requested window is clamped to the issuer certificate's validity period before the
     * instance overload that takes a key pair is called.
     *
     * <p>NOTE(review): this method reads only the subject name and validity dates of
     * {@code issuerCertificate}; it does not compare the certificate's public key with
     * {@code issuerKeyPair}. A mismatched pair would produce a certificate that does not chain to
     * the issuer certificate, so callers must pass a matching key pair.
     *
     * @param certificateType type of certificate to issue; must not be null
     * @param issuerCertificate certificate of the issuer; must not be null
     * @param issuerKeyPair key pair used to sign; must not be null
     * @param subject subject distinguished name; must not be null
     * @param subjectPublicKey key being certified; must not be null
     * @param validityWindow (before, after) offsets around the start of the current UTC day
     * @param nameConstraints optional name constraints, or null
     * @param str optional CRL distribution point, or null
     * @param x500Name optional CRL issuer, or null
     * @return the issued certificate
     */
    @JvmStatic
    @NotNull
    public static final X509Certificate createCertificate(@NotNull CertificateType certificateType, @NotNull X509Certificate issuerCertificate, @NotNull KeyPair issuerKeyPair, @NotNull X500Principal subject, @NotNull PublicKey subjectPublicKey, @NotNull Pair<Duration, Duration> validityWindow, @Nullable NameConstraints nameConstraints, @Nullable String str, @Nullable X500Name x500Name) {
        Intrinsics.checkParameterIsNotNull(certificateType, "certificateType");
        Intrinsics.checkParameterIsNotNull(issuerCertificate, "issuerCertificate");
        Intrinsics.checkParameterIsNotNull(issuerKeyPair, "issuerKeyPair");
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(subjectPublicKey, "subjectPublicKey");
        Intrinsics.checkParameterIsNotNull(validityWindow, "validityWindow");
        final Pair<Date, Date> clampedWindow = INSTANCE.getCertificateValidityWindow(validityWindow.getFirst(), validityWindow.getSecond(), issuerCertificate);
        final X500Principal issuerName = issuerCertificate.getSubjectX500Principal();
        Intrinsics.checkExpressionValueIsNotNull(issuerName, "issuerCertificate.subjectX500Principal");
        return INSTANCE.createCertificate(certificateType, issuerName, issuerKeyPair, subject, subjectPublicKey, clampedWindow, nameConstraints, str, x500Name);
    }

    /**
     * Compiler-generated bridge that applies defaults for omitted optional arguments and then
     * calls the static {@code createCertificate} that takes an issuer certificate.
     *
     * @param i bit mask of omitted arguments: 32 = validity window (replaced by
     *     {@code DEFAULT_VALIDITY_WINDOW}), 64 = name constraints, 128 = CRL distribution point,
     *     256 = CRL issuer (each replaced by null)
     * @param obj unused marker argument
     */
    @JvmStatic
    @NotNull
    public static /* bridge */ /* synthetic */ X509Certificate createCertificate$default(CertificateType certificateType, X509Certificate x509Certificate, KeyPair keyPair, X500Principal x500Principal, PublicKey publicKey, Pair pair, NameConstraints nameConstraints, String str, X500Name x500Name, int i, Object obj) {
        final Pair window = (i & 32) != 0 ? DEFAULT_VALIDITY_WINDOW : pair;
        final NameConstraints constraints = (i & 64) != 0 ? null : nameConstraints;
        final String crlDistPoint = (i & 128) != 0 ? null : str;
        final X500Name crlIssuer = (i & 256) != 0 ? null : x500Name;
        return createCertificate(certificateType, x509Certificate, keyPair, x500Principal, publicKey, (Pair<Duration, Duration>) window, constraints, crlDistPoint, crlIssuer);
    }

    /**
     * Issues a certificate signed with a caller-supplied {@code ContentSigner}.
     *
     * <p>The built certificate is checked for validity at the current time only.
     *
     * <p>NOTE(review): unlike the overload that takes an issuer key pair, this one does not verify
     * the resulting signature, although {@code issuerPublicKey} is available. A signer that does
     * not correspond to {@code issuerPublicKey} is therefore not detected here.
     *
     * @param certificateType type of certificate to issue; must not be null
     * @param issuer issuer distinguished name; must not be null
     * @param issuerPublicKey issuer key, used for the authorityKeyIdentifier; must not be null
     * @param issuerSigner signer that produces the certificate signature; must not be null
     * @param subject subject distinguished name; must not be null
     * @param subjectPublicKey key being certified; must not be null
     * @param validityWindow (notBefore, notAfter) pair; must not be null
     * @param nameConstraints optional name constraints, or null
     * @param str optional CRL distribution point, or null
     * @param x500Name optional CRL issuer, or null
     * @return the issued certificate
     * @throws IllegalArgumentException if the certificate is not valid at the current time
     */
    @NotNull
    public final X509Certificate createCertificate(@NotNull CertificateType certificateType, @NotNull X500Principal issuer, @NotNull PublicKey issuerPublicKey, @NotNull ContentSigner issuerSigner, @NotNull X500Principal subject, @NotNull PublicKey subjectPublicKey, @NotNull Pair<? extends Date, ? extends Date> validityWindow, @Nullable NameConstraints nameConstraints, @Nullable String str, @Nullable X500Name x500Name) {
        Intrinsics.checkParameterIsNotNull(certificateType, "certificateType");
        Intrinsics.checkParameterIsNotNull(issuer, "issuer");
        Intrinsics.checkParameterIsNotNull(issuerPublicKey, "issuerPublicKey");
        Intrinsics.checkParameterIsNotNull(issuerSigner, "issuerSigner");
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(subjectPublicKey, "subjectPublicKey");
        Intrinsics.checkParameterIsNotNull(validityWindow, "validityWindow");
        final X509v3CertificateBuilder unsigned = createPartialCertificate(certificateType, issuer, issuerPublicKey, subject, subjectPublicKey, validityWindow, nameConstraints, str, x500Name);
        final X509CertificateHolder signed = unsigned.build(issuerSigner);
        if (!signed.isValidOn(new Date())) {
            throw new IllegalArgumentException("Certificate is not valid at instant now");
        }
        return X509UtilitiesKt.toJca(signed);
    }

    /**
     * Compiler-generated bridge that applies defaults for omitted optional arguments and then
     * calls the {@code createCertificate} overload that takes a {@code ContentSigner}.
     *
     * @param i bit mask of omitted arguments: 128 = name constraints, 256 = CRL distribution point,
     *     512 = CRL issuer; each omitted argument is replaced by null
     * @param obj unused marker argument
     */
    @NotNull
    public static /* bridge */ /* synthetic */ X509Certificate createCertificate$default(X509Utilities x509Utilities, CertificateType certificateType, X500Principal x500Principal, PublicKey publicKey, ContentSigner contentSigner, X500Principal x500Principal2, PublicKey publicKey2, Pair pair, NameConstraints nameConstraints, String str, X500Name x500Name, int i, Object obj) {
        final NameConstraints constraints = (i & 128) != 0 ? null : nameConstraints;
        final String crlDistPoint = (i & 256) != 0 ? null : str;
        final X500Name crlIssuer = (i & 512) != 0 ? null : x500Name;
        return x509Utilities.createCertificate(certificateType, x500Principal, publicKey, contentSigner, x500Principal2, publicKey2, pair, constraints, crlDistPoint, crlIssuer);
    }

    /**
     * Issues a certificate signed with the private key of {@code issuerKeyPair}.
     *
     * <p>The signature scheme and provider are looked up from the private key. After signing, the
     * certificate is checked for validity at the current time and its signature is verified
     * against the public key of the same key pair. Mask 24 (8 + 16) makes
     * {@code ContentSignerBuilder.build} use its own defaults for its last two parameters; the
     * literal {@code null} and {@code false} are placeholders.
     *
     * @param certificateType type of certificate to issue; must not be null
     * @param issuer issuer distinguished name; must not be null
     * @param issuerKeyPair key pair used to sign and to verify the result; must not be null
     * @param subject subject distinguished name; must not be null
     * @param subjectPublicKey key being certified; must not be null
     * @param validityWindow (notBefore, notAfter) pair; must not be null
     * @param nameConstraints optional name constraints, or null
     * @param str optional CRL distribution point, or null
     * @param x500Name optional CRL issuer, or null
     * @return the issued certificate
     * @throws IllegalArgumentException if the certificate is not valid at the current time or its
     *     signature does not verify
     */
    @NotNull
    public final X509Certificate createCertificate(@NotNull CertificateType certificateType, @NotNull X500Principal issuer, @NotNull KeyPair issuerKeyPair, @NotNull X500Principal subject, @NotNull PublicKey subjectPublicKey, @NotNull Pair<? extends Date, ? extends Date> validityWindow, @Nullable NameConstraints nameConstraints, @Nullable String str, @Nullable X500Name x500Name) {
        Intrinsics.checkParameterIsNotNull(certificateType, "certificateType");
        Intrinsics.checkParameterIsNotNull(issuer, "issuer");
        Intrinsics.checkParameterIsNotNull(issuerKeyPair, "issuerKeyPair");
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(subjectPublicKey, "subjectPublicKey");
        Intrinsics.checkParameterIsNotNull(validityWindow, "validityWindow");

        final PrivateKey signingKey = issuerKeyPair.getPrivate();
        Intrinsics.checkExpressionValueIsNotNull(signingKey, "issuerKeyPair.private");
        final SignatureScheme scheme = Crypto.findSignatureScheme(signingKey);
        final Provider provider = Crypto.findProvider(scheme.getProviderName());
        final ContentSigner signer = ContentSignerBuilder.build$default(ContentSignerBuilder.INSTANCE, scheme, signingKey, provider, null, false, 24, null);

        final PublicKey verificationKey = issuerKeyPair.getPublic();
        Intrinsics.checkExpressionValueIsNotNull(verificationKey, "issuerKeyPair.public");
        final X509CertificateHolder signed = createPartialCertificate(certificateType, issuer, verificationKey, subject, subjectPublicKey, validityWindow, nameConstraints, str, x500Name).build(signer);

        if (!signed.isValidOn(new Date())) {
            throw new IllegalArgumentException("Certificate is not valid at instant now");
        }
        // Self-check: the signature must verify under the issuer's public key before the certificate is returned.
        if (!signed.isSignatureValid(new JcaContentVerifierProviderBuilder().build(verificationKey))) {
            throw new IllegalArgumentException("Invalid signature");
        }
        return X509UtilitiesKt.toJca(signed);
    }

    /**
     * Compiler-generated bridge that applies defaults for omitted optional arguments and then
     * calls the {@code createCertificate} overload that takes an issuer key pair.
     *
     * @param i bit mask of omitted arguments: 64 = name constraints, 128 = CRL distribution point,
     *     256 = CRL issuer; each omitted argument is replaced by null
     * @param obj unused marker argument
     */
    @NotNull
    public static /* bridge */ /* synthetic */ X509Certificate createCertificate$default(X509Utilities x509Utilities, CertificateType certificateType, X500Principal x500Principal, KeyPair keyPair, X500Principal x500Principal2, PublicKey publicKey, Pair pair, NameConstraints nameConstraints, String str, X500Name x500Name, int i, Object obj) {
        final NameConstraints constraints = (i & 64) != 0 ? null : nameConstraints;
        final String crlDistPoint = (i & 128) != 0 ? null : str;
        final X500Name crlIssuer = (i & 256) != 0 ? null : x500Name;
        return x509Utilities.createCertificate(certificateType, x500Principal, keyPair, x500Principal2, publicKey, (Pair<? extends Date, ? extends Date>) pair, constraints, crlDistPoint, crlIssuer);
    }

    /**
     * Builds a PKCS#10 certificate signing request and verifies its signature before returning it.
     *
     * <p>Two attributes are added to the request: the e-mail address as a UTF-8 string under
     * {@code BCStyle.E}, and the requested role under the Corda role OID. The e-mail value is
     * embedded as given; this method does not validate its format.
     *
     * @param subject subject distinguished name; must not be null
     * @param email e-mail address placed in the request; must not be null
     * @param publicKey key for which a certificate is requested; must not be null
     * @param contentSigner signer that produces the request signature; must not be null
     * @param certRole role requested for the certificate; must not be null
     * @return the signed request
     * @throws SignatureException if the signature of the built request does not verify
     */
    @NotNull
    public final PKCS10CertificationRequest createCertificateSigningRequest(@NotNull X500Principal subject, @NotNull String email, @NotNull PublicKey publicKey, @NotNull ContentSigner contentSigner, @NotNull CertRole certRole) {
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(email, "email");
        Intrinsics.checkParameterIsNotNull(publicKey, "publicKey");
        Intrinsics.checkParameterIsNotNull(contentSigner, "contentSigner");
        Intrinsics.checkParameterIsNotNull(certRole, "certRole");
        final PKCS10CertificationRequest request = new JcaPKCS10CertificationRequestBuilder(subject, publicKey)
                .addAttribute(BCStyle.E, new DERUTF8String(email))
                .addAttribute(new ASN1ObjectIdentifier(CordaOID.X509_EXTENSION_CORDA_ROLE), certRole)
                .build(contentSigner);
        if (X509UtilitiesKt.isSignatureValid(request)) {
            Intrinsics.checkExpressionValueIsNotNull(request, "JcaPKCS10CertificationRe…      }\n                }");
            return request;
        }
        throw new SignatureException("The certificate signing request signature validation failed.");
    }

    /**
     * Compiler-generated default-argument bridge for the {@code ContentSigner} overload of
     * {@code createCertificateSigningRequest}.
     *
     * <p>When bit 16 of {@code i} is set the caller omitted the role, and the request is made for
     * {@code CertRole.NODE_CA}.
     *
     * @param x509Utilities receiver the call is forwarded to
     * @param i             bit mask of omitted arguments
     * @param obj           unused marker argument
     * @return the request built by the forwarded call
     */
    @NotNull
    public static /* bridge */ /* synthetic */ PKCS10CertificationRequest createCertificateSigningRequest$default(X509Utilities x509Utilities, X500Principal x500Principal, String str, PublicKey publicKey, ContentSigner contentSigner, CertRole certRole, int i, Object obj) {
        final CertRole resolvedRole = (i & 16) != 0 ? CertRole.NODE_CA : certRole;
        return x509Utilities.createCertificateSigningRequest(x500Principal, str, publicKey, contentSigner, resolvedRole);
    }

    /**
     * Convenience overload that derives the content signer from {@code keyPair} and then
     * delegates to the {@code ContentSigner} overload.
     *
     * <p>The signature scheme is looked up from the public key, and the signer is built from that
     * scheme, the private key and the provider named by the scheme. The same key pair therefore
     * supplies both the key placed in the request and the key that signs it.
     *
     * @param subject  subject name of the request
     * @param email    e-mail address stored in the request
     * @param keyPair  key pair whose public half is certified and whose private half signs
     * @param certRole role stored in the request
     * @return the signed request
     */
    @NotNull
    public final PKCS10CertificationRequest createCertificateSigningRequest(@NotNull X500Principal subject, @NotNull String email, @NotNull KeyPair keyPair, @NotNull CertRole certRole) {
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(email, "email");
        Intrinsics.checkParameterIsNotNull(keyPair, "keyPair");
        Intrinsics.checkParameterIsNotNull(certRole, "certRole");

        PublicKey subjectKey = keyPair.getPublic();
        Intrinsics.checkExpressionValueIsNotNull(subjectKey, "keyPair.public");
        SignatureScheme scheme = Crypto.findSignatureScheme(subjectKey);

        ContentSignerBuilder signerFactory = ContentSignerBuilder.INSTANCE;
        PrivateKey signingKey = keyPair.getPrivate();
        Intrinsics.checkExpressionValueIsNotNull(signingKey, "keyPair.private");
        Provider provider = Crypto.findProvider(scheme.getProviderName());
        // Mask 24 (bits 8 and 16) presumably tells the bridge to use its own defaults for the
        // last two parameters, making the literal null/false placeholders - confirm in
        // ContentSignerBuilder.
        ContentSigner signer = ContentSignerBuilder.build$default(signerFactory, scheme, signingKey, provider, null, false, 24, null);

        // subjectKey was already read from keyPair and null-checked above, so it is reused here.
        return createCertificateSigningRequest(subject, email, subjectKey, signer, certRole);
    }

    /**
     * Compiler-generated default-argument bridge for the {@code KeyPair} overload of
     * {@code createCertificateSigningRequest}.
     *
     * <p>When bit 8 of {@code i} is set the caller omitted the role, and the request is made for
     * {@code CertRole.NODE_CA}.
     *
     * @param x509Utilities receiver the call is forwarded to
     * @param i             bit mask of omitted arguments
     * @param obj           unused marker argument
     * @return the request built by the forwarded call
     */
    @NotNull
    public static /* bridge */ /* synthetic */ PKCS10CertificationRequest createCertificateSigningRequest$default(X509Utilities x509Utilities, X500Principal x500Principal, String str, KeyPair keyPair, CertRole certRole, int i, Object obj) {
        final CertRole resolvedRole = (i & 8) != 0 ? CertRole.NODE_CA : certRole;
        return x509Utilities.createCertificateSigningRequest(x500Principal, str, keyPair, resolvedRole);
    }

    /**
     * Builds a certification path from {@code first} followed by every element of
     * {@code remaining}, in that order.
     *
     * <p>This only assembles the path: no signature, validity-period or trust-anchor check is
     * performed in this method, so the result still has to be validated by the caller.
     *
     * @param first     certificate placed at the head of the path
     * @param remaining certificates appended after {@code first}
     * @return the path produced by the list overload of {@code buildCertPath}
     */
    @NotNull
    public final CertPath buildCertPath(@NotNull X509Certificate first, @NotNull List<? extends X509Certificate> remaining) {
        Intrinsics.checkParameterIsNotNull(first, "first");
        Intrinsics.checkParameterIsNotNull(remaining, "remaining");
        // Pre-sized for the head certificate plus the rest of the chain.
        List<X509Certificate> chain = new ArrayList<>(remaining.size() + 1);
        chain.add(first);
        chain.addAll(remaining);
        return buildCertPath(chain);
    }

    /**
     * Builds a certification path from the given certificates, in argument order.
     *
     * <p>The array is copied before it is handed to the factory. The path is assembled only; no
     * validation of the chain happens in this method.
     *
     * @param certificates certificates forming the path
     * @return the path generated by {@code X509CertificateFactory}
     */
    @NotNull
    public final CertPath buildCertPath(@NotNull X509Certificate... certificates) {
        Intrinsics.checkParameterIsNotNull(certificates, "certificates");
        X509Certificate[] snapshot = (X509Certificate[]) Arrays.copyOf(certificates, certificates.length);
        X509CertificateFactory factory = new X509CertificateFactory();
        return factory.generateCertPath(snapshot);
    }

    /**
     * Builds a certification path from the given list of certificates.
     *
     * <p>The list is passed to a new {@code X509CertificateFactory} as-is. The path is assembled
     * only; no validation of the chain happens in this method.
     *
     * @param certificates certificates forming the path
     * @return the path generated by {@code X509CertificateFactory}
     */
    @NotNull
    public final CertPath buildCertPath(@NotNull List<? extends X509Certificate> certificates) {
        Intrinsics.checkParameterIsNotNull(certificates, "certificates");
        X509CertificateFactory factory = new X509CertificateFactory();
        return factory.generateCertPath(certificates);
    }

    /**
     * Adds a non-critical CRL distribution points extension to the certificate under
     * construction, or does nothing when {@code str} is {@code null}.
     *
     * <p>The extension holds a single distribution point whose name is {@code str} encoded as a
     * URI general name. When {@code x500Name} is non-null it is recorded as the CRL issuer of
     * that distribution point; otherwise the CRL issuer is left out. The reason flags are always
     * left out.
     *
     * <p>NOTE(review): {@code str} is embedded verbatim; no scheme or format check on the URL is
     * visible in this method, so any validation has to happen before the call.
     *
     * @param x509v3CertificateBuilder builder that receives the extension
     * @param str                      CRL distribution point URL, or {@code null} for no extension
     * @param x500Name                 CRL issuer name, or {@code null}
     */
    private final void addCrlInfo(X509v3CertificateBuilder x509v3CertificateBuilder, String str, X500Name x500Name) {
        if (str == null) {
            return;
        }
        // GeneralName.uniformResourceIdentifier is tag number 6, the value the original passed.
        DistributionPointName pointName = new DistributionPointName(toGeneralNames(str, GeneralName.uniformResourceIdentifier));
        GeneralNames crlIssuer = null;
        if (x500Name != null) {
            crlIssuer = new GeneralNames(new GeneralName(x500Name));
        }
        DistributionPoint point = new DistributionPoint(pointName, null, crlIssuer);
        CRLDistPoint crlDistPoint = new CRLDistPoint(new DistributionPoint[]{point});
        x509v3CertificateBuilder.addExtension(Extension.cRLDistributionPoints, false, (ASN1Encodable) crlDistPoint);
    }

    /**
     * Generates a random, positive certificate serial number of fixed length.
     *
     * <p>Sixteen bytes are drawn from {@code CryptoUtils.newSecureRandom()}. The top two bits of
     * the first byte are then forced to {@code 01}: the cleared sign bit keeps the big-endian
     * two's-complement value positive, and the set bit below it means the value always occupies
     * the full 16 bytes. The remaining 126 bits are random.
     *
     * @return the serial number
     */
    private final BigInteger generateCertificateSerialNumber() {
        final byte[] serialBytes = new byte[16];
        CryptoUtils.newSecureRandom().nextBytes(serialBytes);
        // Keep the low six bits, clear the sign bit, set bit 6.
        serialBytes[0] = (byte) ((serialBytes[0] & 0x3F) | 0x40);
        return new BigInteger(serialBytes);
    }

    /**
     * Wraps a single string in a {@code GeneralNames} structure.
     *
     * @param string value of the general name
     * @param i      tag number passed to the {@code GeneralName} constructor, selecting the kind
     *               of name
     * @return a {@code GeneralNames} holding exactly one {@code GeneralName}
     */
    @NotNull
    public final GeneralNames toGeneralNames(@NotNull String string, int i) {
        Intrinsics.checkParameterIsNotNull(string, "string");
        GeneralName single = new GeneralName(i, string);
        return new GeneralNames(single);
    }

    /**
     * Compiler-generated default-argument bridge for {@code toGeneralNames}.
     *
     * <p>When bit 2 of {@code i2} is set the caller omitted the tag number, and tag 4
     * ({@code GeneralName.directoryName}) is used.
     *
     * @param x509Utilities receiver the call is forwarded to
     * @param i2            bit mask of omitted arguments
     * @param obj           unused marker argument
     * @return the result of the forwarded {@code toGeneralNames} call
     */
    @NotNull
    public static /* bridge */ /* synthetic */ GeneralNames toGeneralNames$default(X509Utilities x509Utilities, String str, int i, int i2, Object obj) {
        final int tagNumber = (i2 & 2) != 0 ? GeneralName.directoryName : i;
        return x509Utilities.toGeneralNames(str, tagNumber);
    }

    /**
     * Private no-argument constructor: instances cannot be created from outside this class.
     * NOTE(review): presumably backs a Kotlin {@code object} singleton - confirm against the
     * class header, which is outside this view.
     */
    private X509Utilities() {
    }
}
