package net.corda.nodeapi.internal.protonwrapper.netty;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SniHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.DomainWildcardMappingBuilder;
import io.netty.util.Mapping;
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathChecker;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.TuplesKt;
import kotlin.TypeCastException;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.collections.MapsKt;
import kotlin.collections.SetsKt;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.StringCompanionObject;
import kotlin.text.StringsKt;
import net.bytebuddy.implementation.auxiliary.TypeProxy;
import net.corda.core.crypto.CryptoUtils;
import net.corda.core.crypto.SecureHash;
import net.corda.core.identity.CordaX500Name;
import net.corda.core.utilities.EncodingUtils;
import net.corda.core.utilities.NetworkHostAndPort;
import net.corda.nodeapi.internal.ArtemisTcpTransport;
import net.corda.nodeapi.internal.config.CertificateStore;
import net.corda.nodeapi.internal.crypto.X509UtilitiesKt;
import net.corda.nodeapi.internal.protonwrapper.netty.RevocationConfig;
import net.corda.nodeapi.internal.protonwrapper.netty.revocation.ExternalSourceRevocationChecker;
import org.apache.activemq.artemis.core.server.balancing.targets.TargetKeyResolver;
import org.apache.logging.log4j.core.LoggerContext;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* compiled from: SSLHelper.kt */
@Metadata(mv = {1, 1, 11}, bv = {1, 0, 2}, k = 2, d1 = {"��\u008a\u0001\n��\n\u0002\u0010\u000e\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u0011\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\"\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0010$\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u0002\n��\u001a\u001d\u0010\t\u001a\u00020\u00012\u0010\u0010\n\u001a\f\u0012\u0006\b\u0001\u0012\u00020\f\u0018\u00010\u000b¢\u0006\u0002\u0010\r\u001a\u0016\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013\u001a6\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\f\u0010\u0018\u001a\b\u0012\u0004\u0012\u00020\u001a0\u00192\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u001b\u001a\u00020\u001cH��\u001a.\u0010\u001d\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\f\u0010\u0018\u001a\b\u0012\u0004\u0012\u00020\u001a0\u00192\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013H��\u001a \u0010\u001e\u001a\u00020\u00152\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u001b\u001a\u00020\u001cH��\u001a$\u0010\u001f\u001a\u00020 2\u0012\u0010!\u001a\u000e\u0012\u0004\u0012\u00020\u0001\u0012\u0004\u0012\u00020\u00110\"2\u0006\u0010\u0012\u001a\u00020\u0013H��\u001a 
\u0010#\u001a\u00020\u00152\u0006\u0010$\u001a\u00020%2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013H��\u001a\u0018\u0010&\u001a\u00020'2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013H\u0002\u001a\u0016\u0010(\u001a\u00020)2\u0006\u0010*\u001a\u00020%2\u0006\u0010+\u001a\u00020,\u001a\u001c\u0010-\u001a\u000e\u0012\u0004\u0012\u00020\u0001\u0012\u0004\u0012\u00020.0\"2\u0006\u0010/\u001a\u000200H��\u001a\u0010\u00101\u001a\u00020\u00012\u0006\u00102\u001a\u00020\u001aH��\u001a\u0012\u00103\u001a\n\u0012\u0004\u0012\u00020\u0001\u0018\u00010\u0019*\u00020\f\u001a\n\u00104\u001a\u00020\u0001*\u00020\f\u001a\u0012\u00105\u001a\u000206*\u00020\u00112\u0006\u0010$\u001a\u00020%\u001a\u0012\u00105\u001a\u000206*\u00020\u00132\u0006\u0010*\u001a\u00020%\"\u000e\u0010��\u001a\u00020\u0001X\u0080T¢\u0006\u0002\n��\"\u000e\u0010\u0002\u001a\u00020\u0001X\u0080T¢\u0006\u0002\n��\"\u000e\u0010\u0003\u001a\u00020\u0001X\u0082T¢\u0006\u0002\n��\"\u001c\u0010\u0004\u001a\n \u0006*\u0004\u0018\u00010\u00050\u0005X\u0080\u0004¢\u0006\b\n��\u001a\u0004\b\u0007\u0010\b¨\u00067"}, d2 = {TargetKeyResolver.DEFAULT_KEY_VALUE, "", "DP_DEFAULT_ANSWER", "HOSTNAME_FORMAT", "logger", "Lorg/slf4j/Logger;", "kotlin.jvm.PlatformType", "getLogger", "()Lorg/slf4j/Logger;", "certPathToString", "certPath", "", "Ljava/security/cert/X509Certificate;", "([Ljava/security/cert/X509Certificate;)Ljava/lang/String;", "createAndInitSslContext", "Ljavax/net/ssl/SSLContext;", "keyManagerFactory", "Ljavax/net/ssl/KeyManagerFactory;", "trustManagerFactory", "Ljavax/net/ssl/TrustManagerFactory;", "createClientOpenSslHandler", "Lio/netty/handler/ssl/SslHandler;", TypeProxy.INSTANCE_FIELD, "Lnet/corda/core/utilities/NetworkHostAndPort;", "expectedRemoteLegalNames", "", "Lnet/corda/core/identity/CordaX500Name;", "alloc", "Lio/netty/buffer/ByteBufAllocator;", "createClientSslHelper", "createServerOpenSslHandler", "createServerSNIOpenSslHandler", 
"Lio/netty/handler/ssl/SniHandler;", "keyManagerFactoriesMap", "", "createServerSslHandler", "keyStore", "Lnet/corda/nodeapi/internal/config/CertificateStore;", "getServerSslContextBuilder", "Lio/netty/handler/ssl/SslContextBuilder;", "initialiseTrustStoreAndEnableCrlChecking", "Ljavax/net/ssl/ManagerFactoryParameters;", "trustStore", "revocationConfig", "Lnet/corda/nodeapi/internal/protonwrapper/netty/RevocationConfig;", "splitKeystore", "Lnet/corda/nodeapi/internal/protonwrapper/netty/CertHoldingKeyManagerFactoryWrapper;", LoggerContext.PROPERTY_CONFIG, "Lnet/corda/nodeapi/internal/protonwrapper/netty/AMQPConfiguration;", "x500toHostName", "x500Name", "distributionPoints", "distributionPointsToString", "init", "", "node-api"})
/* loaded from: input_file:corda-node-api-4.9.2.jar:net/corda/nodeapi/internal/protonwrapper/netty/SSLHelperKt.class */
public final class SSLHelperKt {
    // Template for the synthetic host name produced by x500toHostName; the single %s is the
    // truncated, lower-cased hash of the X.500 name.
    private static final String HOSTNAME_FORMAT = "%s.corda.net";

    // NOTE(review): not referenced by any method in this class; its consumers are outside this file.
    @NotNull
    public static final String DEFAULT = "default";

    // Placeholder text used when a certificate carries no CRL distribution point extension:
    // logged by distributionPoints and returned by distributionPointsToString.
    @NotNull
    public static final String DP_DEFAULT_ANSWER = "NO CRLDP ext";
    // Shared SLF4J logger, registered under the name "…netty.SSLHelper" rather than this class's name.
    private static final Logger logger = LoggerFactory.getLogger("net.corda.nodeapi.internal.protonwrapper.netty.SSLHelper");

    /** Returns the logger shared by the helpers in this class. */
    public static final Logger getLogger() {
        return logger;
    }

    /**
     * Collects the URI-typed CRL distribution points declared in a certificate's
     * cRLDistributionPoints extension.
     *
     * <p>Only distribution points expressed as a full name are considered, and of their general
     * names only those tagged as a uniform resource identifier are returned. The strings are
     * copied verbatim from the certificate: nothing here validates them or checks that the
     * certificate is trusted, so callers should treat them as untrusted text (for example when
     * writing them to a log).
     *
     * @param receiver certificate to inspect
     * @return the URI strings found; an empty set when the extension is absent or does not decode
     *     to the expected ASN.1 types (those cases are logged at error level). The method is
     *     annotated {@code @Nullable}, but no path visible here returns {@code null}.
     */
    @Nullable
    public static final Set<String> distributionPoints(@NotNull X509Certificate receiver) {
        Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
        logger.debug("Checking CRLDPs for " + receiver.getSubjectX500Principal());
        ASN1ObjectIdentifier crlDpOid = Extension.cRLDistributionPoints;
        Intrinsics.checkExpressionValueIsNotNull(crlDpOid, "Extension.cRLDistributionPoints");
        byte[] rawExtension = receiver.getExtensionValue(crlDpOid.getId());
        if (rawExtension == null) {
            logger.debug(DP_DEFAULT_ANSWER);
            return SetsKt.emptySet();
        }

        // getExtensionValue hands back the extension wrapped in an OCTET STRING; unwrap it first.
        ASN1Primitive wrapper = new ASN1InputStream(new ByteArrayInputStream(rawExtension)).readObject();
        if (!(wrapper instanceof DEROctetString)) {
            logger.error("Expected to have DEROctetString, actual type: " + wrapper.getClass());
            return SetsKt.emptySet();
        }
        byte[] extensionBody = ((DEROctetString) wrapper).getOctets();
        ASN1Primitive decodedBody = new ASN1InputStream(new ByteArrayInputStream(extensionBody)).readObject();
        CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(decodedBody);
        if (crlDistPoint == null) {
            logger.error("Could not instantiate CRLDistPoint, from: " + decodedBody);
            return SetsKt.emptySet();
        }

        DistributionPoint[] declaredPoints = crlDistPoint.getDistributionPoints();
        Intrinsics.checkExpressionValueIsNotNull(declaredPoints, "distPoint.distributionPoints");

        // Keep only distribution points that carry a name, and of those only the full-name form.
        List<DistributionPointName> fullNames = new ArrayList<>();
        for (DistributionPoint point : declaredPoints) {
            Intrinsics.checkExpressionValueIsNotNull(point, "it");
            DistributionPointName pointName = point.getDistributionPoint();
            if (pointName != null && pointName.getType() == DistributionPointName.FULL_NAME) {
                fullNames.add(pointName);
            }
        }

        // Flatten every full name into its individual general names.
        List<GeneralName> generalNames = new ArrayList<>();
        for (DistributionPointName fullName : fullNames) {
            GeneralNames container = GeneralNames.getInstance(fullName.getName());
            Intrinsics.checkExpressionValueIsNotNull(container, "GeneralNames.getInstance(it.name)");
            GeneralName[] contained = container.getNames();
            Intrinsics.checkExpressionValueIsNotNull(contained, "GeneralNames.getInstance(it.name).names");
            generalNames.addAll(Arrays.asList(contained));
        }

        // Only URI entries are of interest; directory names, e-mail addresses etc. are dropped.
        List<GeneralName> uriNames = new ArrayList<>();
        for (GeneralName candidate : generalNames) {
            Intrinsics.checkExpressionValueIsNotNull(candidate, "it");
            if (candidate.getTagNo() == GeneralName.uniformResourceIdentifier) {
                uriNames.add(candidate);
            }
        }

        List<String> uris = new ArrayList<>(uriNames.size());
        for (GeneralName uriName : uriNames) {
            Intrinsics.checkExpressionValueIsNotNull(uriName, "it");
            DERIA5String encoded = DERIA5String.getInstance(uriName.getName());
            Intrinsics.checkExpressionValueIsNotNull(encoded, "DERIA5String.getInstance(it.name)");
            uris.add(encoded.getString());
        }
        return CollectionsKt.toSet(uris);
    }

    /**
     * Renders a certificate's CRL distribution point URIs as one sorted, joined string.
     *
     * @param receiver certificate to inspect
     * @return the sorted URIs joined with the Kotlin default separator, or
     *     {@link #DP_DEFAULT_ANSWER} when {@link #distributionPoints} yields nothing
     */
    @NotNull
    public static final String distributionPointsToString(@NotNull X509Certificate receiver) {
        Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
        Set<String> uris = distributionPoints(receiver);
        if (uris == null || uris.isEmpty()) {
            return DP_DEFAULT_ANSWER;
        }
        // Sorting keeps the rendered text stable regardless of the order in the certificate.
        return CollectionsKt.joinToString$default(CollectionsKt.sorted(uris), null, null, null, 0, null, null, 63, null);
    }

    /**
     * Produces a multi-line, human-readable description of a certificate chain.
     *
     * <p>Each certificate becomes one line of the form
     * {@code "  <subject>[<subjectKeyId>] issued by <issuer>[<authorityKeyId>] [<CRL distribution points>]"};
     * lines are separated by CRLF.
     *
     * <p>Every field is taken from the certificates as-is. NOTE(review): if this is applied to a
     * peer chain that has not passed validation yet, the subject, issuer and CRLDP text is
     * peer-controlled; callers that log the result should keep that in mind.
     *
     * @param x509CertificateArr the chain to describe, may be {@code null}
     * @return the description, or {@code "<empty certpath>"} for a {@code null} chain
     */
    @NotNull
    public static final String certPathToString(@Nullable X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null) {
            return "<empty certpath>";
        }
        List<String> lines = new ArrayList<>(x509CertificateArr.length);
        for (X509Certificate cert : x509CertificateArr) {
            X509CertificateHolder holder = X509UtilitiesKt.toBc(cert);
            String subject = holder.getSubject().toString();
            String issuer = holder.getIssuer().toString();

            // Best effort: any failure to read the key identifier is rendered as the text "null".
            String subjectKeyId;
            try {
                Extension skiExtension = holder.getExtension(Extension.subjectKeyIdentifier);
                Intrinsics.checkExpressionValueIsNotNull(skiExtension, "bcCert.getExtension(Exte…ion.subjectKeyIdentifier)");
                SubjectKeyIdentifier ski = SubjectKeyIdentifier.getInstance(skiExtension.getParsedValue());
                Intrinsics.checkExpressionValueIsNotNull(ski, "SubjectKeyIdentifier.get…yIdentifier).parsedValue)");
                byte[] skiBytes = ski.getKeyIdentifier();
                Intrinsics.checkExpressionValueIsNotNull(skiBytes, "SubjectKeyIdentifier.get…arsedValue).keyIdentifier");
                subjectKeyId = EncodingUtils.toHex(skiBytes);
            } catch (Exception ignored) {
                subjectKeyId = "null";
            }

            // Same best-effort treatment for the issuer's key identifier.
            String authorityKeyId;
            try {
                Extension akiExtension = holder.getExtension(Extension.authorityKeyIdentifier);
                Intrinsics.checkExpressionValueIsNotNull(akiExtension, "bcCert.getExtension(Exte…n.authorityKeyIdentifier)");
                AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(akiExtension.getParsedValue());
                Intrinsics.checkExpressionValueIsNotNull(aki, "AuthorityKeyIdentifier.g…yIdentifier).parsedValue)");
                byte[] akiBytes = aki.getKeyIdentifier();
                Intrinsics.checkExpressionValueIsNotNull(akiBytes, "AuthorityKeyIdentifier.g…arsedValue).keyIdentifier");
                authorityKeyId = EncodingUtils.toHex(akiBytes);
            } catch (Exception ignored) {
                authorityKeyId = "null";
            }

            StringBuilder line = new StringBuilder();
            line.append("  ").append(subject).append('[').append(subjectKeyId);
            line.append("] issued by ").append(issuer).append('[').append(authorityKeyId);
            line.append("] [").append(distributionPointsToString(cert)).append(']');
            lines.add(line.toString());
        }
        return CollectionsKt.joinToString$default(lines, "\r\n", null, null, 0, null, null, 62, null);
    }

    /**
     * Creates a client-side Netty {@link SslHandler} backed by the JDK TLS engine.
     *
     * <p>The engine is restricted to the protocol versions and cipher suites published by
     * {@code ArtemisTcpTransport}. An SNI host name derived via {@link #x500toHostName} is sent
     * only when exactly one expected legal name is supplied.
     *
     * <p>NOTE(review): no endpoint identification algorithm is configured on the
     * {@link SSLParameters}, and {@code expectedRemoteLegalNames} is used here for SNI only. The
     * peer's legal name is presumably verified elsewhere after the handshake; confirm that check
     * exists before relying on this handler for peer authentication.
     *
     * @param target remote host and port, passed to the engine as peer hints
     * @param expectedRemoteLegalNames legal names the caller expects at the remote end
     * @param keyManagerFactory source of the client's key material
     * @param trustManagerFactory source of the trust managers used to validate the server
     * @return a handler wrapping the configured engine
     */
    @NotNull
    public static final SslHandler createClientSslHelper(@NotNull NetworkHostAndPort target, @NotNull Set<CordaX500Name> expectedRemoteLegalNames, @NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkParameterIsNotNull(target, "target");
        Intrinsics.checkParameterIsNotNull(expectedRemoteLegalNames, "expectedRemoteLegalNames");
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");

        SSLContext context = createAndInitSslContext(keyManagerFactory, trustManagerFactory);
        SSLEngine engine = context.createSSLEngine(target.getHost(), target.getPort());
        Intrinsics.checkExpressionValueIsNotNull(engine, "sslEngine");
        engine.setUseClientMode(true);

        List<String> allowedProtocols = ArtemisTcpTransport.Companion.getTLS_VERSIONS();
        if (allowedProtocols == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        engine.setEnabledProtocols(allowedProtocols.toArray(new String[0]));

        List<String> allowedCiphers = ArtemisTcpTransport.Companion.getCIPHER_SUITES();
        if (allowedCiphers == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        engine.setEnabledCipherSuites(allowedCiphers.toArray(new String[0]));
        engine.setEnableSessionCreation(true);

        // SNI can name only one server identity, so it is skipped for zero or several candidates.
        if (expectedRemoteLegalNames.size() == 1) {
            CordaX500Name onlyName = (CordaX500Name) CollectionsKt.single(expectedRemoteLegalNames);
            SSLParameters params = engine.getSSLParameters();
            Intrinsics.checkExpressionValueIsNotNull(params, "sslParameters");
            params.setServerNames(CollectionsKt.listOf(new SNIHostName(x500toHostName(onlyName))));
            engine.setSSLParameters(params);
        }
        return new SslHandler(engine, false, LoggingImmediateExecutor.INSTANCE);
    }

    /**
     * Creates a client-side Netty {@link SslHandler} backed by the OpenSSL provider.
     *
     * <p>The trust manager factory is wrapped in {@code LoggingTrustManagerFactoryWrapper}, and
     * the engine is restricted to the protocol versions and cipher suites published by
     * {@code ArtemisTcpTransport}. An SNI host name derived via {@link #x500toHostName} is sent
     * only when exactly one expected legal name is supplied.
     *
     * <p>NOTE(review): as in the JDK-engine variant, no endpoint identification algorithm is set
     * and {@code expectedRemoteLegalNames} only drives SNI here; confirm the peer's legal name is
     * checked elsewhere.
     *
     * @param target remote host and port, passed to the engine as peer hints
     * @param expectedRemoteLegalNames legal names the caller expects at the remote end
     * @param keyManagerFactory source of the client's key material
     * @param trustManagerFactory source of the trust managers used to validate the server
     * @param alloc buffer allocator handed to the engine
     * @return a handler wrapping the configured engine
     */
    @NotNull
    public static final SslHandler createClientOpenSslHandler(@NotNull NetworkHostAndPort target, @NotNull Set<CordaX500Name> expectedRemoteLegalNames, @NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory, @NotNull ByteBufAllocator alloc) {
        Intrinsics.checkParameterIsNotNull(target, "target");
        Intrinsics.checkParameterIsNotNull(expectedRemoteLegalNames, "expectedRemoteLegalNames");
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");
        Intrinsics.checkParameterIsNotNull(alloc, "alloc");

        SslContext clientContext = SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL)
                .keyManager(keyManagerFactory)
                .trustManager(new LoggingTrustManagerFactoryWrapper(trustManagerFactory))
                .build();
        SSLEngine engine = clientContext.newEngine(alloc, target.getHost(), target.getPort());
        Intrinsics.checkExpressionValueIsNotNull(engine, "sslEngine");

        List<String> allowedProtocols = ArtemisTcpTransport.Companion.getTLS_VERSIONS();
        if (allowedProtocols == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        engine.setEnabledProtocols(allowedProtocols.toArray(new String[0]));

        List<String> allowedCiphers = ArtemisTcpTransport.Companion.getCIPHER_SUITES();
        if (allowedCiphers == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        engine.setEnabledCipherSuites(allowedCiphers.toArray(new String[0]));

        // SNI can name only one server identity, so it is skipped for zero or several candidates.
        if (expectedRemoteLegalNames.size() == 1) {
            CordaX500Name onlyName = (CordaX500Name) CollectionsKt.single(expectedRemoteLegalNames);
            SSLParameters params = engine.getSSLParameters();
            Intrinsics.checkExpressionValueIsNotNull(params, "sslParameters");
            params.setServerNames(CollectionsKt.listOf(new SNIHostName(x500toHostName(onlyName))));
            engine.setSSLParameters(params);
        }
        return new SslHandler(engine, false, LoggingImmediateExecutor.INSTANCE);
    }

    /**
     * Creates a server-side Netty {@link SslHandler} backed by the JDK TLS engine.
     *
     * <p>Client certificates are mandatory ({@code setNeedClientAuth(true)}), the engine is
     * restricted to the protocol versions and cipher suites published by
     * {@code ArtemisTcpTransport}, and a {@code ServerSNIMatcher} built from {@code keyStore} is
     * installed as the only SNI matcher.
     *
     * @param keyStore certificate store handed to the SNI matcher
     * @param keyManagerFactory source of the server's key material
     * @param trustManagerFactory source of the trust managers used to validate clients
     * @return a handler wrapping the configured engine
     */
    @NotNull
    public static final SslHandler createServerSslHandler(@NotNull CertificateStore keyStore, @NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkParameterIsNotNull(keyStore, "keyStore");
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");

        SSLContext context = createAndInitSslContext(keyManagerFactory, trustManagerFactory);
        SSLEngine engine = context.createSSLEngine();
        Intrinsics.checkExpressionValueIsNotNull(engine, "sslEngine");
        engine.setUseClientMode(false);
        // Mutual TLS: the handshake fails unless the client presents a certificate.
        engine.setNeedClientAuth(true);

        List<String> allowedProtocols = ArtemisTcpTransport.Companion.getTLS_VERSIONS();
        if (allowedProtocols == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        engine.setEnabledProtocols(allowedProtocols.toArray(new String[0]));

        List<String> allowedCiphers = ArtemisTcpTransport.Companion.getCIPHER_SUITES();
        if (allowedCiphers == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        engine.setEnabledCipherSuites(allowedCiphers.toArray(new String[0]));
        engine.setEnableSessionCreation(true);

        SSLParameters params = engine.getSSLParameters();
        Intrinsics.checkExpressionValueIsNotNull(params, "sslParameters");
        params.setSNIMatchers(CollectionsKt.listOf(new ServerSNIMatcher(keyStore)));
        engine.setSSLParameters(params);
        return new SslHandler(engine, false, LoggingImmediateExecutor.INSTANCE);
    }

    /**
     * Creates a {@code "TLS"} {@link SSLContext} initialised with the given key managers and with
     * logging wrappers around the given trust managers.
     *
     * <p>Only trust managers that are {@link X509ExtendedTrustManager} instances are kept; each is
     * wrapped in a {@code LoggingTrustManagerWrapper}. Any other trust manager is silently left
     * out. If none qualifies, the context is initialised with an empty (non-null) array, which is
     * not the same as passing {@code null} (that would select the platform defaults).
     * NOTE(review): confirm the provider in use rejects all peers in that situation.
     *
     * @param keyManagerFactory source of the key managers
     * @param trustManagerFactory source of the trust managers
     * @return the initialised context
     */
    @NotNull
    public static final SSLContext createAndInitSslContext(@NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");
        SSLContext context = SSLContext.getInstance("TLS");
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
        TrustManager[] candidates = trustManagerFactory.getTrustManagers();
        Intrinsics.checkExpressionValueIsNotNull(candidates, "trustManagerFactory.trustManagers");

        List<LoggingTrustManagerWrapper> wrapped = new ArrayList<>();
        for (TrustManager candidate : candidates) {
            if (candidate instanceof X509ExtendedTrustManager) {
                wrapped.add(new LoggingTrustManagerWrapper((X509ExtendedTrustManager) candidate));
            }
        }
        LoggingTrustManagerWrapper[] trustManagers = wrapped.toArray(new LoggingTrustManagerWrapper[0]);

        context.init(keyManagers, trustManagers, CryptoUtils.newSecureRandom());
        Intrinsics.checkExpressionValueIsNotNull(context, "sslContext");
        return context;
    }

    /**
     * Builds trust-manager parameters for the given trust store and attaches a certificate
     * revocation checker selected by {@code revocationConfig.getMode()}.
     *
     * <ul>
     *   <li>{@code OFF}: installs {@code AllowAllRevocationChecker.INSTANCE} (implementation not
     *       visible here; the name indicates revocation is not enforced).</li>
     *   <li>{@code EXTERNAL_SOURCE}: installs an {@code ExternalSourceRevocationChecker} fed by the
     *       configured external CRL source and the current time.</li>
     *   <li>Any other mode: installs the JDK PKIX revocation checker restricted to CRLs
     *       ({@code PREFER_CRLS} with {@code NO_FALLBACK}), adding {@code SOFT_FAIL} when the mode
     *       is {@code SOFT_FAIL}.</li>
     * </ul>
     *
     * <p>With {@code OFF} no revocation is enforced, and with {@code SOFT_FAIL} a certificate
     * whose revocation status cannot be determined (for example because its CRL cannot be
     * fetched) is still accepted. Both settings weaken the guarantee given by revocation
     * checking and should be deliberate choices.
     *
     * @param trustStore store whose certificates act as trust anchors
     * @param revocationConfig selects the revocation mode and, for {@code EXTERNAL_SOURCE}, the CRL source
     * @return PKIX parameters wrapped for use with a {@code TrustManagerFactory}
     * @throws IllegalArgumentException if the mode is {@code EXTERNAL_SOURCE} and no external CRL source is set
     */
    @NotNull
    public static final ManagerFactoryParameters initialiseTrustStoreAndEnableCrlChecking(@NotNull CertificateStore trustStore, @NotNull RevocationConfig revocationConfig) {
        // Decompiler-chosen name and type: this local holds whichever checker the switch selects,
        // not only the external-source one.
        ExternalSourceRevocationChecker externalSourceRevocationChecker;
        Intrinsics.checkParameterIsNotNull(trustStore, "trustStore");
        Intrinsics.checkParameterIsNotNull(revocationConfig, "revocationConfig");
        // An empty X509CertSelector places no constraint on the target certificate.
        PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(trustStore.getValue().getInternal(), new X509CertSelector());
        switch (revocationConfig.getMode()) {
            case OFF:
                // Revocation checking switched off by configuration.
                externalSourceRevocationChecker = AllowAllRevocationChecker.INSTANCE;
                break;
            case EXTERNAL_SOURCE:
                // Fail fast on misconfiguration rather than running without a CRL source.
                if (!(revocationConfig.getExternalCrlSource() != null)) {
                    throw new IllegalArgumentException("externalCrlSource must not be null".toString());
                }
                ExternalCrlSource externalCrlSource = revocationConfig.getExternalCrlSource();
                if (externalCrlSource == null) {
                    Intrinsics.throwNpe();
                }
                // The supplier yields a fresh Date on every call, i.e. the wall-clock time at evaluation.
                externalSourceRevocationChecker = new ExternalSourceRevocationChecker(externalCrlSource, new Function0<Date>() { // from class: net.corda.nodeapi.internal.protonwrapper.netty.SSLHelperKt$initialiseTrustStoreAndEnableCrlChecking$revocationChecker$2
                    @Override // kotlin.jvm.functions.Function0
                    @NotNull
                    public final Date invoke() {
                        return new Date();
                    }
                });
                break;
            default:
                // Every remaining mode uses the JDK's own PKIX revocation checker.
                CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
                Intrinsics.checkExpressionValueIsNotNull(certPathBuilder, "certPathBuilder");
                CertPathChecker revocationChecker = certPathBuilder.getRevocationChecker();
                if (revocationChecker != null) {
                    PKIXRevocationChecker pKIXRevocationChecker = (PKIXRevocationChecker) revocationChecker;
                    // PREFER_CRLS + NO_FALLBACK: consult CRLs and never fall back to OCSP.
                    pKIXRevocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.NO_FALLBACK));
                    if (revocationConfig.getMode() == RevocationConfig.Mode.SOFT_FAIL) {
                        // SOFT_FAIL: an undeterminable revocation status does not fail validation.
                        Set<PKIXRevocationChecker.Option> options = pKIXRevocationChecker.getOptions();
                        Intrinsics.checkExpressionValueIsNotNull(options, "pkixRevocationChecker.options");
                        pKIXRevocationChecker.setOptions(SetsKt.plus(options, PKIXRevocationChecker.Option.SOFT_FAIL));
                    }
                    externalSourceRevocationChecker = pKIXRevocationChecker;
                    break;
                } else {
                    throw new TypeCastException("null cannot be cast to non-null type java.security.cert.PKIXRevocationChecker");
                }
        }
        pKIXBuilderParameters.addCertPathChecker(externalSourceRevocationChecker);
        return new CertPathTrustManagerParameters(pKIXBuilderParameters);
    }

    /**
     * Creates a server-side Netty {@link SslHandler} backed by the OpenSSL provider.
     *
     * <p>Protocols, cipher suites and mandatory client authentication all come from the builder
     * returned by {@code getServerSslContextBuilder}; this method only creates the engine and puts
     * it in server mode.
     *
     * @param keyManagerFactory source of the server's key material
     * @param trustManagerFactory source of the trust managers used to validate clients
     * @param alloc buffer allocator handed to the engine
     * @return a handler wrapping the configured engine
     */
    @NotNull
    public static final SslHandler createServerOpenSslHandler(@NotNull KeyManagerFactory keyManagerFactory, @NotNull TrustManagerFactory trustManagerFactory, @NotNull ByteBufAllocator alloc) {
        Intrinsics.checkParameterIsNotNull(keyManagerFactory, "keyManagerFactory");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");
        Intrinsics.checkParameterIsNotNull(alloc, "alloc");
        SslContext serverContext = getServerSslContextBuilder(keyManagerFactory, trustManagerFactory).build();
        SSLEngine engine = serverContext.newEngine(alloc);
        Intrinsics.checkExpressionValueIsNotNull(engine, "sslEngine");
        engine.setUseClientMode(false);
        return new SslHandler(engine, false, LoggingImmediateExecutor.INSTANCE);
    }

    /**
     * Creates a Netty {@link SniHandler} that selects a server TLS context by the SNI host name
     * the client sends.
     *
     * <p>One context is built per map entry, keyed by the entry's host name. The context built
     * from the first map value doubles as the mapping's default, so a client whose SNI name
     * matches no entry is served with that first identity. All contexts come from the same
     * builder and differ only in the key manager factory.
     *
     * @param keyManagerFactoriesMap host name to key manager factory; must not be empty, since the
     *     first value is taken unconditionally
     * @param trustManagerFactory source of the trust managers used to validate clients
     * @return the SNI handler
     */
    @NotNull
    public static final SniHandler createServerSNIOpenSslHandler(@NotNull Map<String, ? extends KeyManagerFactory> keyManagerFactoriesMap, @NotNull TrustManagerFactory trustManagerFactory) {
        Intrinsics.checkParameterIsNotNull(keyManagerFactoriesMap, "keyManagerFactoriesMap");
        Intrinsics.checkParameterIsNotNull(trustManagerFactory, "trustManagerFactory");
        KeyManagerFactory firstFactory = (KeyManagerFactory) CollectionsKt.first(keyManagerFactoriesMap.values());
        SslContextBuilder sharedBuilder = getServerSslContextBuilder(firstFactory, trustManagerFactory);
        // The constructor argument is the context used when no host name pattern matches.
        DomainWildcardMappingBuilder contextsByHost = new DomainWildcardMappingBuilder(sharedBuilder.build());
        for (Map.Entry<String, ? extends KeyManagerFactory> hostEntry : keyManagerFactoriesMap.entrySet()) {
            // The shared builder is re-pointed at this entry's key material before each build.
            SslContext hostContext = sharedBuilder.keyManager(hostEntry.getValue()).build();
            contextsByHost.add(hostEntry.getKey(), hostContext);
        }
        return new SniHandler((Mapping<? super String, ? extends SslContext>) contextsByHost.build());
    }

    /**
     * Prepares the OpenSSL server context builder shared by the server-side OpenSSL handlers.
     *
     * <p>The builder requires client certificates ({@code ClientAuth.REQUIRE}), wraps the trust
     * manager factory in {@code LoggingTrustManagerFactoryWrapper}, and limits cipher suites and
     * protocol versions to the lists published by {@code ArtemisTcpTransport}.
     *
     * @param keyManagerFactory source of the server's key material
     * @param trustManagerFactory source of the trust managers used to validate clients
     * @return the configured builder; callers invoke {@code build()} themselves
     */
    private static final SslContextBuilder getServerSslContextBuilder(KeyManagerFactory keyManagerFactory, TrustManagerFactory trustManagerFactory) {
        SslContextBuilder builder = SslContextBuilder.forServer(keyManagerFactory)
                .sslProvider(SslProvider.OPENSSL)
                .trustManager(new LoggingTrustManagerFactoryWrapper(trustManagerFactory))
                .clientAuth(ClientAuth.REQUIRE)
                .ciphers(ArtemisTcpTransport.Companion.getCIPHER_SUITES());
        List<String> allowedProtocols = ArtemisTcpTransport.Companion.getTLS_VERSIONS();
        if (allowedProtocols == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.util.Collection<T>");
        }
        String[] protocolArray = allowedProtocols.toArray(new String[0]);
        // A copy is handed over, as the original spread-call did.
        SslContextBuilder withProtocols = builder.protocols((String[]) Arrays.copyOf(protocolArray, protocolArray.length));
        Intrinsics.checkExpressionValueIsNotNull(withProtocols, "SslContextBuilder.forSer…_VERSIONS.toTypedArray())");
        return withProtocols;
    }

    /**
     * Splits the configured key store into one key manager factory per alias, keyed by the SNI
     * host name derived from each alias's certificate subject.
     *
     * <p>For every alias the key and certificate chain are copied into a fresh in-memory
     * {@code "JKS"} store protected with the source store's entry password, and a key manager
     * factory is initialised from it.
     *
     * <p>Security notes: the password is held in a {@code char[]} that is not cleared afterwards,
     * and every per-alias store reuses the same password. NOTE(review): {@code KeyStore.getKey}
     * returns {@code null} for an alias without a key entry; that case is not handled here, so
     * confirm the configured store contains key entries only.
     *
     * @param config AMQP configuration supplying the key store and its entry password
     * @return host name (see {@link #x500toHostName}) to wrapped key manager factory
     */
    @NotNull
    public static final Map<String, CertHoldingKeyManagerFactoryWrapper> splitKeystore(@NotNull AMQPConfiguration config) {
        Intrinsics.checkParameterIsNotNull(config, "config");
        KeyStore sourceStore = config.getKeyStore().getValue().getInternal();
        String entryPassword = config.getKeyStore().getEntryPassword();
        if (entryPassword == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        char[] password = entryPassword.toCharArray();
        Enumeration<String> aliasEnumeration = sourceStore.aliases();
        Intrinsics.checkExpressionValueIsNotNull(aliasEnumeration, "keyStore.aliases()");
        List<String> aliases = Collections.list(aliasEnumeration);

        // Raw list of kotlin Pair(hostName, factoryWrapper), turned into a map at the end.
        ArrayList hostToFactory = new ArrayList(aliases.size());
        for (String alias : aliases) {
            Key entryKey = sourceStore.getKey(alias, password);
            Certificate[] chain = sourceStore.getCertificateChain(alias);
            Certificate leaf = sourceStore.getCertificate(alias);
            Intrinsics.checkExpressionValueIsNotNull(leaf, "keyStore.getCertificate(alias)");
            X500Principal subject = X509UtilitiesKt.getX509(leaf).getSubjectX500Principal();
            Intrinsics.checkExpressionValueIsNotNull(subject, "x500Name");
            CordaX500Name legalName = CordaX500Name.Companion.build(subject);

            // Single-entry store so the resulting factory can only ever offer this identity.
            KeyStore singleEntryStore = KeyStore.getInstance("JKS");
            singleEntryStore.load(null);
            singleEntryStore.setKeyEntry(alias, entryKey, password, chain);
            KeyManagerFactory singleEntryFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            singleEntryFactory.init(singleEntryStore, password);

            String hostName = x500toHostName(legalName);
            Intrinsics.checkExpressionValueIsNotNull(singleEntryFactory, "newKeyManagerFactory");
            hostToFactory.add(TuplesKt.to(hostName, new CertHoldingKeyManagerFactoryWrapper(singleEntryFactory, config)));
        }
        return MapsKt.toMap(hostToFactory);
    }

    /**
     * Initialises a key manager factory from a certificate store, using the store's entry
     * password as the key password.
     *
     * <p>The password is converted to a {@code char[]} that is not cleared after use.
     *
     * @param receiver factory to initialise
     * @param keyStore store providing the key material and the entry password
     */
    public static final void init(@NotNull KeyManagerFactory receiver, @NotNull CertificateStore keyStore) {
        Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
        Intrinsics.checkParameterIsNotNull(keyStore, "keyStore");
        KeyStore backingStore = keyStore.getValue().getInternal();
        String entryPassword = keyStore.getEntryPassword();
        if (entryPassword == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        receiver.init(backingStore, entryPassword.toCharArray());
    }

    /**
     * Initialises a trust manager factory directly from a certificate store.
     *
     * <p>This overload passes the key store itself, so no PKIX parameters (and therefore no
     * revocation checker) are supplied through this path.
     *
     * @param receiver factory to initialise
     * @param trustStore store whose certificates become the trust anchors
     */
    public static final void init(@NotNull TrustManagerFactory receiver, @NotNull CertificateStore trustStore) {
        Intrinsics.checkParameterIsNotNull(receiver, "$receiver");
        Intrinsics.checkParameterIsNotNull(trustStore, "trustStore");
        KeyStore anchors = trustStore.getValue().getInternal();
        receiver.init(anchors);
    }

    /**
     * Derives the synthetic SNI host name for a legal name.
     *
     * <p>The name's string form is hashed with SHA-256, the first 32 characters of the hash's
     * string form are lower-cased, and the result is substituted into {@code "%s.corda.net"}.
     * The value is a deterministic identifier for anyone who knows the legal name; it is not a
     * secret and does not authenticate the peer.
     *
     * <p>NOTE(review): {@code toLowerCase()} uses the default locale. That is harmless if the hash
     * text is plain hexadecimal (presumably the case; confirm), but {@code Locale.ROOT} would make
     * the result locale-independent by construction.
     *
     * @param x500Name legal name to encode
     * @return the derived host name
     */
    @NotNull
    public static final String x500toHostName(@NotNull CordaX500Name x500Name) {
        Intrinsics.checkParameterIsNotNull(x500Name, "x500Name");
        SecureHash.SHA256 nameHash = SecureHash.Companion.sha256(x500Name.toString());
        String hashPrefix = StringsKt.take(nameHash.toString(), 32);
        if (hashPrefix == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        String hostLabel = hashPrefix.toLowerCase();
        return String.format(HOSTNAME_FORMAT, hostLabel);
    }
}
