package io.iohk.scalanet.peergroup.dynamictls;

import io.iohk.scalanet.crypto.CryptoUtils$;
import io.iohk.scalanet.crypto.CryptoUtils$SHA256withECDSA$;
import io.iohk.scalanet.peergroup.dynamictls.CustomTlsValidator;
import io.iohk.scalanet.peergroup.dynamictls.DynamicTLSExtension;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.Set;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X962Parameters;
import org.joda.time.DateTime;
import scala.MatchError;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Tuple2;
import scala.collection.ArrayOps$;
import scala.package$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Either;
import scala.util.Either$;
import scala.util.Failure;
import scala.util.Left;
import scala.util.Right;
import scala.util.Success;
import scala.util.Try;
import scala.util.Try$;
import scodec.bits.BitVector;

/* compiled from: CustomTlsValidator.scala */
/* loaded from: input_file:io/iohk/scalanet/peergroup/dynamictls/CustomTlsValidator$.class */
/**
 * Decompiled (JADX) Java view of the Scala object {@code CustomTlsValidator}.
 *
 * <p>Validates the X.509 certificate array a peer presents under the dynamic-TLS scheme:
 * exactly one self-signed certificate, signed with SHA256withECDSA, carrying an EC key on a
 * named curve, and a {@link DynamicTLSExtension.SignedKey} extension whose signature verifies
 * against that key. Every check returns a Scala {@code Either}, with a
 * {@link CustomTlsValidator.CertificateError} on the left and the check's result on the right;
 * {@link #validateCertificates} chains them and short-circuits on the first {@code Left}.
 *
 * <p>NOTE(review): presumably invoked from a custom {@code TrustManager} during the TLS
 * handshake — confirm against the caller. The names {@code package$}, {@code Try$},
 * {@code Either$}, {@code BoxesRunTime} etc. are Scala runtime support types.
 */
public final class CustomTlsValidator$ {
    // Scala singleton object instance; the constructor is private (see bottom of class).
    public static final CustomTlsValidator$ MODULE$ = new CustomTlsValidator$();

    /**
     * Checks that the node id derived from the signed key's public key equals the expected one.
     *
     * @param signedKey parsed signed-key extension; its public key is the one the id is derived from
     * @param bitVector expected server node id (may be {@code null}; a {@code null} id only matches
     *                  a {@code null} expectation)
     * @return {@code Right(Unit)} on match, {@code Left(ServerIdNotMatchExpected)} otherwise
     */
    private Either<CustomTlsValidator$ServerIdNotMatchExpected$, BoxedUnit> validateServerId(DynamicTLSExtension.SignedKey signedKey, BitVector bitVector) {
        Either$ Either = package$.MODULE$.Either();
        BitVector nodeId = DynamicTLSExtension$ExtensionPublicKey$.MODULE$.ExtensionPublicKeyOps(signedKey.publicKey()).getNodeId();
        // Null-safe `==` as emitted by scalac; the compared value is derived from a public key,
        // so a non-constant-time comparison is not a concern here.
        return Either.cond(nodeId != null ? nodeId.equals(bitVector) : bitVector == null, () -> {
        }, () -> {
            return CustomTlsValidator$ServerIdNotMatchExpected$.MODULE$;
        });
    }

    /**
     * Requires the presented chain to consist of exactly one certificate.
     *
     * <p>Longer chains are rejected outright rather than walked: the single certificate is
     * expected to be self-signed (enforced later by {@link #validateCertificateSelfSig}).
     *
     * @param x509CertificateArr certificates presented by the peer
     * @return {@code Right(theOnlyCertificate)} or {@code Left(WrongNumberOfCertificates)}
     */
    private Either<CustomTlsValidator.CertificateError, X509Certificate> validateCertificatesQuantity(X509Certificate[] x509CertificateArr) {
        return package$.MODULE$.Either().cond(x509CertificateArr.length == 1, () -> {
            return (X509Certificate) ArrayOps$.MODULE$.head$extension(Predef$.MODULE$.refArrayOps(x509CertificateArr));
        }, () -> {
            return CustomTlsValidator$WrongNumberOfCertificates$.MODULE$;
        });
    }

    /**
     * Verifies the certificate's signature with the certificate's own public key (self-signature).
     *
     * <p>Any exception raised by {@code verify} — bad signature, unsupported algorithm, provider
     * error — is captured by {@code Try} and mapped to {@code WrongCertificateSelfSignature}; the
     * underlying cause is discarded.
     *
     * @param x509Certificate certificate to check
     * @return {@code Right(Unit)} if the self-signature verifies, {@code Left(WrongCertificateSelfSignature)} otherwise
     */
    private Either<CustomTlsValidator.CertificateError, BoxedUnit> validateCertificateSelfSig(X509Certificate x509Certificate) {
        Left apply;
        Try apply2 = Try$.MODULE$.apply(() -> {
            x509Certificate.verify(x509Certificate.getPublicKey());
        });
        if (apply2 instanceof Failure) {
            apply = package$.MODULE$.Left().apply(CustomTlsValidator$WrongCertificateSelfSignature$.MODULE$);
        } else {
            // Try is sealed (Success | Failure) in Scala; this MatchError branch is the
            // compiler's exhaustiveness fallback and is not expected to be reachable.
            if (!(apply2 instanceof Success)) {
                throw new MatchError(apply2);
            }
            apply = package$.MODULE$.Right().apply(BoxedUnit.UNIT);
        }
        return apply;
    }

    /**
     * Checks that the certificate's validity period covers the current wall-clock time.
     *
     * <p>Uses the system clock via Joda {@code DateTime.now()}; {@code checkValidity} throws for
     * both expired and not-yet-valid certificates, and either case maps to {@code WrongCertificateDate}.
     *
     * @param x509Certificate certificate to check
     * @return {@code Right(Unit)} if currently valid, {@code Left(WrongCertificateDate)} otherwise
     */
    private Either<CustomTlsValidator.CertificateError, BoxedUnit> validateCertificateDate(X509Certificate x509Certificate) {
        Left apply;
        Try apply2 = Try$.MODULE$.apply(() -> {
            x509Certificate.checkValidity(DateTime.now().toDate());
        });
        if (apply2 instanceof Failure) {
            apply = package$.MODULE$.Left().apply(CustomTlsValidator$WrongCertificateDate$.MODULE$);
        } else {
            if (!(apply2 instanceof Success)) {
                throw new MatchError(apply2);
            }
            apply = package$.MODULE$.Right().apply(BoxedUnit.UNIT);
        }
        return apply;
    }

    /**
     * Pins the certificate's signature algorithm to SHA256withECDSA (name taken from {@code CryptoUtils}).
     *
     * <p>The comparison is case-insensitive on the provider-reported algorithm name. In
     * {@link #validateCertificates} this runs before the self-signature check, so only the
     * expected algorithm ever reaches {@code verify}.
     *
     * @param x509Certificate certificate to check
     * @return {@code Right(Unit)} or {@code Left(WrongCertificateSignatureScheme)}
     */
    private Either<CustomTlsValidator.CertificateError, BoxedUnit> validateCertificateSignatureScheme(X509Certificate x509Certificate) {
        return package$.MODULE$.Either().cond(x509Certificate.getSigAlgName().equalsIgnoreCase(CryptoUtils$SHA256withECDSA$.MODULE$.name()), () -> {
        }, () -> {
            return CustomTlsValidator$WrongCertificateSignatureScheme$.MODULE$;
        });
    }

    /**
     * Verifies the signed-key extension's signature against the certificate's EC public key.
     *
     * <p>Pipeline: re-encode the certificate key as a BouncyCastle public key, extract its EC key
     * bits via {@code CryptoUtils.getEcPublicKey}, then call
     * {@code SignedKey.verifySignature(signedKey, keyBits)}. A failure at any step, or a
     * successful call that returns {@code false}, yields {@code WrongExtensionSignature}; only
     * {@code Success(true)} yields {@code Right(Unit)}.
     *
     * @param signedKey   parsed signed-key extension to verify
     * @param eCPublicKey the certificate's EC public key (already validated by {@link #validateCertificatePublicKey})
     * @return {@code Right(Unit)} if the signature verifies, {@code Left(WrongExtensionSignature)} otherwise
     */
    private Either<CustomTlsValidator.CertificateError, BoxedUnit> validateCertificateSignature(DynamicTLSExtension.SignedKey signedKey, ECPublicKey eCPublicKey) {
        Left apply;
        // Decompiler artifact: the local is typed `Success` but the flatMap chain can produce a
        // Failure, which is why it is tested with `instanceof Failure` below.
        Success flatMap = CryptoUtils$.MODULE$.getBouncyCastlePubKey(eCPublicKey.getEncoded(), eCPublicKey.getAlgorithm()).flatMap(publicKey -> {
            return CryptoUtils$.MODULE$.getEcPublicKey(publicKey).flatMap(bitVector -> {
                return Try$.MODULE$.apply(() -> {
                    return DynamicTLSExtension$SignedKey$.MODULE$.verifySignature(signedKey, bitVector);
                }).map(obj -> {
                    // Identity map over the boxed boolean (see $anonfun$validateCertificateSignature$4).
                    return BoxesRunTime.boxToBoolean($anonfun$validateCertificateSignature$4(BoxesRunTime.unboxToBoolean(obj)));
                });
            });
        });
        // Scala source pattern `case Failure(_) | Success(false)` as rendered by JADX.
        if (flatMap instanceof Failure ? true : (flatMap instanceof Success) && false == BoxesRunTime.unboxToBoolean(flatMap.value())) {
            apply = package$.MODULE$.Left().apply(CustomTlsValidator$WrongExtensionSignature$.MODULE$);
        } else {
            // Remaining case is `Success(true)`; anything else is the exhaustiveness fallback.
            if (!(flatMap instanceof Success) || true != BoxesRunTime.unboxToBoolean(flatMap.value())) {
                throw new MatchError(flatMap);
            }
            apply = package$.MODULE$.Right().apply(BoxedUnit.UNIT);
        }
        return apply;
    }

    /**
     * Checks that the certificate key is an EC key whose curve is encoded as a named curve.
     *
     * <p>The key is cast to {@link ECPublicKey} and its encoded {@code SubjectPublicKeyInfo} is
     * parsed so the algorithm parameters can be read as {@code X962Parameters}. A failed cast,
     * a parse error, or parameters that are not a named curve (explicit or implicit curve
     * encodings) all map to {@code WrongCertificateKeyFormat}; requiring a named curve also keeps
     * peer-supplied explicit curve parameters out of the verification path.
     *
     * <p>NOTE(review): which named curve is accepted is not checked here — presumably constrained
     * in {@code CryptoUtils.getEcPublicKey} or by the TLS layer; confirm.
     *
     * @param x509Certificate certificate whose key is inspected
     * @return {@code Right(ecPublicKey)} or {@code Left(WrongCertificateKeyFormat)}
     */
    public Either<CustomTlsValidator.CertificateError, ECPublicKey> validateCertificatePublicKey(X509Certificate x509Certificate) {
        Right apply;
        Tuple2 tuple2;
        PublicKey publicKey = x509Certificate.getPublicKey();
        Success apply2 = Try$.MODULE$.apply(() -> {
            ECPublicKey eCPublicKey = (ECPublicKey) publicKey;
            return new Tuple2(eCPublicKey, X962Parameters.getInstance(SubjectPublicKeyInfo.getInstance(ASN1Primitive.fromByteArray(eCPublicKey.getEncoded())).getAlgorithm().getParameters()));
        });
        if ((apply2 instanceof Success) && (tuple2 = (Tuple2) apply2.value()) != null) {
            ECPublicKey eCPublicKey = (ECPublicKey) tuple2._1();
            if (((X962Parameters) tuple2._2()).isNamedCurve()) {
                apply = package$.MODULE$.Right().apply(eCPublicKey);
                return apply;
            }
        }
        apply = package$.MODULE$.Left().apply(CustomTlsValidator$WrongCertificateKeyFormat$.MODULE$);
        return apply;
    }

    /**
     * Fetches a certificate extension by OID.
     *
     * @param x509Certificate certificate to read from
     * @param str             extension OID
     * @return {@code Right(value)} with the raw bytes returned by {@code getExtensionValue}
     *         (the DER-encoded extension value), or {@code Left(NoCertExtension)} when absent
     */
    private Either<CustomTlsValidator.CertificateError, byte[]> getCertificateExtension(X509Certificate x509Certificate, String str) {
        return Option$.MODULE$.apply(x509Certificate.getExtensionValue(str)).toRight(() -> {
            return CustomTlsValidator$NoCertExtension$.MODULE$;
        });
    }

    /**
     * Rejects certificates carrying critical extensions this validator does not understand.
     *
     * <p>Accepted: no critical extensions ({@code null} or empty set), or exactly one critical
     * extension whose OID is the signed-key extension identifier. Any other critical extension
     * yields {@code NotKnownCriticalExtensions} rather than being silently ignored, matching
     * X.509 semantics for unrecognised critical extensions.
     *
     * @param x509Certificate certificate to check
     * @return {@code Right(Unit)} or {@code Left(NotKnownCriticalExtensions)}
     */
    public Either<CustomTlsValidator.CertificateError, BoxedUnit> validateOnlyKnownCriticalExtensions(X509Certificate x509Certificate) {
        Set<String> criticalExtensionOIDs = x509Certificate.getCriticalExtensionOIDs();
        return package$.MODULE$.Either().cond(criticalExtensionOIDs == null || criticalExtensionOIDs.size() == 0 || (criticalExtensionOIDs.size() == 1 && criticalExtensionOIDs.contains(DynamicTLSExtension$SignedKey$.MODULE$.extensionIdentifier())), () -> {
        }, () -> {
            return CustomTlsValidator$NotKnownCriticalExtensions$.MODULE$;
        });
    }

    /**
     * Runs the full validation pipeline over the presented certificates.
     *
     * <p>Order (each step short-circuits on {@code Left}): exactly one certificate →
     * signature scheme → self-signature → validity dates → EC named-curve key →
     * only known critical extensions → signed-key extension present → extension parses →
     * extension signature verifies against the certificate key → (only if {@code option} is
     * defined) derived node id equals the expected one.
     *
     * @param x509CertificateArr certificates presented by the peer
     * @param option             expected server node id; {@code None} skips the server-id check
     *                           (client-side certificates presumably — confirm with callers)
     * @return {@code Right(signedKey)} with the parsed extension, or the first {@code Left(error)}
     */
    public Either<CustomTlsValidator.CertificateError, DynamicTLSExtension.SignedKey> validateCertificates(X509Certificate[] x509CertificateArr, Option<BitVector> option) {
        return validateCertificatesQuantity(x509CertificateArr).flatMap(x509Certificate -> {
            return MODULE$.validateCertificateSignatureScheme(x509Certificate).flatMap(boxedUnit -> {
                return MODULE$.validateCertificateSelfSig(x509Certificate).flatMap(boxedUnit -> {
                    return MODULE$.validateCertificateDate(x509Certificate).flatMap(boxedUnit -> {
                        return MODULE$.validateCertificatePublicKey(x509Certificate).flatMap(eCPublicKey -> {
                            return MODULE$.validateOnlyKnownCriticalExtensions(x509Certificate).flatMap(boxedUnit -> {
                                return MODULE$.getCertificateExtension(x509Certificate, DynamicTLSExtension$SignedKey$.MODULE$.extensionIdentifier()).flatMap(bArr -> {
                                    return MODULE$.validateSignedKeyExtension(bArr);
                                }).flatMap(signedKey -> {
                                    return MODULE$.validateCertificateSignature(signedKey, eCPublicKey).flatMap(boxedUnit -> {
                                        // Server-id check is optional: with `None` it is replaced by Right(Unit).
                                        return (option.isDefined() ? MODULE$.validateServerId(signedKey, (BitVector) option.get()) : package$.MODULE$.Right().apply(BoxedUnit.UNIT)).map(boxedUnit -> {
                                            return signedKey;
                                        });
                                    });
                                });
                            });
                        });
                    });
                });
            });
        });
    }

    /**
     * Parses the raw signed-key extension bytes into a {@link DynamicTLSExtension.SignedKey}.
     *
     * <p>Any parse failure is collapsed to {@code WrongExtensionFormat}; the original error
     * ({@code err}) is dropped.
     *
     * @param bArr extension value as returned by {@link #getCertificateExtension}
     * @return {@code Right(signedKey)} or {@code Left(WrongExtensionFormat)}
     */
    /* JADX INFO: Access modifiers changed from: private */
    public Either<CustomTlsValidator.CertificateError, DynamicTLSExtension.SignedKey> validateSignedKeyExtension(byte[] bArr) {
        return DynamicTLSExtension$SignedKey$.MODULE$.parseAsn1EncodedValue(bArr).toEither().left().map(err -> {
            return CustomTlsValidator$WrongExtensionFormat$.MODULE$;
        });
    }

    /** Compiler-generated identity lambda used by {@link #validateCertificateSignature}. */
    public static final /* synthetic */ boolean $anonfun$validateCertificateSignature$4(boolean z) {
        return z;
    }

    /** Private: the only instance is {@link #MODULE$}. */
    private CustomTlsValidator$() {
    }
}
