package io.libp2p.security.tls;

import androidx.exifinterface.media.ExifInterface;
import crypto.pb.Crypto;
import io.libp2p.core.P2PChannel;
import io.libp2p.core.PeerId;
import io.libp2p.core.crypto.KeyKt;
import io.libp2p.core.crypto.PrivKey;
import io.libp2p.core.crypto.PubKey;
import io.libp2p.core.multistream.NegotiatedProtocol;
import io.libp2p.core.multistream.ProtocolBinding;
import io.libp2p.core.multistream.ProtocolMatcher;
import io.libp2p.core.mux.StreamMuxer;
import io.libp2p.core.security.SecureChannel;
import io.libp2p.crypto.Libp2pCrypto;
import io.libp2p.crypto.Libp2pCryptoKt;
import io.libp2p.crypto.keys.EcdsaKt;
import io.libp2p.crypto.keys.EcdsaPublicKey;
import io.libp2p.crypto.keys.Ed25519Kt;
import io.libp2p.crypto.keys.Ed25519PublicKey;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.Ciphers;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProtocols;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.StringsKt;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.edec.EdECObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
import org.bouncycastle.jcajce.interfaces.EdDSAPublicKey;
import org.bouncycastle.jcajce.spec.EdDSAParameterSpec;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* compiled from: TLSSecureChannel.kt */
@Metadata(d1 = {"\u0000\u008e\u0001\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0010\u0012\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0011\n\u0002\u0018\u0002\n\u0002\b\u0004\u001a\u0016\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u00142\u0006\u0010\u0015\u001a\u00020\u0014\u001aP\u0010\u0016\u001a\u00020\u00172\u0006\u0010\u0018\u001a\u00020\u00142\f\u0010\u0019\u001a\b\u0012\u0004\u0012\u00020\u001b0\u001a2\f\u0010\u001c\u001a\b\u0012\u0004\u0012\u00020\u001d0\u000b2\u0006\u0010\u001e\u001a\u00020\u00012\u0006\u0010\u001f\u001a\u00020 2\f\u0010!\u001a\b\u0012\u0004\u0012\u00020#0\"2\u0006\u0010$\u001a\u00020%\u001a\u000e\u0010&\u001a\u00020\u00042\u0006\u0010'\u001a\u00020(\u001a\u000e\u0010)\u001a\u00020*2\u0006\u0010+\u001a\u00020\u0014\u001a\u000e\u0010,\u001a\u00020(2\u0006\u0010'\u001a\u00020-\u001a\u0019\u0010.\u001a\u00020(2\f\u0010/\u001a\b\u0012\u0004\u0012\u00020100¢\u0006\u0002\u00102\u001a\u0019\u00103\u001a\u00020\u001b2\f\u0010/\u001a\b\u0012\u0004\u0012\u00020100¢\u0006\u0002\u00104\"\u000e\u0010\u0000\u001a\u00020\u0001X\u0086T¢\u0006\u0002\n\u0000\"\u000e\u0010\u0002\u001a\u00020\u0001X\u0086T¢\u0006\u0002\n\u0000\"\u0011\u0010\u0003\u001a\u00020\u0004¢\u0006\b\n\u0000\u001a\u0004\b\u0005\u0010\u0006\"\u0016\u0010\u0007\u001a\n \t*\u0004\u0018\u00010\b0\bX\u0082\u0004¢\u0006\u0002\n\u0000\"6\u0010\n\u001a\f\u0012\b\u0012\u00060\u0001j\u0002`\f0\u000b\"\f\b\u0000\u0010\r*\u0006\u0012\u0002\b\u00030\u000e*\b\u0012\u0004\u0012\u0002H\r0\u000b8BX\u0082\u0004¢\u0006\u0006\u001a\u0004\b\u000f\u0010\u0010¨\u00065"}, d2 = {"NoEarlyMuxerNegotiationEntry", "", "SetupHandlerName", "certificatePrefix", "", "getCertificatePrefix", "()[B", "log", "Ljava/util/logging/Logger;", "kotlin.jvm.PlatformType", "allProtocols", "", "Lio/libp2p/core/multistream/ProtocolId;", ExifInterface.GPS_DIRECTION_TRUE, "Lio/libp2p/core/multistream/ProtocolBinding;", "getAllProtocols", "(Ljava/util/List;)Ljava/util/List;", "buildCert", "Ljava/security/cert/X509Certificate;", "hostKey", "Lio/libp2p/core/crypto/PrivKey;", "subjectKey", "buildTlsHandler", "Lio/netty/handler/ssl/SslHandler;", "localKey", "expectedRemotePeer", "Ljava/util/Optional;", "Lio/libp2p/core/PeerId;", "muxers", "Lio/libp2p/core/mux/StreamMuxer;", "certAlgorithm", "ch", "Lio/libp2p/core/P2PChannel;", "handshakeComplete", "Ljava/util/concurrent/CompletableFuture;", "Lio/libp2p/core/security/SecureChannel$Session;", "ctx", "Lio/netty/channel/ChannelHandlerContext;", "getAsn1EncodedPublicKey", "pub", "Lio/libp2p/core/crypto/PubKey;", "getJavaKey", "Ljava/security/PrivateKey;", "priv", "getPubKey", "Ljava/security/PublicKey;", "getPublicKeyFromCert", "chain", "", "Ljava/security/cert/Certificate;", "([Ljava/security/cert/Certificate;)Lio/libp2p/core/crypto/PubKey;", "verifyAndExtractPeerId", "([Ljava/security/cert/Certificate;)Lio/libp2p/core/PeerId;", TLSSecureChannelKt.NoEarlyMuxerNegotiationEntry}, k = 2, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class TLSSecureChannelKt {
    public static final String NoEarlyMuxerNegotiationEntry = "libp2p";
    public static final String SetupHandlerName = "TlsSetup";
    private static final Logger log = Logger.getLogger(TlsSecureChannel.class.getName());
    private static final byte[] certificatePrefix = StringsKt.encodeToByteArray("libp2p-tls-handshake:");

    /* compiled from: TLSSecureChannel.kt */
    @Metadata(k = 3, mv = {1, 6, 0}, xi = 48)
    /* loaded from: classes4.dex */
    public /* synthetic */ class WhenMappings {
        public static final /* synthetic */ int[] $EnumSwitchMapping$0;

        static {
            int[] iArr = new int[Crypto.KeyType.values().length];
            iArr[Crypto.KeyType.Ed25519.ordinal()] = 1;
            iArr[Crypto.KeyType.ECDSA.ordinal()] = 2;
            $EnumSwitchMapping$0 = iArr;
        }
    }

    public static final X509Certificate buildCert(PrivKey hostKey, PrivKey subjectKey) {
        String str;
        Intrinsics.checkNotNullParameter(hostKey, "hostKey");
        Intrinsics.checkNotNullParameter(subjectKey, "subjectKey");
        byte[] asn1EncodedPublicKey = getAsn1EncodedPublicKey(subjectKey.publicKey());
        SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(asn1EncodedPublicKey);
        Instant now = Instant.now();
        Date from = Date.from(now.minusSeconds(3600L));
        Date from2 = Date.from(now.plusSeconds(31536000L));
        X500Name x500Name = new X500Name("O=Peergos,L=Oxford,C=UK");
        X509v3CertificateBuilder addExtension = new X509v3CertificateBuilder(x500Name, BigInteger.valueOf(now.toEpochMilli()), from, from2, x500Name, subjectPublicKeyInfo).addExtension(new ASN1ObjectIdentifier("1.3.6.1.4.1.53594.1.1"), true, (ASN1Encodable) new DERSequence(new DEROctetString[]{new DEROctetString(hostKey.publicKey().bytes()), new DEROctetString(hostKey.sign(ArraysKt.plus(certificatePrefix, asn1EncodedPublicKey)))}));
        int i = WhenMappings.$EnumSwitchMapping$0[subjectKey.getKeyType().ordinal()];
        if (i == 1) {
            str = EdDSAParameterSpec.Ed25519;
        } else {
            if (i != 2) {
                throw new IllegalStateException("Unsupported certificate key type: " + subjectKey.getKeyType());
            }
            str = Libp2pCryptoKt.SHA_256_WITH_ECDSA;
        }
        X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(addExtension.build(new JcaContentSignerBuilder(str).setProvider(Libp2pCrypto.INSTANCE.getProvider()).build(getJavaKey(subjectKey))));
        Intrinsics.checkNotNullExpressionValue(certificate, "JcaX509CertificateConver…ertBuilder.build(signer))");
        return certificate;
    }

    public static final SslHandler buildTlsHandler(final PrivKey localKey, Optional<PeerId> expectedRemotePeer, final List<? extends StreamMuxer> muxers, String certAlgorithm, P2PChannel ch, final CompletableFuture<SecureChannel.Session> handshakeComplete, final ChannelHandlerContext ctx) {
        Intrinsics.checkNotNullParameter(localKey, "localKey");
        Intrinsics.checkNotNullParameter(expectedRemotePeer, "expectedRemotePeer");
        Intrinsics.checkNotNullParameter(muxers, "muxers");
        Intrinsics.checkNotNullParameter(certAlgorithm, "certAlgorithm");
        Intrinsics.checkNotNullParameter(ch, "ch");
        Intrinsics.checkNotNullParameter(handshakeComplete, "handshakeComplete");
        Intrinsics.checkNotNullParameter(ctx, "ctx");
        Pair generateEcdsaKeyPair$default = certAlgorithm.equals(Libp2pCryptoKt.ECDSA_ALGORITHM) ? EcdsaKt.generateEcdsaKeyPair$default(null, 1, null) : Ed25519Kt.generateEd25519KeyPair$default(null, 1, null);
        PrivateKey javaKey = getJavaKey((PrivKey) generateEcdsaKeyPair$default.getFirst());
        final SslHandler handler = (ch.getIsInitiator() ? SslContextBuilder.forClient().keyManager(javaKey, CollectionsKt.listOf(buildCert(localKey, (PrivKey) generateEcdsaKeyPair$default.getFirst()))) : SslContextBuilder.forServer(javaKey, CollectionsKt.listOf(buildCert(localKey, (PrivKey) generateEcdsaKeyPair$default.getFirst())))).protocols(CollectionsKt.listOf(SslProtocols.TLS_v1_3)).ciphers(CollectionsKt.listOf((Object[]) new String[]{Ciphers.TLS_AES_128_GCM_SHA256, Ciphers.TLS_AES_256_GCM_SHA384, Ciphers.TLS_CHACHA20_POLY1305_SHA256})).clientAuth(ClientAuth.REQUIRE).trustManager(new Libp2pTrustManager(expectedRemotePeer)).sslContextProvider(new BouncyCastleJsseProvider()).applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, ApplicationProtocolConfig.SelectorFailureBehavior.FATAL_ALERT, ApplicationProtocolConfig.SelectedListenerFailureBehavior.FATAL_ALERT, (Iterable<String>) CollectionsKt.plus((Collection<? extends String>) getAllProtocols(muxers), NoEarlyMuxerNegotiationEntry))).build().newHandler(ctx.alloc());
        handler.sslCloseFuture().addListener(new GenericFutureListener() { // from class: io.libp2p.security.tls.TLSSecureChannelKt$$ExternalSyntheticLambda0
            @Override // io.netty.util.concurrent.GenericFutureListener
            public final void operationComplete(Future future) {
                TLSSecureChannelKt.m8071buildTlsHandler$lambda0(ChannelHandlerContext.this, future);
            }
        });
        Future<Channel> handshakeFuture = handler.handshakeFuture();
        final SSLEngine engine = handler.engine();
        handshakeFuture.addListener(new GenericFutureListener() { // from class: io.libp2p.security.tls.TLSSecureChannelKt$$ExternalSyntheticLambda1
            @Override // io.netty.util.concurrent.GenericFutureListener
            public final void operationComplete(Future future) {
                TLSSecureChannelKt.m8072buildTlsHandler$lambda3(handshakeComplete, handler, muxers, localKey, engine, ctx, future);
            }
        });
        Intrinsics.checkNotNullExpressionValue(handler, "handler");
        return handler;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* renamed from: buildTlsHandler$lambda-0, reason: not valid java name */
    public static final void m8071buildTlsHandler$lambda0(ChannelHandlerContext ctx, Future future) {
        Intrinsics.checkNotNullParameter(ctx, "$ctx");
        ctx.close();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* renamed from: buildTlsHandler$lambda-3, reason: not valid java name */
    public static final void m8072buildTlsHandler$lambda3(CompletableFuture handshakeComplete, SslHandler sslHandler, List muxers, PrivKey localKey, SSLEngine sSLEngine, ChannelHandlerContext ctx, Future future) {
        Intrinsics.checkNotNullParameter(handshakeComplete, "$handshakeComplete");
        Intrinsics.checkNotNullParameter(muxers, "$muxers");
        Intrinsics.checkNotNullParameter(localKey, "$localKey");
        Intrinsics.checkNotNullParameter(ctx, "$ctx");
        if (!future.isSuccess()) {
            Throwable cause = future.cause();
            if (cause != null && cause.getCause() != null) {
                cause = cause.getCause();
            }
            handshakeComplete.completeExceptionally(cause);
            return;
        }
        String nextProtocol = sslHandler.applicationProtocol();
        ArrayList arrayList = new ArrayList();
        for (Object obj : muxers) {
            ProtocolMatcher protocolMatcher = ((StreamMuxer) obj).getProtocolDescriptor().getProtocolMatcher();
            Intrinsics.checkNotNullExpressionValue(nextProtocol, "nextProtocol");
            if (protocolMatcher.matches(nextProtocol)) {
                arrayList.add(obj);
            }
        }
        ArrayList<StreamMuxer> arrayList2 = arrayList;
        ArrayList arrayList3 = new ArrayList(CollectionsKt.collectionSizeOrDefault(arrayList2, 10));
        for (StreamMuxer streamMuxer : arrayList2) {
            Intrinsics.checkNotNullExpressionValue(nextProtocol, "nextProtocol");
            arrayList3.add(new NegotiatedProtocol(streamMuxer, nextProtocol));
        }
        NegotiatedProtocol negotiatedProtocol = (NegotiatedProtocol) CollectionsKt.firstOrNull((List) arrayList3);
        PeerId fromPubKey = PeerId.INSTANCE.fromPubKey(localKey.publicKey());
        Certificate[] peerCertificates = sSLEngine.getSession().getPeerCertificates();
        Intrinsics.checkNotNullExpressionValue(peerCertificates, "engine.session.peerCertificates");
        PeerId verifyAndExtractPeerId = verifyAndExtractPeerId(peerCertificates);
        Certificate[] peerCertificates2 = sSLEngine.getSession().getPeerCertificates();
        Intrinsics.checkNotNullExpressionValue(peerCertificates2, "engine.session.peerCertificates");
        handshakeComplete.complete(new SecureChannel.Session(fromPubKey, verifyAndExtractPeerId, getPublicKeyFromCert(peerCertificates2), negotiatedProtocol));
        ctx.fireChannelActive();
    }

    private static final <T extends ProtocolBinding<?>> List<String> getAllProtocols(List<? extends T> list) {
        ArrayList arrayList = new ArrayList();
        Iterator<T> it = list.iterator();
        while (it.hasNext()) {
            CollectionsKt.addAll(arrayList, ((ProtocolBinding) it.next()).getProtocolDescriptor().getAnnounceProtocols());
        }
        return arrayList;
    }

    public static final byte[] getAsn1EncodedPublicKey(PubKey pub) {
        Intrinsics.checkNotNullParameter(pub, "pub");
        if (pub.getKeyType() == Crypto.KeyType.Ed25519) {
            byte[] encoded = new SubjectPublicKeyInfo(new AlgorithmIdentifier(EdECObjectIdentifiers.id_Ed25519), pub.raw()).getEncoded();
            Intrinsics.checkNotNullExpressionValue(encoded, "SubjectPublicKeyInfo(Alg…5519), pub.raw()).encoded");
            return encoded;
        }
        if (pub.getKeyType() != Crypto.KeyType.ECDSA) {
            throw new IllegalArgumentException("Unsupported TLS key type:" + pub.getKeyType());
        }
        byte[] encoded2 = ((EcdsaPublicKey) pub).javaKey().getEncoded();
        Intrinsics.checkNotNullExpressionValue(encoded2, "pub as EcdsaPublicKey).javaKey().encoded");
        return encoded2;
    }

    public static final byte[] getCertificatePrefix() {
        return certificatePrefix;
    }

    public static final PrivateKey getJavaKey(PrivKey priv) {
        Intrinsics.checkNotNullParameter(priv, "priv");
        if (priv.getKeyType() == Crypto.KeyType.Ed25519) {
            PrivateKey generatePrivate = KeyFactory.getInstance(EdDSAParameterSpec.Ed25519, Libp2pCrypto.INSTANCE.getProvider()).generatePrivate(new PKCS8EncodedKeySpec(new PrivateKeyInfo(new AlgorithmIdentifier(EdECObjectIdentifiers.id_Ed25519), new DEROctetString(priv.raw())).getEncoded()));
            Intrinsics.checkNotNullExpressionValue(generatePrivate, "kf.generatePrivate(pkcs8KeySpec)");
            return generatePrivate;
        }
        if (priv.getKeyType() == Crypto.KeyType.ECDSA) {
            PrivateKey generatePrivate2 = KeyFactory.getInstance(Libp2pCryptoKt.ECDSA_ALGORITHM, Libp2pCrypto.INSTANCE.getProvider()).generatePrivate(new PKCS8EncodedKeySpec(priv.raw()));
            Intrinsics.checkNotNullExpressionValue(generatePrivate2, "kf.generatePrivate(pkcs8KeySpec)");
            return generatePrivate2;
        }
        if (priv.getKeyType() == Crypto.KeyType.RSA) {
            throw new IllegalStateException("Unimplemented RSA key support for TLS");
        }
        throw new IllegalArgumentException("Unsupported TLS key type:" + priv.getKeyType());
    }

    public static final PubKey getPubKey(PublicKey pub) {
        Intrinsics.checkNotNullParameter(pub, "pub");
        if (pub.getAlgorithm().equals("EdDSA") || pub.getAlgorithm().equals(EdDSAParameterSpec.Ed25519)) {
            return new Ed25519PublicKey(new Ed25519PublicKeyParameters(((EdDSAPublicKey) pub).getPointEncoding()));
        }
        if (pub.getAlgorithm().equals("EC")) {
            return new EcdsaPublicKey((ECPublicKey) pub);
        }
        if (pub.getAlgorithm().equals(Libp2pCryptoKt.RSA_ALGORITHM)) {
            throw new IllegalStateException("Unimplemented RSA public key support for TLS");
        }
        throw new IllegalStateException("Unsupported key type: " + pub.getAlgorithm());
    }

    public static final PubKey getPublicKeyFromCert(Certificate[] chain) {
        Intrinsics.checkNotNullParameter(chain, "chain");
        if (chain.length != 1) {
            throw new IllegalStateException("Cert chain must have exactly 1 element!");
        }
        PublicKey publicKey = chain[0].getPublicKey();
        Intrinsics.checkNotNullExpressionValue(publicKey, "cert.publicKey");
        return getPubKey(publicKey);
    }

    public static final PeerId verifyAndExtractPeerId(Certificate[] chain) {
        Intrinsics.checkNotNullParameter(chain, "chain");
        if (chain.length != 1) {
            throw new IllegalStateException("Cert chain must have exactly 1 element!");
        }
        Certificate certificate = chain[0];
        org.bouncycastle.asn1.x509.Certificate certificate2 = org.bouncycastle.asn1.x509.Certificate.getInstance(ASN1Primitive.fromByteArray(certificate.getEncoded()));
        X509CertificateHolder x509CertificateHolder = new X509CertificateHolder(certificate2);
        Extension extension = x509CertificateHolder.getExtensions().getExtension(new ASN1ObjectIdentifier("1.3.6.1.4.1.53594.1.1"));
        if (extension == null) {
            throw new IllegalStateException("Certificate extension not present!");
        }
        ASN1Primitive readObject = new ASN1InputStream(extension.getExtnValue().getEncoded()).readObject();
        if (readObject == null) {
            throw new NullPointerException("null cannot be cast to non-null type org.bouncycastle.asn1.DEROctetString");
        }
        ASN1Primitive readObject2 = new ASN1InputStream(((DEROctetString) readObject).getOctets()).readObject();
        if (readObject2 == null) {
            throw new NullPointerException("null cannot be cast to non-null type org.bouncycastle.asn1.DLSequence");
        }
        DLSequence dLSequence = (DLSequence) readObject2;
        ASN1Encodable objectAt = dLSequence.getObjectAt(0);
        if (objectAt == null) {
            throw new NullPointerException("null cannot be cast to non-null type org.bouncycastle.asn1.DEROctetString");
        }
        byte[] pubKeyProto = ((DEROctetString) objectAt).getOctets();
        ASN1Encodable objectAt2 = dLSequence.getObjectAt(1);
        if (objectAt2 == null) {
            throw new NullPointerException("null cannot be cast to non-null type org.bouncycastle.asn1.DEROctetString");
        }
        byte[] signature = ((DEROctetString) objectAt2).getOctets();
        Intrinsics.checkNotNullExpressionValue(pubKeyProto, "pubKeyProto");
        PubKey unmarshalPublicKey = KeyKt.unmarshalPublicKey(pubKeyProto);
        byte[] bArr = certificatePrefix;
        byte[] encoded = certificate.getPublicKey().getEncoded();
        Intrinsics.checkNotNullExpressionValue(encoded, "cert.publicKey.encoded");
        byte[] plus = ArraysKt.plus(bArr, encoded);
        Intrinsics.checkNotNullExpressionValue(signature, "signature");
        if (!unmarshalPublicKey.verify(plus, signature)) {
            throw new IllegalStateException("Invalid signature on TLS certificate extension!");
        }
        certificate.verify(certificate.getPublicKey());
        Date date = new Date();
        if (certificate2.getEndDate().getDate().before(date)) {
            throw new IllegalStateException("TLS certificate has expired!");
        }
        if (certificate2.getStartDate().getDate().after(date)) {
            throw new IllegalStateException("TLS certificate is not valid yet!");
        }
        return PeerId.INSTANCE.fromPubKey(unmarshalPublicKey);
    }
}
