package org.dcache.gsi;

import com.google.common.base.Preconditions;
import com.google.common.io.ByteSource;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.proxy.ProxyGenerator;
import eu.emi.security.authn.x509.proxy.ProxyRequestOptions;
import java.io.EOFException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.dcache.gsi.InterceptingSSLEngine;

/* loaded from: input_file:org/dcache/gsi/ClientGsiEngine.class */
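/**
 * Client-side GSI engine: wraps an {@link SSLEngine} and, on construction, queues the
 * one-byte delegation marker and (optionally) the credential-delegation exchange.
 *
 * <p>When delegation is requested, the engine signs a proxy certificate for the public key
 * carried in the peer's certificate signing request (CSR), using the private key of the
 * supplied credential. Whoever holds the matching private key can then act with that proxy,
 * so callers should only request delegation towards a peer they have authenticated and
 * intend to trust with it.
 */
public class ClientGsiEngine extends InterceptingSSLEngine {
    /** Marker byte sent when the client requests delegation. */
    public static final char DELEGATION_CHAR = 'D';
    /** Marker byte sent when the client does not delegate. */
    public static final char NO_DELEGATION_CHAR = '0';
    private final boolean isDelegationLimited;
    private final X509Credential credential;

    /**
     * Callback that accumulates the peer's CSR and answers it with a signed proxy certificate.
     *
     * <p>The CSR may arrive in several pieces; bytes seen so far are kept in {@code data}
     * and their total length in {@code len} until one complete ASN.1 object can be read.
     */
    private class GotCsr implements InterceptingSSLEngine.Callback {
        // Total number of CSR bytes received so far (previous chunks plus the current one).
        private int len;
        // Copy of the chunks received in earlier calls; null until a CSR turned out incomplete.
        // NOTE(review): nothing bounds how much is accumulated here. A peer that never
        // completes the CSR keeps this growing; consider enforcing a maximum CSR size.
        private ByteSource data;

        /**
         * Tries to parse the CSR from everything received so far and, on success, sends the
         * DER encoding of the newly generated proxy certificate.
         *
         * @param byteBuffer buffer holding the latest chunk; the bytes from
         *     {@code arrayOffset()} up to {@code position()} are consumed, so the buffer is
         *     assumed to be array-backed and not yet flipped (TODO confirm against the caller)
         * @throws SSLException if parsing the CSR, generating the proxy, or buffering the
         *     partial CSR fails
         */
        @Override // org.dcache.gsi.InterceptingSSLEngine.Callback
        public void call(ByteBuffer byteBuffer) throws SSLException {
            this.len += byteBuffer.position();
            ByteSource slice = ByteSource.wrap(byteBuffer.array()).slice(byteBuffer.arrayOffset(), byteBuffer.position());
            ByteSource pending = this.data == null ? slice : ByteSource.concat(new ByteSource[]{this.data, slice});
            // The stream limit is the number of bytes actually received, so a length field in
            // the CSR cannot make the parser allocate beyond what is buffered.
            try (ASN1InputStream aSN1InputStream = new ASN1InputStream(pending.openStream(), this.len, true)) {
                // NOTE(review): the CSR's self-signature (proof of possession) is not checked
                // in this method; confirm whether ProxyGenerator verifies it.
                ProxyRequestOptions proxyRequestOptions = new ProxyRequestOptions(ClientGsiEngine.this.credential.getCertificateChain(), new PKCS10CertificationRequest(aSN1InputStream.readObject()));
                // Only the "limited" flag is set; lifetime and all other proxy options are
                // left at the library defaults.
                proxyRequestOptions.setLimited(ClientGsiEngine.this.isDelegationLimited);
                // Element 0 of the generated chain is the only certificate sent back.
                ClientGsiEngine.this.send(ByteBuffer.wrap(ProxyGenerator.generate(proxyRequestOptions, ClientGsiEngine.this.credential.getKey())[0].getEncoded()));
            } catch (EOFException e) {
                // The CSR is not complete yet: keep a copy of this chunk (presumably because
                // the caller may reuse the buffer - verify) and wait for more data.
                try {
                    ByteSource wrap = ByteSource.wrap(slice.read());
                    this.data = this.data == null ? wrap : ByteSource.concat(new ByteSource[]{this.data, wrap});
                    ClientGsiEngine.this.receive(this);
                } catch (IOException e2) {
                    // Previously this failure was attached to the EOFException and dropped,
                    // which would leave the delegation exchange stalled with no error reported.
                    throw new SSLException("GSI delegation failed: " + e2.toString(), e2);
                }
            } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateEncodingException | CertificateParsingException e3) {
                throw new SSLException("GSI delegation failed: " + e3.toString(), e3);
            }
        }
    }

    /**
     * Creates the engine and immediately queues the delegation marker.
     *
     * @param sSLEngine the underlying engine to wrap
     * @param x509Credential credential whose certificate chain and private key are used to
     *     issue the delegated proxy
     * @param z {@code true} to send {@link #DELEGATION_CHAR} and answer the peer's CSR;
     *     {@code false} to send {@link #NO_DELEGATION_CHAR} only
     * @param z2 {@code true} to issue a limited proxy when delegating
     */
    public ClientGsiEngine(SSLEngine sSLEngine, X509Credential x509Credential, boolean z, boolean z2) {
        super(sSLEngine);
        this.isDelegationLimited = z2;
        this.credential = x509Credential;
        if (z) {
            sendThenReceive(ByteBuffer.wrap(new byte[]{(byte) DELEGATION_CHAR}), new GotCsr());
        } else {
            send(ByteBuffer.wrap(new byte[]{(byte) NO_DELEGATION_CHAR}));
        }
    }

    /**
     * Accepts client mode only.
     *
     * @param z must be {@code true}
     * @throws IllegalArgumentException if {@code z} is {@code false}
     */
    @Override // org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public void setUseClientMode(boolean z) {
        Preconditions.checkArgument(z, "Only the client side of GSI is supported by this engine.");
        super.setUseClientMode(z);
    }
}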
