package org.dcache.gsi;

import com.google.common.base.Preconditions;
import com.google.common.io.ByteSource;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
import eu.emi.security.authn.x509.proxy.ProxyCSRGenerator;
import eu.emi.security.authn.x509.proxy.ProxyCertificateOptions;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import org.bouncycastle.asn1.ASN1InputStream;
import org.dcache.gsi.InterceptingSSLEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/gsi/ServerGsiEngine.class */
public class ServerGsiEngine extends InterceptingSSLEngine {
    private static final Logger LOGGER = LoggerFactory.getLogger(ServerGsiEngine.class);
    public static final String X509_CREDENTIAL = "org.dcache.credential";
    public static final char DELEGATION_CHAR = 'D';
    private KeyPairCache keyPairCache;
    private final CertificateFactory cf;
    private boolean isUsingLegacyClose;
    private boolean isOutboundClosed;
    private KeyPair keyPair;

    /* loaded from: input_file:org/dcache/gsi/ServerGsiEngine$GotDelegatedCredentials.class */
    private class GotDelegatedCredentials implements InterceptingSSLEngine.Callback {
        private int len;
        private ByteSource data;

        private GotDelegatedCredentials() {
        }

        @Override // org.dcache.gsi.InterceptingSSLEngine.Callback
        public void call(ByteBuffer byteBuffer) throws SSLException {
            ASN1InputStream aSN1InputStream;
            Preconditions.checkArgument(byteBuffer.hasArray(), "Buffer must have backing array");
            this.len += byteBuffer.position();
            ByteSource slice = ByteSource.wrap(byteBuffer.array()).slice(byteBuffer.arrayOffset(), byteBuffer.position());
            ByteSource concat = this.data == null ? slice : ByteSource.concat(new ByteSource[]{this.data, slice});
            try {
                ServerGsiEngine.this.readDelegatedCredentials(concat);
            } catch (IOException | GeneralSecurityException e) {
                try {
                    try {
                        aSN1InputStream = new ASN1InputStream(concat.openStream(), this.len, true);
                    } catch (IOException e2) {
                        e.addSuppressed(e2);
                    }
                    try {
                        aSN1InputStream.readObject();
                        aSN1InputStream.close();
                        throw new SSLException("GSI delegation failed: " + e.toString(), e);
                    } catch (Throwable th) {
                        try {
                            aSN1InputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                } catch (EOFException e3) {
                    ByteSource wrap = ByteSource.wrap(slice.read());
                    this.data = this.data == null ? wrap : ByteSource.concat(new ByteSource[]{this.data, wrap});
                    ServerGsiEngine.this.receive(this);
                }
            }
        }
    }

    /* loaded from: input_file:org/dcache/gsi/ServerGsiEngine$GotDelegationCharacter.class */
    private class GotDelegationCharacter implements InterceptingSSLEngine.Callback {
        private GotDelegationCharacter() {
        }

        @Override // org.dcache.gsi.InterceptingSSLEngine.Callback
        public void call(ByteBuffer byteBuffer) throws SSLException {
            if (byteBuffer.get(0) == 68) {
                try {
                    ServerGsiEngine.this.sendThenReceive(ServerGsiEngine.this.getCertRequest(), new GotDelegatedCredentials());
                } catch (IOException | GeneralSecurityException e) {
                    throw new SSLException("GSI delegation failed: " + e.toString(), e);
                }
            }
        }
    }

    public ServerGsiEngine(SSLEngine sSLEngine, CertificateFactory certificateFactory) {
        super(sSLEngine);
        this.keyPairCache = new KeyPairCache(30L, TimeUnit.SECONDS);
        this.cf = certificateFactory;
        receive(new GotDelegationCharacter());
    }

    @Override // org.dcache.gsi.InterceptingSSLEngine, org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public void closeOutbound() {
        this.isOutboundClosed = true;
        super.closeOutbound();
    }

    public boolean isUsingLegacyClose() {
        return this.isUsingLegacyClose;
    }

    public void setUsingLegacyClose(boolean z) {
        this.isUsingLegacyClose = z;
    }

    public void setKeyPairCache(KeyPairCache keyPairCache) {
        this.keyPairCache = keyPairCache;
    }

    @Override // org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public void setUseClientMode(boolean z) {
        Preconditions.checkArgument(!z, "Only the server side of GSI is supported by this engine.");
        super.setUseClientMode(z);
    }

    @Override // org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public boolean isInboundDone() {
        return (this.isUsingLegacyClose && this.isOutboundClosed) || super.isInboundDone();
    }

    @Override // org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public boolean isOutboundDone() {
        return (this.isUsingLegacyClose && this.isOutboundClosed) || super.isOutboundDone();
    }

    @Override // org.dcache.gsi.InterceptingSSLEngine, org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public SSLEngineResult.HandshakeStatus getHandshakeStatus() {
        return (this.isUsingLegacyClose && this.isOutboundClosed) ? SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING : super.getHandshakeStatus();
    }

    @Override // org.dcache.gsi.InterceptingSSLEngine, org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public SSLEngineResult unwrap(ByteBuffer byteBuffer, ByteBuffer[] byteBufferArr, int i, int i2) throws SSLException {
        return (this.isUsingLegacyClose && this.isOutboundClosed) ? new SSLEngineResult(SSLEngineResult.Status.CLOSED, SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING, 0, 0) : super.unwrap(byteBuffer, byteBufferArr, i, i2);
    }

    @Override // org.dcache.gsi.InterceptingSSLEngine, org.dcache.gsi.ForwardingSSLEngine, javax.net.ssl.SSLEngine
    public SSLEngineResult wrap(ByteBuffer[] byteBufferArr, int i, int i2, ByteBuffer byteBuffer) throws SSLException {
        return (this.isUsingLegacyClose && this.isOutboundClosed) ? new SSLEngineResult(SSLEngineResult.Status.CLOSED, SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING, 0, 0) : super.wrap(byteBufferArr, i, i2, byteBuffer);
    }

    private ByteBuffer getCertRequest() throws IOException, GeneralSecurityException {
        X509Certificate[] convertToX509Chain = CertificateUtils.convertToX509Chain(getSession().getPeerCertificates());
        this.keyPair = this.keyPairCache.getKeyPair(((RSAPublicKey) convertToX509Chain[0].getPublicKey()).getModulus().bitLength());
        ProxyCertificateOptions proxyCertificateOptions = new ProxyCertificateOptions(convertToX509Chain);
        proxyCertificateOptions.setPublicKey(this.keyPair.getPublic());
        proxyCertificateOptions.setLimited(true);
        byte[] encoded = ProxyCSRGenerator.generate(proxyCertificateOptions, this.keyPair.getPrivate()).getCSR().getEncoded();
        return ByteBuffer.wrap(encoded, 0, encoded.length);
    }

    protected void verifyDelegatedCert(X509Certificate x509Certificate) throws GeneralSecurityException {
        if (!((RSAPublicKey) x509Certificate.getPublicKey()).getModulus().equals(((RSAPrivateKey) this.keyPair.getPrivate()).getModulus())) {
            throw new GeneralSecurityException("Client delegated credentials do not match certificate request.");
        }
    }

    private void readDelegatedCredentials(ByteSource byteSource) throws GeneralSecurityException, IOException {
        SSLSession session = getSession();
        InputStream openStream = byteSource.openStream();
        try {
            X509Certificate x509Certificate = (X509Certificate) this.cf.generateCertificate(openStream);
            if (openStream != null) {
                openStream.close();
            }
            LOGGER.trace("Received delegated cert: {}", x509Certificate);
            verifyDelegatedCert(x509Certificate);
            Certificate[] peerCertificates = session.getPeerCertificates();
            int length = peerCertificates.length;
            X509Certificate[] x509CertificateArr = new X509Certificate[length + 1];
            x509CertificateArr[0] = x509Certificate;
            for (int i = 0; i < length; i++) {
                x509CertificateArr[i + 1] = (X509Certificate) peerCertificates[i];
            }
            session.putValue(X509_CREDENTIAL, new KeyAndCertCredential(this.keyPair.getPrivate(), x509CertificateArr));
        } catch (Throwable th) {
            if (openStream != null) {
                try {
                    openStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }
}
