package org.dcache.xrootd.plugins.authn.gsi;

import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.security.auth.Subject;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.AuthenticationHandler;
import org.dcache.xrootd.protocol.messages.AbstractResponseMessage;
import org.dcache.xrootd.protocol.messages.AuthenticationRequest;
import org.dcache.xrootd.protocol.messages.AuthenticationResponse;
import org.dcache.xrootd.protocol.messages.OkResponse;
import org.dcache.xrootd.security.NestedBucketBuffer;
import org.dcache.xrootd.security.RawBucket;
import org.dcache.xrootd.security.StringBucket;
import org.dcache.xrootd.security.XrootdBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.globus.gsi.CertificateRevocationLists;
import org.globus.gsi.TrustedCertificates;
import org.globus.gsi.proxy.ProxyPathValidator;
import org.globus.gsi.proxy.ProxyPathValidatorException;
import org.jboss.netty.buffer.ChannelBuffers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIAuthenticationHandler.class */
public class GSIAuthenticationHandler implements AuthenticationHandler {
    public static final String PROTOCOL = "gsi";
    public static final String PROTOCOL_VERSION = "10200";
    public static final String CRYPTO_MODE = "ssl";
    public static final String SUPPORTED_CIPHER_ALGORITHMS = "aes-128-cbc";
    public static final String SUPPORTED_DIGESTS = "sha1:md5";
    private static final String SERVER_ASYNC_CIPHER_MODE = "RSA/NONE/PKCS1Padding";
    private static final String SERVER_SYNC_CIPHER_MODE = "AES/CBC/PKCS5Padding";
    private static final String SERVER_SYNC_CIPHER_NAME = "AES";
    private static final int SERVER_SYNC_CIPHER_BLOCKSIZE = 16;
    private static final int CHALLENGE_BYTES = 8;
    private TrustedCertificates _trustedCerts;
    private X509Certificate _hostCertificate;
    private PrivateKey _hostKey;
    private CertificateRevocationLists _crls;
    private Cipher _challengeCipher;
    private DHSession _dhSession;
    private static final Logger _logger = LoggerFactory.getLogger(GSIAuthenticationHandler.class);
    private static final SecureRandom _random = new SecureRandom();
    private static final ProxyPathValidator _proxyValidator = new ProxyPathValidator();
    private String _challenge = "";
    private boolean _finished = false;
    private Subject _subject = new Subject();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIAuthenticationHandler$XrootdBucketContainer.class */
    public class XrootdBucketContainer {
        private int _size;
        private List<XrootdBucket> _buckets;

        public XrootdBucketContainer(List<XrootdBucket> list, int i) {
            this._buckets = list;
            this._size = i;
        }

        public int getSize() {
            return this._size;
        }

        public List<XrootdBucket> getBuckets() {
            return this._buckets;
        }
    }

    public GSIAuthenticationHandler(X509Certificate x509Certificate, PrivateKey privateKey, TrustedCertificates trustedCertificates, CertificateRevocationLists certificateRevocationLists) {
        this._hostCertificate = x509Certificate;
        this._hostKey = privateKey;
        this._trustedCerts = trustedCertificates;
        this._crls = certificateRevocationLists;
    }

    public AbstractResponseMessage authenticate(AuthenticationRequest authenticationRequest) throws XrootdException {
        try {
            if (this._dhSession == null) {
                this._dhSession = new DHSession();
            }
            if (!PROTOCOL.equalsIgnoreCase(authenticationRequest.getProtocol())) {
                throw new XrootdException(3006, "Specified Protocol " + authenticationRequest.getProtocol() + " is not the protocol that was negotiated.");
            }
            switch (authenticationRequest.getStep()) {
                case 0:
                    return new OkResponse(authenticationRequest);
                case 1000:
                    return handleCertReqStep(authenticationRequest);
                case 1001:
                    return handleCertStep(authenticationRequest);
                default:
                    throw new XrootdException(3006, "Error during authentication, unknown processing step: " + authenticationRequest.getStep());
            }
        } catch (GeneralSecurityException e) {
            _logger.error("Error setting up cryptographic classes: {}", e);
            throw new XrootdException(3012, "Server probably misconfigured.");
        }
    }

    private AbstractResponseMessage handleCertReqStep(AuthenticationRequest authenticationRequest) throws XrootdException {
        try {
            this._challengeCipher = Cipher.getInstance(SERVER_ASYNC_CIPHER_MODE, "BC");
            this._challengeCipher.init(1, this._hostKey);
            this._challengeCipher.update(((StringBucket) ((NestedBucketBuffer) authenticationRequest.getBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_main)).getNestedBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_rtag)).getContent().getBytes());
            byte[] doFinal = this._challengeCipher.doFinal();
            this._challenge = generateChallengeString();
            XrootdBucketContainer buildCertReqResponse = buildCertReqResponse(doFinal, this._challenge, CRYPTO_MODE, this._dhSession.getEncodedDHMaterial().getBytes(), SUPPORTED_CIPHER_ALGORITHMS, SUPPORTED_DIGESTS, CertUtil.certToPEM(this._hostCertificate.getEncoded()));
            return new AuthenticationResponse(authenticationRequest, 4002, buildCertReqResponse.getSize(), PROTOCOL, 2001, buildCertReqResponse.getBuckets());
        } catch (InvalidKeyException e) {
            _logger.error("Configured host-key could not be used forsigning rtag: {}", e);
            throw new XrootdException(3012, "Internal error occured when trying to sign client authentication tag.");
        } catch (CertificateEncodingException e2) {
            _logger.error("Could not extract contents of server certificate: {}", e2);
            throw new XrootdException(3012, "Internal error occured when trying to send server certificate.");
        } catch (GeneralSecurityException e3) {
            _logger.error("Problems during signing of client authN tag (algorithm {}): {}", SERVER_ASYNC_CIPHER_MODE, e3);
            throw new XrootdException(3012, "Internal error occured when trying to sign client authentication tag.");
        }
    }

    private AbstractResponseMessage handleCertStep(AuthenticationRequest authenticationRequest) throws XrootdException {
        try {
            Map buckets = authenticationRequest.getBuckets();
            byte[] content = ((RawBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_main)).getContent();
            this._dhSession.finaliseKeyAgreement(((StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_puk)).getContent());
            NestedBucketBuffer deserialize = NestedBucketBuffer.deserialize(XrootdSecurityProtocol.BucketType.kXRS_main, ChannelBuffers.wrappedBuffer(this._dhSession.decrypt(SERVER_SYNC_CIPHER_MODE, SERVER_SYNC_CIPHER_NAME, SERVER_SYNC_CIPHER_BLOCKSIZE, content)));
            List<X509Certificate> parseCerts = CertUtil.parseCerts(new StringReader(((XrootdBucket) deserialize.getNestedBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_x509)).getContent()));
            if (parseCerts.size() <= 1) {
                throw new IllegalArgumentException("Could not parse user certificate from input stream!");
            }
            X509Certificate x509Certificate = parseCerts.get(0);
            _logger.info("The proxy-cert has the subject {} and the issuer {}", x509Certificate.getSubjectDN(), x509Certificate.getIssuerDN());
            X509Certificate[] x509CertificateArr = (X509Certificate[]) parseCerts.toArray(new X509Certificate[0]);
            this._subject.getPublicCredentials().add(x509CertificateArr);
            _proxyValidator.validate(x509CertificateArr, this._trustedCerts.getCertificates(), this._crls, this._trustedCerts.getSigningPolicies());
            this._challengeCipher.init(2, x509Certificate.getPublicKey());
            String str = new String(this._challengeCipher.doFinal(((XrootdBucket) deserialize.getNestedBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag)).getContent()), "ASCII");
            if (!this._challenge.equals(str)) {
                _logger.error("The challenge is {}, the serialized rTag is {}.signature of challenge tag has been proven wrong!!", this._challenge, str);
                throw new XrootdException(3006, "Client did not present correctchallenge response!");
            }
            _logger.debug("signature of challenge tag ok. Challenge: {}, rTagString: {}", this._challenge, str);
            this._finished = true;
            return new OkResponse(authenticationRequest);
        } catch (ProxyPathValidatorException e) {
            _logger.error("Could not validate certificate path of client certificate: {}", e);
            throw new XrootdException(3010, "Your certificate's issuer is not trusted.");
        } catch (IOException e2) {
            _logger.error("Could not deserialize main nested buffer {}", e2);
            throw new XrootdException(3007, "Could not decrypt encrypted client message.");
        } catch (InvalidKeyException e3) {
            _logger.error("The key negotiated by DH key exchange appears to be invalid: {}", e3);
            throw new XrootdException(3006, "Could not decrypt clientinformation with negotiated key.");
        } catch (InvalidKeySpecException e4) {
            _logger.error("DH key negotiation caused problems{}", e4);
            throw new XrootdException(3006, "Could not find key negotiation parameters.");
        } catch (GeneralSecurityException e5) {
            _logger.error("Error during decrypting/server-side key exchange: {}", e5);
            throw new XrootdException(3012, "Error in server-side cryptographic operations.");
        }
    }

    private XrootdBucketContainer buildCertReqResponse(byte[] bArr, String str, String str2, byte[] bArr2, String str3, String str4, String str5) {
        ArrayList arrayList = new ArrayList();
        RawBucket rawBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag, bArr);
        StringBucket stringBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_rtag, str);
        EnumMap enumMap = new EnumMap(XrootdSecurityProtocol.BucketType.class);
        enumMap.put((EnumMap) rawBucket.getType(), (XrootdSecurityProtocol.BucketType) rawBucket);
        enumMap.put((EnumMap) stringBucket.getType(), (XrootdSecurityProtocol.BucketType) stringBucket);
        NestedBucketBuffer nestedBucketBuffer = new NestedBucketBuffer(XrootdSecurityProtocol.BucketType.kXRS_main, PROTOCOL, 2001, enumMap);
        StringBucket stringBucket2 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cryptomod, CRYPTO_MODE);
        int size = 0 + stringBucket2.getSize();
        arrayList.add(stringBucket2);
        int size2 = size + nestedBucketBuffer.getSize();
        arrayList.add(nestedBucketBuffer);
        RawBucket rawBucket2 = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_puk, bArr2);
        int size3 = size2 + rawBucket2.getSize();
        arrayList.add(rawBucket2);
        StringBucket stringBucket3 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg, str3);
        int size4 = size3 + stringBucket3.getSize();
        arrayList.add(stringBucket3);
        StringBucket stringBucket4 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_md_alg, str4);
        int size5 = size4 + stringBucket4.getSize();
        arrayList.add(stringBucket4);
        StringBucket stringBucket5 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_x509, str5);
        int size6 = size5 + stringBucket5.getSize();
        arrayList.add(stringBucket5);
        return new XrootdBucketContainer(arrayList, size6);
    }

    private String generateChallengeString() {
        String str;
        byte[] bArr = new byte[CHALLENGE_BYTES];
        for (int i = 0; i < CHALLENGE_BYTES; i++) {
            bArr[i] = (byte) _random.nextInt(127);
        }
        try {
            str = new String(bArr, "ASCII");
        } catch (UnsupportedEncodingException e) {
            str = new String(bArr);
        }
        return str;
    }

    public String getProtocol() {
        return "&P=gsi,v:10200,c:ssl,ca:" + CertUtil.computeMD5Hash(this._hostCertificate.getIssuerX500Principal());
    }

    public Subject getSubject() {
        return this._subject;
    }

    public boolean isCompleted() {
        return this._finished;
    }
}
