package org.dcache.xrootd.plugins.authn.gsi;

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Objects;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.dcache.xrootd.plugins.AuthenticationFactory;
import org.dcache.xrootd.plugins.AuthenticationHandler;
import org.dcache.xrootd.plugins.InvalidHandlerConfigurationException;
import org.globus.gsi.CertificateRevocationLists;
import org.globus.gsi.TrustedCertificates;
import org.globus.gsi.proxy.ProxyPathValidator;
import org.globus.gsi.proxy.ProxyPathValidatorException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIAuthenticationFactory.class */
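/**
 * Factory for {@link GSIAuthenticationHandler} instances.
 *
 * <p>Each handler is given the server's host certificate, the matching private
 * key, the trusted CA certificates (trust anchors) and the default certificate
 * revocation lists. Certificate, key and trust anchors are cached and reloaded
 * from disk once their configured refresh interval has elapsed.
 *
 * <p>Configuration is taken from these properties:
 * <ul>
 *   <li>{@code xrootd.gsi.hostcert.cert} - path of the host certificate (PEM/DER, X.509)</li>
 *   <li>{@code xrootd.gsi.hostcert.key} - path of the host private key (PEM)</li>
 *   <li>{@code xrootd.gsi.hostcert.refresh} / {@code .refresh.unit} - host credential refresh interval</li>
 *   <li>{@code xrootd.gsi.hostcert.verify} - when {@code true}, the host certificate is
 *       validated against the trust anchors and the default CRLs on every (re)load</li>
 *   <li>{@code xrootd.gsi.ca.path} - directory holding the trusted CA certificates</li>
 *   <li>{@code xrootd.gsi.ca.refresh} / {@code .refresh.unit} - trust anchor refresh interval</li>
 * </ul>
 *
 * <p>Thread-safety: the cached credentials are guarded by the factory's monitor.
 * They are written only after a complete, successful (and, if enabled, verified)
 * load, and read under the same lock, so a handler always receives a certificate
 * and key that were loaded together.
 */
public class GSIAuthenticationFactory implements AuthenticationFactory {
    private static final Logger _logger = LoggerFactory.getLogger(GSIAuthenticationFactory.class);

    private final String _hostCertificatePath;
    private final String _hostKeyPath;
    private final String _caCertificatePath;

    // Cached credentials; guarded by this. Only ever replaced as a pair, and
    // only once the new pair has been read (and verified, if configured).
    private X509Certificate _hostCertificate;
    private PrivateKey _hostKey;
    // Trust anchors; guarded by this.
    private TrustedCertificates _trustedCerts;

    private final long _hostCertRefreshInterval;
    private final long _trustAnchorRefreshInterval;
    // Epoch millis of the last successful load; 0 forces a load on first use.
    private long _hostCertRefreshTimestamp = 0;
    private long _trustAnchorRefreshTimestamp = 0;
    private final ProxyPathValidator _proxyValidator = new ProxyPathValidator();
    private final boolean _verifyHostCertificate;

    /**
     * Creates a factory configured from the given properties (see class comment).
     *
     * @param properties plugin configuration
     * @throws NullPointerException if a refresh unit property is missing
     * @throws IllegalArgumentException if a refresh unit is not a {@link TimeUnit} name
     * @throws NumberFormatException if a refresh count is missing or not an integer
     */
    public GSIAuthenticationFactory(Properties properties) {
        this._hostKeyPath = properties.getProperty("xrootd.gsi.hostcert.key");
        this._hostCertificatePath = properties.getProperty("xrootd.gsi.hostcert.cert");
        this._hostCertRefreshInterval = refreshMillis(properties, "xrootd.gsi.hostcert.refresh");
        this._verifyHostCertificate = Boolean.parseBoolean(properties.getProperty("xrootd.gsi.hostcert.verify"));
        this._caCertificatePath = properties.getProperty("xrootd.gsi.ca.path");
        this._trustAnchorRefreshInterval = refreshMillis(properties, "xrootd.gsi.ca.refresh");
    }

    /**
     * Converts the pair of properties {@code <prefix>} (an integer count) and
     * {@code <prefix>.unit} (a {@link TimeUnit} name) into milliseconds.
     */
    private static long refreshMillis(Properties properties, String prefix) {
        String unitKey = prefix + ".unit";
        // Fail with the offending property name rather than TimeUnit's bare NPE.
        String unitName = Objects.requireNonNull(properties.getProperty(unitKey), unitKey);
        return TimeUnit.valueOf(unitName).toMillis(Integer.parseInt(properties.getProperty(prefix)));
    }

    /**
     * Returns a new handler backed by the current (possibly just refreshed)
     * host credentials and trust anchors.
     *
     * @throws InvalidHandlerConfigurationException if the credentials cannot be
     *         read, are cryptographically unusable, or (when verification is
     *         enabled) the host certificate does not chain to a trust anchor
     */
    @Override
    public AuthenticationHandler createHandler() throws InvalidHandlerConfigurationException {
        CertificateRevocationLists crls = CertificateRevocationLists.getDefaultCertificateRevocationLists();
        try {
            // Refresh and snapshot under one lock so the handler cannot observe a
            // certificate from one refresh paired with a key from another.
            synchronized (this) {
                loadTrustAnchors();
                loadServerCredentials(crls);
                return new GSIAuthenticationHandler(_hostCertificate, _hostKey, _trustedCerts, crls);
            }
        } catch (IOException e) {
            throw new InvalidHandlerConfigurationException("Could not read certificates/key from file-system", e);
        } catch (ProxyPathValidatorException e) {
            throw new InvalidHandlerConfigurationException("Could not verify server certificate chain", e);
        } catch (GeneralSecurityException e) {
            throw new InvalidHandlerConfigurationException("Could not load certificates/key due to security error", e);
        }
    }

    /** Loads the trust anchors on first use and whenever the CA refresh interval has elapsed. */
    private synchronized void loadTrustAnchors() {
        long elapsed = System.currentTimeMillis() - _trustAnchorRefreshTimestamp;
        if (_trustedCerts == null || elapsed >= _trustAnchorRefreshInterval) {
            _logger.info("CA certificate directory: {}", _caCertificatePath);
            _trustedCerts = TrustedCertificates.load(_caCertificatePath);
            _trustAnchorRefreshTimestamp = System.currentTimeMillis();
        }
    }

    /**
     * Loads the host certificate and key on first use and whenever the host
     * credential refresh interval has elapsed. The cached pair is replaced only
     * after both files were read and, if configured, the certificate verified;
     * a failed reload leaves the previously accepted pair in place and is
     * retried on the next call.
     *
     * @param crls revocation lists used for verification
     */
    private synchronized void loadServerCredentials(CertificateRevocationLists crls) throws CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, ProxyPathValidatorException, NoSuchProviderException {
        long elapsed = System.currentTimeMillis() - _hostCertRefreshTimestamp;
        if (_hostCertificate != null && _hostKey != null && elapsed < _hostCertRefreshInterval) {
            return;
        }
        _logger.info("Time since last server cert refresh {}", elapsed);
        _logger.info("Loading server certificates. Current refresh interval: {} ms", _hostCertRefreshInterval);
        X509Certificate certificate = readHostCertificate();
        PrivateKey key = readHostKey();
        if (_verifyHostCertificate) {
            _logger.info("Verifying host certificate");
            verifyHostCertificate(certificate, crls);
        }
        // Commit point: nothing above has touched the cached fields.
        _hostCertificate = certificate;
        _hostKey = key;
        _hostCertRefreshTimestamp = System.currentTimeMillis();
    }

    /** Reads the host certificate file as an X.509 certificate via the BC provider. */
    private X509Certificate readHostCertificate() throws CertificateException, IOException, NoSuchProviderException {
        try (FileInputStream in = new FileInputStream(_hostCertificatePath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(in);
        }
    }

    /**
     * Reads the first PEM object of the host key file and returns its private key.
     *
     * @throws InvalidKeySpecException if the file holds no key pair or private key
     */
    private PrivateKey readHostKey() throws NoSuchAlgorithmException, IOException, InvalidKeySpecException {
        // PEM is ASCII; fix the charset instead of relying on the platform default.
        try (PEMReader reader = new PEMReader(new BufferedReader(new InputStreamReader(new FileInputStream(_hostKeyPath), StandardCharsets.UTF_8)))) {
            Object pem = reader.readObject();
            if (pem instanceof KeyPair) {
                return ((KeyPair) pem).getPrivate();
            }
            if (pem instanceof PrivateKey) {
                return (PrivateKey) pem;
            }
            // Report the mismatch as a key error instead of a bare ClassCastException/NPE.
            String found = pem == null ? "no PEM object" : pem.getClass().getName();
            throw new InvalidKeySpecException("No private key found in " + _hostKeyPath + " (found " + found + ")");
        }
    }

    /**
     * Validates the candidate host certificate against the cached trust anchors,
     * their signing policies and the given CRLs. Must be called with the lock held.
     */
    private void verifyHostCertificate(X509Certificate certificate, CertificateRevocationLists crls) throws ProxyPathValidatorException {
        _proxyValidator.validate(new X509Certificate[]{certificate}, _trustedCerts.getCertificates(), crls, _trustedCerts.getSigningPolicies());
    }

    static {
        // Registers the "BC" provider used by readHostCertificate(); adding an
        // already-installed provider is a no-op.
        Security.addProvider(new BouncyCastleProvider());
    }
}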
