package org.dcache.xrootd.plugins.authn.gsi;

import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.ProxySupport;
import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;
import eu.emi.security.authn.x509.impl.PEMCredential;
import eu.emi.security.authn.x509.impl.ValidatorParams;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.util.Objects;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import org.dcache.xrootd.plugins.AuthenticationFactory;
import org.dcache.xrootd.plugins.AuthenticationHandler;
import org.dcache.xrootd.plugins.InvalidHandlerConfigurationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIAuthenticationFactory.class */
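public class GSIAuthenticationFactory implements AuthenticationFactory {
    private static final Logger _logger = LoggerFactory.getLogger(GSIAuthenticationFactory.class);

    private final String _hostCertificatePath;
    private final String _hostKeyPath;
    private final String _caCertificatePath;
    private final X509CertChainValidator _validator;
    /** Minimum age (ms) of the cached host credential before it is re-read from disk. */
    private final long _hostCertRefreshInterval;
    /** Interval (ms) handed to the validator for re-reading the trust-anchor directory. */
    private final long _trustAnchorRefreshInterval;
    /** Whether the host certificate chain must validate against the CA store before it is used. */
    private final boolean _verifyHostCertificate;
    /** Wall-clock time (ms) of the last successful credential load; 0 until the first load. Guarded by {@code this}. */
    private long _hostCertRefreshTimestamp = 0;
    /** Last successfully loaded (and, if enabled, validated) host credential. Guarded by {@code this}. */
    private PEMCredential _hostCredential;

    /**
     * Builds the factory from the {@code xrootd.gsi.*} properties and constructs the
     * certificate-chain validator used for both client authentication and (optionally)
     * host-certificate verification.
     *
     * @param properties configuration; the {@code xrootd.gsi.hostcert.refresh},
     *        {@code xrootd.gsi.ca.refresh} values are integers, their {@code .unit}
     *        companions are {@link TimeUnit} names, and the {@code *-mode} keys are
     *        canl enum names
     * @throws NullPointerException if a required enum-valued property is missing
     * @throws IllegalArgumentException if an enum-valued property has an unknown name
     * @throws NumberFormatException if a refresh value is not an integer
     */
    public GSIAuthenticationFactory(Properties properties) {
        Objects.requireNonNull(properties, "properties");
        _hostKeyPath = properties.getProperty("xrootd.gsi.hostcert.key");
        _hostCertificatePath = properties.getProperty("xrootd.gsi.hostcert.cert");
        _hostCertRefreshInterval = intervalMillis(properties, "xrootd.gsi.hostcert.refresh", "xrootd.gsi.hostcert.refresh.unit");
        _verifyHostCertificate = Boolean.parseBoolean(properties.getProperty("xrootd.gsi.hostcert.verify"));
        _caCertificatePath = properties.getProperty("xrootd.gsi.ca.path");
        _trustAnchorRefreshInterval = intervalMillis(properties, "xrootd.gsi.ca.refresh", "xrootd.gsi.ca.refresh.unit");
        _validator = createValidator(properties, _caCertificatePath, _trustAnchorRefreshInterval);
    }

    /**
     * Returns the value of {@code key}, failing with the key name in the message when it is unset
     * (instead of the bare NPE that {@code valueOf(null)} would produce).
     */
    private static String requireProperty(Properties properties, String key) {
        return Objects.requireNonNull(properties.getProperty(key), key);
    }

    /** Combines an integer property and a {@link TimeUnit}-named property into milliseconds. */
    private static long intervalMillis(Properties properties, String valueKey, String unitKey) {
        TimeUnit unit = TimeUnit.valueOf(requireProperty(properties, unitKey));
        int value = Integer.parseInt(properties.getProperty(valueKey));
        return unit.toMillis(value);
    }

    /**
     * Creates the OpenSSL-layout trust-store validator with the configured namespace, CRL and
     * OCSP checking modes; proxy certificates are always accepted ({@link ProxySupport#ALLOW}).
     */
    private static X509CertChainValidator createValidator(Properties properties, String caPath, long refreshIntervalMillis) {
        NamespaceCheckingMode namespaceMode = NamespaceCheckingMode.valueOf(requireProperty(properties, "xrootd.gsi.ca.namespace-mode"));
        CrlCheckingMode crlMode = CrlCheckingMode.valueOf(requireProperty(properties, "xrootd.gsi.ca.crl-mode"));
        OCSPCheckingMode ocspMode = OCSPCheckingMode.valueOf(requireProperty(properties, "xrootd.gsi.ca.ocsp-mode"));
        RevocationParameters revocation = new RevocationParameters(crlMode, new OCSPParametes(ocspMode));
        ValidatorParams params = new ValidatorParams(revocation, ProxySupport.ALLOW);
        // The two boolean flags are passed exactly as before; presumably openssl1Mode and
        // lazyMode in canl's constructor — confirm against the canl javadoc before changing.
        return new OpensslCertChainValidator(caPath, false, namespaceMode, refreshIntervalMillis, params, false);
    }

    /**
     * Creates a handler bound to the current host credential, reloading the credential from
     * disk first if it is absent or older than the refresh interval.
     *
     * @throws InvalidHandlerConfigurationException if the key/certificate files cannot be read,
     *         or if the host certificate fails validation when verification is enabled
     */
    @Override
    public AuthenticationHandler createHandler() throws InvalidHandlerConfigurationException {
        try {
            // Use the credential returned under the lock so the handler is built from the
            // same object that was just loaded/validated.
            return new GSIAuthenticationHandler(loadServerCredentials(), _validator);
        } catch (IOException e) {
            throw new InvalidHandlerConfigurationException("Could not read certificates/key from file-system", e);
        } catch (GeneralSecurityException e) {
            throw new InvalidHandlerConfigurationException("Could not load certificates/key due to security error", e);
        }
    }

    /**
     * Returns the cached host credential, re-reading it from the key/cert paths when it has
     * never been loaded or the refresh interval has elapsed. When
     * {@code xrootd.gsi.hostcert.verify} is set, the chain is validated against the CA store and
     * a failing chain is rejected: the cache keeps the previous credential and the next call
     * retries. Synchronized so concurrent {@link #createHandler()} calls load at most once.
     *
     * @throws CertificateException if the chain fails validation or cannot be parsed
     * @throws KeyStoreException propagated from {@link PEMCredential}
     * @throws IOException if the key or certificate file cannot be read
     */
    private synchronized PEMCredential loadServerCredentials() throws CertificateException, KeyStoreException, IOException {
        long sinceLastRefresh = System.currentTimeMillis() - _hostCertRefreshTimestamp;
        if (_hostCredential != null && sinceLastRefresh < _hostCertRefreshInterval) {
            return _hostCredential;
        }
        _logger.info("Time since last server cert refresh {}", sinceLastRefresh);
        _logger.info("Loading server certificates. Current refresh interval: {} ms", _hostCertRefreshInterval);
        PEMCredential credential = new PEMCredential(_hostKeyPath, _hostCertificatePath, (char[]) null);
        if (_verifyHostCertificate) {
            _logger.info("Verifying host certificate");
            // validate() reports problems through its result rather than by throwing, so the
            // result must be inspected or verification is a no-op.
            if (!_validator.validate(credential.getCertificateChain()).isValid()) {
                throw new CertificateException("Host certificate " + _hostCertificatePath
                        + " failed validation against the trust anchors in " + _caCertificatePath);
            }
        }
        _hostCredential = credential;
        _hostCertRefreshTimestamp = System.currentTimeMillis();
        return credential;
    }
}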
