package org.dcache.xrootd.plugins.authn.gsi;

import com.google.common.base.Joiner;
import eu.emi.security.authn.x509.helpers.trust.OpensslTruststoreHelper;
import eu.emi.security.authn.x509.proxy.ProxyCertificate;
import eu.emi.security.authn.x509.proxy.ProxyCertificateOptions;
import eu.emi.security.authn.x509.proxy.ProxyGenerator;
import io.netty.channel.ChannelHandler;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Properties;
import org.dcache.xrootd.plugins.ChannelHandlerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationFactory.class */
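/**
 * Factory for the client-side GSI authentication handler, described by
 * {@link #getDescription()} as the plugin used for third-party transfers.
 *
 * <p>Each handler is given a proxy credential derived from the host credential
 * held by the base class, together with the OpenSSL CA hashes of the issuers
 * found in that proxy's certificate chain.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The proxy is built from a {@link ProxyCertificateOptions} that is
 *       constructed from the host certificate chain only, so the library
 *       defaults for lifetime, key size and proxy type apply. Check that those
 *       defaults match the site's delegation policy.</li>
 *   <li>{@link #proxy} and {@link #hostCredIssuerHashes} are written under the
 *       instance lock and must be read under the same lock to get a matching
 *       pair.</li>
 * </ul>
 */
public class GSIClientAuthenticationFactory extends BaseGSIAuthenticationFactory implements ChannelHandlerFactory {
    // '|'-separated OpenSSL hashes of the issuers in the proxy chain; guarded by "this".
    private String hostCredIssuerHashes;
    // Proxy credential generated from the host credential; guarded by "this".
    private ProxyCertificate proxy;

    /**
     * Creates the factory; all configuration handling is delegated to the base class.
     *
     * @param properties plugin configuration passed through to the base class
     */
    public GSIClientAuthenticationFactory(Properties properties) {
        super(properties);
    }

    /**
     * Refreshes the credentials and builds a new client authentication handler.
     *
     * <p>Every call invokes {@link #loadServerCredentials()}, which generates a
     * new proxy. The proxy and its issuer hashes are captured while the instance
     * lock is still held, so a concurrent refresh on another thread cannot hand
     * this handler a proxy from one refresh and hashes from another.
     *
     * @return a handler initialised with the current proxy credential
     * @throws RuntimeException if the credentials cannot be read or processed;
     *         the underlying exception is preserved as the cause
     */
    public ChannelHandler createHandler() {
        try {
            final ProxyCertificate currentProxy;
            final String issuerHashes;
            // The lock is reentrant, so calling the synchronized loader here is safe.
            synchronized (this) {
                loadServerCredentials();
                currentProxy = this.proxy;
                issuerHashes = this.hostCredIssuerHashes;
            }
            // NOTE(review): validator and caCertificatePath belong to the base class;
            // how they are synchronised is not visible here. Confirm.
            return new GSIClientAuthenticationHandler(currentProxy.getCredential(), this.validator, this.caCertificatePath, issuerHashes);
        } catch (IOException e) {
            throw new RuntimeException("Could not read certificates/key from file-system", e);
        } catch (GeneralSecurityException e2) {
            throw new RuntimeException("Could not load certificates/key due to security error", e2);
        }
    }

    /**
     * @return a human-readable description of this plugin
     */
    public String getDescription() {
        return "GSI authentication client plugin for third-party transfers";
    }

    /**
     * @return the protocol name defined by {@link BaseGSIAuthenticationHandler#PROTOCOL}
     */
    public String getName() {
        return BaseGSIAuthenticationHandler.PROTOCOL;
    }

    /**
     * Loads the host credential through the base class, then derives the proxy
     * credential and the issuer hashes from it.
     *
     * <p>The host private key is passed to {@link ProxyGenerator#generate} together
     * with options built from the host certificate chain.
     *
     * @throws CertificateException if the base class fails or the proxy cannot be
     *         generated (key, algorithm or signature errors are wrapped)
     * @throws KeyStoreException as declared by the base class implementation
     * @throws IOException as declared by the base class implementation
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.dcache.xrootd.plugins.authn.gsi.BaseGSIAuthenticationFactory
    public synchronized void loadServerCredentials() throws CertificateException, KeyStoreException, IOException {
        super.loadServerCredentials();
        try {
            // Only the chain is supplied, so every other proxy option keeps its library default.
            this.proxy = ProxyGenerator.generate(new ProxyCertificateOptions(this.hostCredential.getCertificateChain()), this.hostCredential.getKey());
            this.hostCredIssuerHashes = getHostCredIssuerHashes();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new CertificateException("could not generate host proxy credential.", e);
        }
    }

    /**
     * Collects the OpenSSL CA hash of every issuer in the current proxy chain.
     *
     * <p>Duplicates are dropped. Because the hashes pass through a {@link HashSet},
     * their order in the returned string is unspecified.
     *
     * @return the distinct issuer hashes joined with {@code '|'}
     */
    private String getHostCredIssuerHashes() {
        HashSet<String> issuerHashes = new HashSet<>();
        for (X509Certificate certificate : this.proxy.getCertificateChain()) {
            // NOTE(review): the `true` flag presumably selects the OpenSSL 1.x hash
            // form; confirm against the canl API.
            issuerHashes.add(OpensslTruststoreHelper.getOpenSSLCAHash(certificate.getIssuerX500Principal(), true));
        }
        return Joiner.on("|").join(issuerHashes);
    }
}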
