package org.dcache.xrootd.plugins.authn.gsi;

import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelId;
import io.netty.channel.ChannelInboundHandler;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.authn.gsi.BaseGSIAuthenticationHandler;
import org.dcache.xrootd.security.NestedBucketBuffer;
import org.dcache.xrootd.security.RawBucket;
import org.dcache.xrootd.security.StringBucket;
import org.dcache.xrootd.security.XrootdBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.dcache.xrootd.tpc.AbstractClientRequestHandler;
import org.dcache.xrootd.tpc.XrootdTpcClient;
import org.dcache.xrootd.tpc.XrootdTpcInfo;
import org.dcache.xrootd.tpc.protocol.messages.AbstractXrootdInboundResponse;
import org.dcache.xrootd.tpc.protocol.messages.InboundAttnResponse;
import org.dcache.xrootd.tpc.protocol.messages.InboundAuthenticationResponse;
import org.dcache.xrootd.tpc.protocol.messages.InboundLoginResponse;
import org.dcache.xrootd.tpc.protocol.messages.OutboundAuthenticationRequest;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationHandler.class */
public class GSIClientAuthenticationHandler extends AbstractClientRequestHandler implements ChannelInboundHandler {
    private BaseGSIAuthenticationHandler handler;
    private String issuerHashes;

    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationHandler$BucketContainerBuilder.class */
    interface BucketContainerBuilder {
        BaseGSIAuthenticationHandler.XrootdBucketContainer buildContainer();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationHandler$InboundResponseBuckets.class */
    public class InboundResponseBuckets {
        private String srcHost;
        private byte[] signedChallenge;
        private byte[] puk;
        private String hostProxyCert;
        private String selectedCipher;
        private String selectedDigest;
        private RawBucket signedRTagBucket;
        private StringBucket randomTagBucket;
        private StringBucket dhPublicBucket;
        private StringBucket cipherBucket;
        private StringBucket digestBucket;
        private StringBucket serverX509Bucket;
        private X509Certificate serverCert;
        private DHSession session;
        private String rtag;
        private Cipher challengeCipher;

        InboundResponseBuckets(InboundAuthenticationResponse inboundAuthenticationResponse, XrootdTpcClient xrootdTpcClient) throws GeneralSecurityException {
            this.srcHost = xrootdTpcClient.getInfo().getSrcHost();
            this.rtag = (String) xrootdTpcClient.getAuthnContext().get("rtag");
            if (!inboundAuthenticationResponse.getProtocol().equals(BaseGSIAuthenticationHandler.PROTOCOL)) {
                throw new GeneralSecurityException("server replied with incorrect protocol: " + inboundAuthenticationResponse.getProtocol());
            }
            if (inboundAuthenticationResponse.getServerStep() != 2001) {
                throw new GeneralSecurityException("server replied with incorrect step: " + inboundAuthenticationResponse.getServerStep());
            }
            Map buckets = inboundAuthenticationResponse.getBuckets();
            this.dhPublicBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_puk);
            this.cipherBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg);
            this.digestBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_md_alg);
            this.serverX509Bucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_x509);
            this.signedRTagBucket = (RawBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag);
            this.randomTagBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_rtag);
        }

        void finalizeDHSessionKey() throws IOException, GeneralSecurityException, XrootdException {
            this.session = new DHSession(false);
            this.session.finaliseKeyAgreement(this.dhPublicBucket.getContent());
            this.puk = this.session.getEncodedDHMaterial().getBytes();
        }

        void encodeHostCerts() throws CertificateEncodingException {
            StringBuilder sb = new StringBuilder();
            for (X509Certificate x509Certificate : GSIClientAuthenticationHandler.this.handler.hostCredential.getCertificateChain()) {
                x509Certificate.getEncoded();
                sb.append(CertUtil.certToPEM(x509Certificate));
            }
            this.hostProxyCert = sb.toString();
        }

        void signChallenge() throws InvalidKeyException, BadPaddingException, IllegalBlockSizeException, IOException {
            this.challengeCipher.init(1, GSIClientAuthenticationHandler.this.handler.hostCredential.getKey());
            this.challengeCipher.update(this.randomTagBucket.getContent().getBytes());
            this.signedChallenge = this.challengeCipher.doFinal();
        }

        void validateCertificate() throws IOException, GeneralSecurityException {
            X509Certificate[] loadCertificateChain = CertificateUtils.loadCertificateChain(new ByteArrayInputStream(this.serverX509Bucket.getContent().getBytes(StandardCharsets.US_ASCII)), CertificateUtils.Encoding.PEM);
            if (loadCertificateChain.length == 0) {
                throw new IllegalArgumentException("Could not parse server certificate from input stream!");
            }
            this.serverCert = loadCertificateChain[0];
            GSIClientAuthenticationHandler.this.handler.validator.validate(loadCertificateChain);
            if (!this.serverCert.getSubjectDN().getName().contains(this.srcHost) && !BaseGSIAuthenticationHandler.CERT_CHECKER.checkMatching(this.srcHost, this.serverCert)) {
                throw new GeneralSecurityException("The name of the source server does not match any subject name of the received credential.");
            }
        }

        void validateCiphers() throws XrootdException {
            String[] split = this.cipherBucket.getContent().split("[:]");
            int length = split.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                String str = split[i];
                if (BaseGSIAuthenticationHandler.SUPPORTED_CIPHER_ALGORITHMS.contains(str)) {
                    this.selectedCipher = str;
                    break;
                }
                i++;
            }
            if (this.selectedCipher == null) {
                throw new XrootdException(4003, "all server ciphers are unsupported: " + this.cipherBucket.getContent());
            }
        }

        void validateDigests() throws XrootdException {
            String[] split = this.digestBucket.getContent().split("[:]");
            int length = split.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                String str = split[i];
                if (BaseGSIAuthenticationHandler.SUPPORTED_DIGESTS.contains(str)) {
                    this.selectedDigest = str;
                    break;
                }
                i++;
            }
            if (this.selectedDigest == null) {
                throw new XrootdException(4003, "all server digests are unsupported: " + this.digestBucket.getContent());
            }
        }

        void validateSignedChallenge() throws XrootdException, InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException, BadPaddingException, IllegalBlockSizeException {
            this.challengeCipher = Cipher.getInstance("RSA/NONE/PKCS1Padding", "BC");
            this.challengeCipher.init(2, this.serverCert.getPublicKey());
            String str = new String(this.challengeCipher.doFinal(this.signedRTagBucket.getContent()), StandardCharsets.US_ASCII);
            if (this.rtag.equals(str)) {
                GSIClientAuthenticationHandler.LOGGER.trace("signature of challenge tag ok. Challenge: {}, rTagString: {}", this.rtag, str);
            } else {
                GSIClientAuthenticationHandler.LOGGER.error("The challenge is {}, the serialized rTag is {}.signature of challenge tag has been proven wrong!!", this.rtag, str);
                throw new XrootdException(3006, "Client did not present correct challenge response!");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationHandler$OutboundRequestBuckets.class */
    public class OutboundRequestBuckets implements BucketContainerBuilder {
        private StringBucket cryptoBucket;
        private StringBucket versionBucket;
        private StringBucket issuerBucket;
        private NestedBucketBuffer mainBucket;

        OutboundRequestBuckets(String str) throws XrootdException {
            EnumMap enumMap = new EnumMap(XrootdSecurityProtocol.BucketType.class);
            StringBucket stringBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_rtag, str);
            enumMap.put((EnumMap) stringBucket.getType(), (XrootdSecurityProtocol.BucketType) stringBucket);
            this.mainBucket = new NestedBucketBuffer(XrootdSecurityProtocol.BucketType.kXRS_main, BaseGSIAuthenticationHandler.PROTOCOL, 1000, enumMap);
            this.cryptoBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cryptomod, BaseGSIAuthenticationHandler.CRYPTO_MODE);
            this.versionBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_version, BaseGSIAuthenticationHandler.PROTOCOL_VERSION.substring(0, 4));
            this.issuerBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_issuer_hash, GSIClientAuthenticationHandler.this.issuerHashes);
        }

        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientAuthenticationHandler.BucketContainerBuilder
        public BaseGSIAuthenticationHandler.XrootdBucketContainer buildContainer() {
            return GSIClientAuthenticationHandler.build(this.cryptoBucket, this.versionBucket, this.issuerBucket, this.mainBucket);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationHandler$OutboundResponseBuckets.class */
    public class OutboundResponseBuckets implements BucketContainerBuilder {
        RawBucket encryptedBucket;
        RawBucket pukBucket;
        StringBucket cipherBucket;
        StringBucket digestBucket;

        OutboundResponseBuckets(InboundResponseBuckets inboundResponseBuckets, ChannelHandlerContext channelHandlerContext) throws NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, NoSuchProviderException, InvalidKeyException {
            this.pukBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_puk, inboundResponseBuckets.puk);
            this.cipherBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg, inboundResponseBuckets.selectedCipher);
            this.digestBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_md_alg, inboundResponseBuckets.selectedDigest);
            StringBucket stringBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_x509, inboundResponseBuckets.hostProxyCert);
            RawBucket rawBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag, inboundResponseBuckets.signedChallenge);
            ByteBuf buffer = channelHandlerContext.alloc().buffer();
            byte[] bytes = BaseGSIAuthenticationHandler.PROTOCOL.getBytes(StandardCharsets.US_ASCII);
            buffer.writeBytes(bytes);
            buffer.writeZero(4 - bytes.length);
            buffer.writeInt(1001);
            rawBucket.serialize(buffer);
            stringBucket.serialize(buffer);
            buffer.writeInt(XrootdSecurityProtocol.BucketType.kXRS_none.getCode());
            byte[] bArr = new byte[buffer.readableBytes()];
            buffer.getBytes(0, bArr);
            buffer.release();
            this.encryptedBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_main, inboundResponseBuckets.session.encrypt("AES/CBC/PKCS5Padding", "AES", 16, bArr));
        }

        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientAuthenticationHandler.BucketContainerBuilder
        public BaseGSIAuthenticationHandler.XrootdBucketContainer buildContainer() {
            return GSIClientAuthenticationHandler.build(this.encryptedBucket, this.cipherBucket, this.digestBucket, this.pukBucket);
        }
    }

    static BaseGSIAuthenticationHandler.XrootdBucketContainer build(XrootdBucket... xrootdBucketArr) {
        int i = 0;
        ArrayList arrayList = new ArrayList();
        for (XrootdBucket xrootdBucket : xrootdBucketArr) {
            arrayList.add(xrootdBucket);
            i += xrootdBucket.getSize();
        }
        return new BaseGSIAuthenticationHandler.XrootdBucketContainer(arrayList, i);
    }

    public GSIClientAuthenticationHandler(X509Credential x509Credential, X509CertChainValidator x509CertChainValidator, String str, String str2) {
        this.handler = new BaseGSIAuthenticationHandler(x509Credential, x509CertChainValidator, str);
        this.issuerHashes = str2;
    }

    protected void doOnAsynResponse(ChannelHandlerContext channelHandlerContext, InboundAttnResponse inboundAttnResponse) {
        switch (inboundAttnResponse.getRequestId()) {
            case 3000:
                try {
                    sendAuthenticationRequest(channelHandlerContext);
                    return;
                } catch (XrootdException e) {
                    exceptionCaught(channelHandlerContext, e);
                    return;
                }
            default:
                super.doOnAsynResponse(channelHandlerContext, inboundAttnResponse);
                return;
        }
    }

    protected void doOnAuthenticationResponse(ChannelHandlerContext channelHandlerContext, InboundAuthenticationResponse inboundAuthenticationResponse) {
        ChannelId id = channelHandlerContext.channel().id();
        int status = inboundAuthenticationResponse.getStatus();
        int streamId = this.client.getStreamId();
        XrootdTpcInfo info = this.client.getInfo();
        switch (status) {
            case 0:
                LOGGER.trace("Authentication to {}, channel {}, stream {}, sessionId {} succeeded; passing to next handler.", new Object[]{info.getSrc(), id, Integer.valueOf(streamId), this.client.getSessionId()});
                channelHandlerContext.fireChannelRead(inboundAuthenticationResponse);
                return;
            case 4002:
                LOGGER.trace("Authentication to {}, channel {}, stream {}, sessionId {}, proceeding to next step.", new Object[]{info.getSrc(), id, Integer.valueOf(streamId), this.client.getSessionId()});
                try {
                    this.client.setAuthResponse(inboundAuthenticationResponse);
                    sendAuthenticationRequest(channelHandlerContext);
                    return;
                } catch (XrootdException e) {
                    exceptionCaught(channelHandlerContext, e);
                    return;
                }
            default:
                exceptionCaught(channelHandlerContext, new RuntimeException("wrong status from authentication response: " + status));
                return;
        }
    }

    protected void doOnLoginResponse(ChannelHandlerContext channelHandlerContext, InboundLoginResponse inboundLoginResponse) {
        ChannelId id = channelHandlerContext.channel().id();
        String sec = inboundLoginResponse.getSec();
        int streamId = this.client.getStreamId();
        XrootdTpcInfo info = this.client.getInfo();
        if (sec == null) {
            LOGGER.trace("login to {}, channel {}, stream {}, session {}, does not require authentication; passing to next handler in chain.", new Object[]{info.getSrc(), id, Integer.valueOf(streamId), this.client.getSessionId()});
            channelHandlerContext.fireChannelRead(inboundLoginResponse);
            return;
        }
        try {
            if (isGsiRequired(sec)) {
                parseSec(sec);
                sendAuthenticationRequest(channelHandlerContext);
            } else {
                LOGGER.trace("login to {}, channel {}, stream {}, session {}, requires a different protocol; passing to next handler in chain.", new Object[]{info.getSrc(), id, Integer.valueOf(streamId), this.client.getSessionId()});
                channelHandlerContext.fireChannelRead(inboundLoginResponse);
            }
        } catch (XrootdException e) {
            exceptionCaught(channelHandlerContext, e);
        }
    }

    protected void doOnWaitResponse(final ChannelHandlerContext channelHandlerContext, AbstractXrootdInboundResponse abstractXrootdInboundResponse) {
        switch (abstractXrootdInboundResponse.getRequestId()) {
            case 3000:
                this.client.getExecutor().schedule(new Runnable() { // from class: org.dcache.xrootd.plugins.authn.gsi.GSIClientAuthenticationHandler.1
                    @Override // java.lang.Runnable
                    public void run() {
                        try {
                            GSIClientAuthenticationHandler.this.sendAuthenticationRequest(channelHandlerContext);
                        } catch (XrootdException e) {
                            GSIClientAuthenticationHandler.this.exceptionCaught(channelHandlerContext, e);
                        }
                    }
                }, getWaitInSeconds(abstractXrootdInboundResponse), TimeUnit.SECONDS);
                return;
            default:
                channelHandlerContext.fireChannelRead(abstractXrootdInboundResponse);
                return;
        }
    }

    protected void sendAuthenticationRequest(ChannelHandlerContext channelHandlerContext) throws XrootdException {
        OutboundAuthenticationRequest handleCertReqStep;
        ChannelId id = channelHandlerContext.channel().id();
        int streamId = this.client.getStreamId();
        XrootdTpcInfo info = this.client.getInfo();
        InboundAuthenticationResponse authResponse = this.client.getAuthResponse();
        if (authResponse != null) {
            handleCertReqStep = handleCertStep(authResponse, channelHandlerContext);
            LOGGER.trace("sendAuthenticationRequest to {}, channel {}, stream {}, step: cert.", new Object[]{info.getSrc(), id, Integer.valueOf(streamId)});
        } else {
            handleCertReqStep = handleCertReqStep();
            LOGGER.trace("sendAuthenticationRequest to {}, channel {}, stream {}, step: cert request.", new Object[]{info.getSrc(), id, Integer.valueOf(streamId)});
        }
        this.client.setExpectedResponse(3000);
        this.client.setAuthResponse((InboundAuthenticationResponse) null);
        channelHandlerContext.writeAndFlush(handleCertReqStep, channelHandlerContext.newPromise()).addListener(ChannelFutureListener.FIRE_EXCEPTION_ON_FAILURE);
    }

    private OutboundAuthenticationRequest handleCertReqStep() throws XrootdException {
        String str = (String) this.client.getAuthnContext().get("encryption");
        if (!str.equalsIgnoreCase(BaseGSIAuthenticationHandler.CRYPTO_MODE)) {
            throw new XrootdException(4003, "handler does not support " + str);
        }
        this.handler.checkCaIdentities((String[]) this.client.getAuthnContext().get("caIdentities"));
        this.handler.checkVersion((String) this.client.getAuthnContext().get("version"));
        String generateChallengeString = this.handler.generateChallengeString();
        this.client.getAuthnContext().put("rtag", generateChallengeString);
        BaseGSIAuthenticationHandler.XrootdBucketContainer buildContainer = new OutboundRequestBuckets(generateChallengeString).buildContainer();
        return new OutboundAuthenticationRequest(this.client.getStreamId(), buildContainer.getSize(), BaseGSIAuthenticationHandler.PROTOCOL, 1000, buildContainer.getBuckets());
    }

    private OutboundAuthenticationRequest handleCertStep(InboundAuthenticationResponse inboundAuthenticationResponse, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        try {
            InboundResponseBuckets inboundResponseBuckets = new InboundResponseBuckets(inboundAuthenticationResponse, this.client);
            inboundResponseBuckets.validateCiphers();
            inboundResponseBuckets.validateDigests();
            inboundResponseBuckets.validateCertificate();
            inboundResponseBuckets.validateSignedChallenge();
            inboundResponseBuckets.signChallenge();
            inboundResponseBuckets.encodeHostCerts();
            inboundResponseBuckets.finalizeDHSessionKey();
            this.client.setSigverRequestHandler(new GSISigverRequestHandler(new DHEncrypter(inboundResponseBuckets.session, "AES/CBC/PKCS5Padding", "AES", 16), this.client));
            BaseGSIAuthenticationHandler.XrootdBucketContainer buildContainer = new OutboundResponseBuckets(inboundResponseBuckets, channelHandlerContext).buildContainer();
            return new OutboundAuthenticationRequest(inboundAuthenticationResponse.getStreamId(), buildContainer.getSize(), BaseGSIAuthenticationHandler.PROTOCOL, 1001, buildContainer.getBuckets());
        } catch (IOException e) {
            LOGGER.error(new StringBuilder().append("Problems during cert step {}.").append(e.getMessage()).toString() == null ? e.getClass().getName() : e.getMessage());
            throw new XrootdException(3012, "Internal error occurred during cert step.");
        } catch (InvalidKeyException e2) {
            LOGGER.error("The key negotiated by DH key exchange appears to be invalid: {}", e2.getMessage());
            throw new XrootdException(3006, "Could not decrypt server information with negotiated key.");
        } catch (GeneralSecurityException e3) {
            LOGGER.error("Cryptographic issues encountered during cert step: {}", e3.getMessage());
            throw new XrootdException(3012, "Could not complete cert step: an error occurred during cryptographic operations.");
        }
    }

    private boolean isGsiRequired(String str) throws XrootdException {
        if (str.startsWith("&P=")) {
            return BaseGSIAuthenticationHandler.PROTOCOL.equals(str.substring(3, str.indexOf(",")));
        }
        throw new XrootdException(4003, "Malformed 'sec': " + str);
    }

    /* JADX WARN: Removed duplicated region for block: B:21:0x00dc  */
    /* JADX WARN: Removed duplicated region for block: B:24:0x00f2  */
    /* JADX WARN: Removed duplicated region for block: B:26:0x0108  */
    /* JADX WARN: Removed duplicated region for block: B:28:0x0120 A[SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private void parseSec(java.lang.String r7) throws org.dcache.xrootd.core.XrootdException {
        /*
            Method dump skipped, instructions count: 295
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.dcache.xrootd.plugins.authn.gsi.GSIClientAuthenticationHandler.parseSec(java.lang.String):void");
    }
}
