package org.dcache.xrootd.plugins.authn.gsi;

import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import io.netty.buffer.Unpooled;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.security.auth.Subject;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.AuthenticationHandler;
import org.dcache.xrootd.plugins.authn.gsi.BaseGSIAuthenticationHandler;
import org.dcache.xrootd.protocol.messages.AuthenticationRequest;
import org.dcache.xrootd.protocol.messages.AuthenticationResponse;
import org.dcache.xrootd.protocol.messages.OkResponse;
import org.dcache.xrootd.protocol.messages.XrootdResponse;
import org.dcache.xrootd.security.NestedBucketBuffer;
import org.dcache.xrootd.security.RawBucket;
import org.dcache.xrootd.security.StringBucket;
import org.dcache.xrootd.security.XrootdBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIAuthenticationHandler.class */
public class GSIAuthenticationHandler extends BaseGSIAuthenticationHandler implements AuthenticationHandler {
    private final Subject subject;
    private String challenge;
    private Cipher challengeCipher;
    private DHSession dhSession;
    private boolean finished;

    public GSIAuthenticationHandler(X509Credential x509Credential, X509CertChainValidator x509CertChainValidator, String str) {
        super(x509Credential, x509CertChainValidator, str);
        this.challenge = "";
        this.finished = false;
        this.subject = new Subject();
    }

    public XrootdResponse<AuthenticationRequest> authenticate(AuthenticationRequest authenticationRequest) throws XrootdException {
        try {
            if (this.dhSession == null) {
                this.dhSession = new DHSession(true);
            }
            if (!BaseGSIAuthenticationHandler.PROTOCOL.equalsIgnoreCase(authenticationRequest.getProtocol())) {
                throw new XrootdException(3006, "Specified Protocol " + authenticationRequest.getProtocol() + " is not the protocol that was negotiated.");
            }
            switch (authenticationRequest.getStep()) {
                case 0:
                    return new OkResponse(authenticationRequest);
                case 1000:
                    return handleCertReqStep(authenticationRequest);
                case 1001:
                    return handleCertStep(authenticationRequest);
                default:
                    throw new XrootdException(3006, "Error during authentication, unknown processing step: " + authenticationRequest.getStep());
            }
        } catch (GeneralSecurityException e) {
            LOGGER.error("Error setting up cryptographic classes: {}", e.getMessage());
            throw new XrootdException(3012, "Server probably misconfigured.");
        }
    }

    private XrootdResponse<AuthenticationRequest> handleCertReqStep(AuthenticationRequest authenticationRequest) throws XrootdException {
        try {
            this.challengeCipher = Cipher.getInstance("RSA/NONE/PKCS1Padding", "BC");
            this.challengeCipher.init(1, this.credential.getKey());
            this.challengeCipher.update(((StringBucket) ((NestedBucketBuffer) authenticationRequest.getBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_main)).getNestedBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_rtag)).getContent().getBytes());
            byte[] doFinal = this.challengeCipher.doFinal();
            this.challenge = generateChallengeString();
            byte[] bytes = this.dhSession.getEncodedDHMaterial().getBytes();
            this.credential.getCertificate().getEncoded();
            BaseGSIAuthenticationHandler.XrootdBucketContainer buildCertReqResponse = buildCertReqResponse(doFinal, this.challenge, BaseGSIAuthenticationHandler.CRYPTO_MODE, bytes, BaseGSIAuthenticationHandler.SUPPORTED_CIPHER_ALGORITHMS, BaseGSIAuthenticationHandler.SUPPORTED_DIGESTS, CertUtil.certToPEM(this.credential.getCertificate()));
            return new AuthenticationResponse(authenticationRequest, 4002, buildCertReqResponse.getSize(), BaseGSIAuthenticationHandler.PROTOCOL, 2001, buildCertReqResponse.getBuckets());
        } catch (IOException | GeneralSecurityException e) {
            LOGGER.error("Problems during signing of client authN tag (algorithm {}): {}", "RSA/NONE/PKCS1Padding", e.getMessage() == null ? e.getClass().getName() : e.getMessage());
            throw new XrootdException(3012, "Internal error occurred when trying to sign client authentication tag.");
        } catch (InvalidKeyException e2) {
            LOGGER.error("Configured host-key could not be used forsigning rtag: {}", e2.getMessage());
            throw new XrootdException(3012, "Internal error occurred when trying to sign client authentication tag.");
        } catch (CertificateEncodingException e3) {
            LOGGER.error("Could not extract contents of server certificate: {}", e3.getMessage());
            throw new XrootdException(3012, "Internal error occurred when trying to send server certificate.");
        }
    }

    private XrootdResponse<AuthenticationRequest> handleCertStep(AuthenticationRequest authenticationRequest) throws XrootdException {
        try {
            Map buckets = authenticationRequest.getBuckets();
            byte[] content = ((RawBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_main)).getContent();
            this.dhSession.finaliseKeyAgreement(((StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_puk)).getContent());
            NestedBucketBuffer deserialize = NestedBucketBuffer.deserialize(XrootdSecurityProtocol.BucketType.kXRS_main, Unpooled.wrappedBuffer(this.dhSession.decrypt("AES/CBC/PKCS5Padding", "AES", 16, content)));
            X509Certificate[] loadCertificateChain = CertificateUtils.loadCertificateChain(new ByteArrayInputStream(((XrootdBucket) deserialize.getNestedBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_x509)).getContent().getBytes(StandardCharsets.US_ASCII)), CertificateUtils.Encoding.PEM);
            if (loadCertificateChain.length == 0) {
                throw new IllegalArgumentException("Could not parse user certificate from input stream!");
            }
            X509Certificate x509Certificate = loadCertificateChain[0];
            LOGGER.info("The proxy-cert has the subject {} and the issuer {}", x509Certificate.getSubjectDN(), x509Certificate.getIssuerDN());
            this.validator.validate(loadCertificateChain);
            this.subject.getPublicCredentials().add(loadCertificateChain);
            this.challengeCipher.init(2, x509Certificate.getPublicKey());
            String str = new String(this.challengeCipher.doFinal(((XrootdBucket) deserialize.getNestedBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag)).getContent()), StandardCharsets.US_ASCII);
            if (!this.challenge.equals(str)) {
                LOGGER.error("The challenge is {}, the serialized rTag is {}.signature of challenge tag has been proven wrong!!", this.challenge, str);
                throw new XrootdException(3006, "Client did not present correctchallenge response!");
            }
            LOGGER.trace("signature of challenge tag ok. Challenge: {}, rTagString: {}", this.challenge, str);
            this.finished = true;
            return new OkResponse(authenticationRequest);
        } catch (IOException e) {
            LOGGER.error("Could not deserialize main nested buffer {}", e.getMessage() == null ? e.getClass().getName() : e.getMessage());
            throw new XrootdException(3007, "Could not decrypt encrypted client message.");
        } catch (InvalidKeyException e2) {
            LOGGER.error("The key negotiated by DH key exchange appears to be invalid: {}", e2.getMessage());
            throw new XrootdException(3006, "Could not decrypt clientinformation with negotiated key.");
        } catch (InvalidKeySpecException e3) {
            LOGGER.error("DH key negotiation caused problems {}", e3.getMessage());
            throw new XrootdException(3006, "Could not find key negotiation parameters.");
        } catch (GeneralSecurityException e4) {
            LOGGER.error("Error during decrypting/server-side key exchange: {}", e4.getMessage());
            throw new XrootdException(3012, "Error in server-side cryptographic operations.");
        }
    }

    private BaseGSIAuthenticationHandler.XrootdBucketContainer buildCertReqResponse(byte[] bArr, String str, String str2, byte[] bArr2, String str3, String str4, String str5) {
        ArrayList arrayList = new ArrayList();
        RawBucket rawBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag, bArr);
        StringBucket stringBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_rtag, str);
        EnumMap enumMap = new EnumMap(XrootdSecurityProtocol.BucketType.class);
        enumMap.put((EnumMap) rawBucket.getType(), (XrootdSecurityProtocol.BucketType) rawBucket);
        enumMap.put((EnumMap) stringBucket.getType(), (XrootdSecurityProtocol.BucketType) stringBucket);
        NestedBucketBuffer nestedBucketBuffer = new NestedBucketBuffer(XrootdSecurityProtocol.BucketType.kXRS_main, BaseGSIAuthenticationHandler.PROTOCOL, 2001, enumMap);
        StringBucket stringBucket2 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cryptomod, BaseGSIAuthenticationHandler.CRYPTO_MODE);
        int size = 0 + stringBucket2.getSize();
        arrayList.add(stringBucket2);
        int size2 = size + nestedBucketBuffer.getSize();
        arrayList.add(nestedBucketBuffer);
        RawBucket rawBucket2 = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_puk, bArr2);
        int size3 = size2 + rawBucket2.getSize();
        arrayList.add(rawBucket2);
        StringBucket stringBucket3 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg, str3);
        int size4 = size3 + stringBucket3.getSize();
        arrayList.add(stringBucket3);
        StringBucket stringBucket4 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_md_alg, str4);
        int size5 = size4 + stringBucket4.getSize();
        arrayList.add(stringBucket4);
        StringBucket stringBucket5 = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_x509, str5);
        int size6 = size5 + stringBucket5.getSize();
        arrayList.add(stringBucket5);
        return new BaseGSIAuthenticationHandler.XrootdBucketContainer(arrayList, size6);
    }

    public String getProtocol() {
        return "&P=gsi,v:10200,c:ssl,ca:" + CertUtil.computeMD5Hash(this.credential.getCertificate().getIssuerX500Principal());
    }

    public Subject getSubject() {
        return this.subject;
    }

    public boolean isCompleted() {
        return this.finished;
    }
}
