package org.dcache.xrootd.plugins.authn.gsi;

import com.google.common.base.Joiner;
import com.google.common.base.Strings;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.trust.OpensslTruststoreHelper;
import eu.emi.security.authn.x509.impl.PEMCredential;
import eu.emi.security.authn.x509.proxy.ProxyCertificateOptions;
import eu.emi.security.authn.x509.proxy.ProxyGenerator;
import io.netty.channel.ChannelHandler;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.dcache.xrootd.plugins.ChannelHandlerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientAuthenticationFactory.class */
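/**
 * Creates client-side GSI authentication handlers used when this server acts as the
 * client in a third-party-copy (TPC) transfer.
 *
 * <p>The credential handed to each handler is a proxy: either one read from
 * {@code xrootd.gsi.tpc.proxy.path}, or one generated on the fly from the
 * certificate/key pair named by {@code xrootd.gsi.tpc.cred.cert} and
 * {@code xrootd.gsi.tpc.cred.key}. The proxy is loaded lazily on the first
 * {@link #createHandler()} call and reloaded once the configured refresh interval
 * has elapsed.
 *
 * <p>Thread-safety: the credential state ({@code proxy}, {@code clientCredIssuerHashes},
 * {@code proxyRefreshTimestamp}) is guarded by this instance's monitor. Both the
 * refresh and {@link #createHandler()} hold that monitor, so a handler always receives
 * a proxy together with the issuer hashes computed from that same proxy.
 *
 * <p>Failure semantics: if a refresh fails, the error is logged and the previously
 * loaded proxy (which may by then be near or past expiry) stays in use until the next
 * refresh attempt succeeds. If no proxy has ever been loaded, {@link #createHandler()}
 * throws rather than building a handler without a credential.
 */
public class GSIClientAuthenticationFactory extends BaseGSIAuthenticationFactory implements ChannelHandlerFactory {
    /** Path of the client certificate used to generate a proxy (ignored when proxyPath is set). */
    private final String clientCertificatePath;
    /** Path of the client private key used to generate a proxy (ignored when proxyPath is set). */
    private final String clientKeyPath;
    /** Minimum time, in milliseconds, between two proxy (re)loads. */
    private final long proxyRefreshInterval;
    /** Whether the loaded client certificate chain is passed to the validator before use. */
    private final boolean verifyClientCertificate;
    /** Path of a ready-made proxy; when null or empty a proxy is generated instead. */
    private final String proxyPath;
    /** Certificate/key pair most recently read for proxy generation; null if a proxy file is used. */
    private PEMCredential clientCredential;
    /** Wall-clock time (ms) of the last successful proxy load; 0 until the first one. */
    private long proxyRefreshTimestamp;
    /** '|'-separated OpenSSL CA hashes of the issuers in the current proxy chain. */
    private String clientCredIssuerHashes;
    /** The credential presented to the remote server; null until the first successful load. */
    private X509Credential proxy;

    /**
     * Reads the TPC client credential settings from {@code properties}.
     *
     * @param properties plugin configuration; {@code xrootd.gsi.tpc.cred.refresh} and
     *     {@code xrootd.gsi.tpc.cred.refresh.unit} are mandatory, the others may be absent
     * @throws NullPointerException if a mandatory refresh property is missing
     * @throws IllegalArgumentException if the refresh unit is not a {@link TimeUnit} name
     * @throws NumberFormatException if the refresh count is not an integer
     */
    public GSIClientAuthenticationFactory(Properties properties) {
        super(properties);
        this.proxyRefreshTimestamp = 0L;
        this.clientKeyPath = properties.getProperty("xrootd.gsi.tpc.cred.key");
        this.clientCertificatePath = properties.getProperty("xrootd.gsi.tpc.cred.cert");
        // Name the offending key instead of failing with an anonymous NPE inside
        // TimeUnit.valueOf / Integer.parseInt.
        String refreshUnit = Objects.requireNonNull(
                properties.getProperty("xrootd.gsi.tpc.cred.refresh.unit"),
                "xrootd.gsi.tpc.cred.refresh.unit");
        String refreshCount = Objects.requireNonNull(
                properties.getProperty("xrootd.gsi.tpc.cred.refresh"),
                "xrootd.gsi.tpc.cred.refresh");
        this.proxyRefreshInterval = TimeUnit.valueOf(refreshUnit).toMillis(Integer.parseInt(refreshCount));
        this.verifyClientCertificate = Boolean.parseBoolean(properties.getProperty("xrootd.gsi.tpc.cred.verify"));
        this.proxyPath = properties.getProperty("xrootd.gsi.tpc.proxy.path");
    }

    /**
     * Returns a new authentication handler bound to the current proxy credential,
     * refreshing the proxy first if the refresh interval has elapsed.
     *
     * @return a handler carrying the proxy, the validator, the CA path and the issuer hashes
     * @throws IllegalStateException if no proxy could be loaded (details are in the log)
     */
    @Override
    public synchronized ChannelHandler createHandler() {
        loadClientCredentials();
        if (this.proxy == null) {
            // A failed first load leaves no credential at all; refusing to build the handler
            // is preferable to handing a null proxy to the handshake.
            throw new IllegalStateException("No GSI client credential available; " + getCredentialValues());
        }
        return new GSIClientAuthenticationHandler(this.proxy, this.validator, this.caCertificatePath,
                this.clientCredIssuerHashes);
    }

    /** @return a human-readable description of this plugin */
    @Override
    public String getDescription() {
        return "GSI authentication client plugin for third-party transfers";
    }

    /** @return the protocol name shared with the server-side handler */
    @Override
    public String getName() {
        return BaseGSIAuthenticationHandler.PROTOCOL;
    }

    /**
     * (Re)loads the proxy credential if {@link #shouldRefreshClientProxyCredential()} says so.
     *
     * <p>On success {@code proxy}, {@code clientCredIssuerHashes} and
     * {@code proxyRefreshTimestamp} are updated together. On failure all three are left
     * untouched, so the previous proxy remains in use and the next call retries.
     */
    private synchronized void loadClientCredentials() {
        if (!shouldRefreshClientProxyCredential()) {
            return;
        }
        LOGGER.info("Refreshing proxy credential. Current refresh interval: {} ms", this.proxyRefreshInterval);
        try {
            X509Credential refreshed = Strings.isNullOrEmpty(this.proxyPath)
                    ? generateProxyFromClientCredential()
                    : new PEMCredential(this.proxyPath, (char[]) null);
            this.proxy = refreshed;
            // The hashes are derived from the proxy chain, so they only change when it does.
            this.clientCredIssuerHashes = getClientCredIssuerHashes();
            this.proxyRefreshTimestamp = System.currentTimeMillis();
        } catch (IOException e) {
            // Trailing throwable argument keeps the stack trace in the log.
            LOGGER.error("Could not read certificates/key from file-system; {}.", getCredentialValues(), e);
        } catch (GeneralSecurityException e) {
            LOGGER.error("Could not load certificates/key due to security error; {}.", getCredentialValues(), e);
        }
    }

    /**
     * Reads the certificate/key pair and derives a proxy credential from it.
     *
     * @return the generated proxy
     * @throws IOException if the certificate or key file cannot be read
     * @throws GeneralSecurityException if the files cannot be parsed or the proxy cannot be signed
     */
    private X509Credential generateProxyFromClientCredential() throws IOException, GeneralSecurityException {
        this.clientCredential = new PEMCredential(this.clientKeyPath, this.clientCertificatePath, (char[]) null);
        if (this.verifyClientCertificate) {
            LOGGER.info("Verifying client certificate");
            // NOTE(review): the return value of validate() is discarded here. If the validator
            // is a canl X509CertChainValidator, validate() reports failure through its
            // ValidationResult rather than by throwing — confirm that an invalid chain is
            // actually rejected, otherwise this setting has no effect.
            this.validator.validate(this.clientCredential.getCertificateChain());
        }
        try {
            return ProxyGenerator.generate(
                    new ProxyCertificateOptions(this.clientCredential.getCertificateChain()),
                    this.clientCredential.getKey()).getCredential();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new CertificateException("could not generate host proxy credential.", e);
        }
    }

    /**
     * Computes the OpenSSL CA hashes of every issuer in the current proxy chain.
     * Must only be called while {@code proxy} is non-null.
     *
     * @return the distinct hashes joined with {@code '|'} (set order is unspecified)
     */
    private String getClientCredIssuerHashes() {
        Set<String> issuerHashes = new HashSet<>();
        for (X509Certificate certificate : this.proxy.getCertificateChain()) {
            issuerHashes.add(OpensslTruststoreHelper.getOpenSSLCAHash(certificate.getIssuerX500Principal(), true));
        }
        return Joiner.on("|").join(issuerHashes);
    }

    /**
     * Summarises the credential configuration for log messages. Only file paths and
     * issuer hashes are included — never key material.
     *
     * @return a single-line description of the configured paths and current issuer hashes
     */
    private String getCredentialValues() {
        return "client cert path: " + this.clientCertificatePath
                + ", client key path: " + this.clientKeyPath
                + ", client issuer hashes: " + this.clientCredIssuerHashes
                + ", proxy path: " + this.proxyPath;
    }

    /**
     * Decides whether the proxy must be (re)loaded: always when none is loaded yet,
     * otherwise once {@code proxyRefreshInterval} has passed since the last successful load.
     *
     * @return true if a refresh should be attempted now
     */
    private boolean shouldRefreshClientProxyCredential() {
        long elapsedMillis = System.currentTimeMillis() - this.proxyRefreshTimestamp;
        LOGGER.info("Time since last client cert refresh {}", elapsedMillis);
        return this.proxy == null || elapsedMillis >= this.proxyRefreshInterval;
    }
}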
