package org.dcache.xrootd.plugins.authn.gsi.pre49;

import eu.emi.security.authn.x509.impl.CertificateUtils;
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.EnumMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.authn.gsi.CertUtil;
import org.dcache.xrootd.plugins.authn.gsi.DHBufferHandler;
import org.dcache.xrootd.plugins.authn.gsi.DHSession;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainer;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder;
import org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.GSICredentialManager;
import org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler;
import org.dcache.xrootd.security.NestedBucketBuffer;
import org.dcache.xrootd.security.RawBucket;
import org.dcache.xrootd.security.SigningPolicy;
import org.dcache.xrootd.security.StringBucket;
import org.dcache.xrootd.security.UnsignedIntBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.dcache.xrootd.tpc.TpcSigverRequestEncoder;
import org.dcache.xrootd.tpc.XrootdTpcClient;
import org.dcache.xrootd.tpc.protocol.messages.InboundAuthenticationResponse;
import org.dcache.xrootd.tpc.protocol.messages.OutboundAuthenticationRequest;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/pre49/GSIPre49ClientRequestHandler.class */
public class GSIPre49ClientRequestHandler extends GSIClientRequestHandler {

    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/pre49/GSIPre49ClientRequestHandler$InboundResponseBuckets.class */
    class InboundResponseBuckets {
        private String srcHost;
        private byte[] signedChallenge;
        private byte[] puk;
        private String proxyCert;
        private String selectedCipher;
        private String selectedDigest;
        private RawBucket signedRTagBucket;
        private StringBucket randomTagBucket;
        private StringBucket dhPublicBucket;
        private StringBucket cipherBucket;
        private StringBucket digestBucket;
        private StringBucket serverX509Bucket;
        private X509Certificate serverCert;
        private DHSession session;
        private String rtag;
        private Cipher challengeCipher;

        InboundResponseBuckets(InboundAuthenticationResponse inboundAuthenticationResponse, XrootdTpcClient xrootdTpcClient) throws GeneralSecurityException {
            this.srcHost = xrootdTpcClient.getInfo().getSrcHost();
            this.rtag = (String) xrootdTpcClient.getAuthnContext().get("rtag");
            Map buckets = inboundAuthenticationResponse.getBuckets();
            this.dhPublicBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_puk);
            this.cipherBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg);
            this.digestBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_md_alg);
            this.serverX509Bucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_x509);
            this.signedRTagBucket = (RawBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag);
            this.randomTagBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_rtag);
        }

        void finalizeDHSessionKey() throws IOException, GeneralSecurityException, XrootdException {
            this.session = new DHSession(false);
            this.session.finaliseKeyAgreement(this.dhPublicBucket.getContent());
            this.puk = this.session.getEncodedDHMaterial().getBytes();
        }

        void encodeHostCerts() throws CertificateEncodingException {
            StringBuilder sb = new StringBuilder();
            for (X509Certificate x509Certificate : GSIPre49ClientRequestHandler.this.credentialManager.getProxy().getCertificateChain()) {
                x509Certificate.getEncoded();
                sb.append(CertUtil.certToPEM(x509Certificate));
            }
            this.proxyCert = sb.toString();
        }

        void signChallenge() throws InvalidKeyException, BadPaddingException, IllegalBlockSizeException, IOException {
            this.challengeCipher.init(1, GSIPre49ClientRequestHandler.this.credentialManager.getProxy().getKey());
            this.challengeCipher.update(this.randomTagBucket.getContent().getBytes());
            this.signedChallenge = this.challengeCipher.doFinal();
        }

        void validateCertificate() throws IOException, GeneralSecurityException {
            X509Certificate[] loadCertificateChain = CertificateUtils.loadCertificateChain(new ByteArrayInputStream(this.serverX509Bucket.getContent().getBytes(StandardCharsets.US_ASCII)), CertificateUtils.Encoding.PEM);
            if (loadCertificateChain.length == 0) {
                throw new GeneralSecurityException("Could not parse server certificate from input stream!");
            }
            this.serverCert = loadCertificateChain[0];
            GSIPre49ClientRequestHandler.this.credentialManager.getValidator().validate(loadCertificateChain);
            GSICredentialManager.checkIdentity(this.serverCert, this.srcHost);
        }

        void validateCiphers() throws XrootdException {
            String[] split = this.cipherBucket.getContent().split("[:]");
            int length = split.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                String str = split[i];
                if (GSIRequestHandler.SUPPORTED_CIPHER_ALGORITHMS.contains(str)) {
                    this.selectedCipher = str;
                    break;
                }
                i++;
            }
            if (this.selectedCipher == null) {
                throw new XrootdException(4003, "all server ciphers are unsupported: " + this.cipherBucket.getContent());
            }
        }

        void validateDigests() throws XrootdException {
            String[] split = this.digestBucket.getContent().split("[:]");
            int length = split.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                String str = split[i];
                if (GSIRequestHandler.SUPPORTED_DIGESTS.contains(str)) {
                    this.selectedDigest = str;
                    break;
                }
                i++;
            }
            if (this.selectedDigest == null) {
                throw new XrootdException(4003, "all server digests are unsupported: " + this.digestBucket.getContent());
            }
        }

        void validateSignedChallenge() throws XrootdException, InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException, BadPaddingException, IllegalBlockSizeException {
            this.challengeCipher = Cipher.getInstance(GSIRequestHandler.SERVER_ASYNC_CIPHER_MODE, "BC");
            this.challengeCipher.init(2, this.serverCert.getPublicKey());
            String str = new String(this.challengeCipher.doFinal(this.signedRTagBucket.getContent()), StandardCharsets.US_ASCII);
            if (this.rtag.equals(str)) {
                GSIPre49ClientRequestHandler.LOGGER.trace("signature of challenge tag ok. Challenge: {}, rTagString: {}", this.rtag, str);
            } else {
                GSIPre49ClientRequestHandler.LOGGER.error("The challenge is {}, the serialized rTag is {}.signature of challenge tag has been proven wrong!!", this.rtag, str);
                throw new XrootdException(3006, "Client did not present correct challenge response!");
            }
        }
    }

    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/pre49/GSIPre49ClientRequestHandler$OutboundRequestBuckets.class */
    class OutboundRequestBuckets extends GSIBucketContainerBuilder {
        private StringBucket cryptoBucket;
        private UnsignedIntBucket versionBucket;
        private StringBucket issuerBucket;
        private NestedBucketBuffer mainBucket;

        OutboundRequestBuckets(String str) throws XrootdException {
            EnumMap enumMap = new EnumMap(XrootdSecurityProtocol.BucketType.class);
            StringBucket stringBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_rtag, str);
            enumMap.put((EnumMap) stringBucket.getType(), (XrootdSecurityProtocol.BucketType) stringBucket);
            this.mainBucket = new NestedBucketBuffer(XrootdSecurityProtocol.BucketType.kXRS_main, GSIRequestHandler.PROTOCOL, 1000, enumMap);
            this.cryptoBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cryptomod, GSIRequestHandler.CRYPTO_MODE);
            this.versionBucket = new UnsignedIntBucket(XrootdSecurityProtocol.BucketType.kXRS_version, GSIPre49ClientRequestHandler.this.getProtocolVersion());
            this.issuerBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_issuer_hash, GSIPre49ClientRequestHandler.this.credentialManager.getClientCredIssuerHashes());
        }

        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder
        public GSIBucketContainer buildContainer() {
            return GSIBucketContainerBuilder.build(this.cryptoBucket, this.versionBucket, this.issuerBucket, this.mainBucket);
        }
    }

    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/pre49/GSIPre49ClientRequestHandler$OutboundResponseBuckets.class */
    class OutboundResponseBuckets extends GSIBucketContainerBuilder {
        RawBucket encryptedBucket;
        RawBucket pukBucket;
        StringBucket cipherBucket;
        StringBucket digestBucket;

        OutboundResponseBuckets(InboundResponseBuckets inboundResponseBuckets, ChannelHandlerContext channelHandlerContext) throws NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, NoSuchProviderException, InvalidKeyException {
            this.pukBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_puk, inboundResponseBuckets.puk);
            this.cipherBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg, inboundResponseBuckets.selectedCipher);
            this.digestBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_md_alg, inboundResponseBuckets.selectedDigest);
            StringBucket stringBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_x509, inboundResponseBuckets.proxyCert);
            RawBucket rawBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag, inboundResponseBuckets.signedChallenge);
            ByteBuf buffer = channelHandlerContext.alloc().buffer();
            byte[] bytes = GSIRequestHandler.PROTOCOL.getBytes(StandardCharsets.US_ASCII);
            buffer.writeBytes(bytes);
            buffer.writeZero(4 - bytes.length);
            buffer.writeInt(1001);
            rawBucket.serialize(buffer);
            stringBucket.serialize(buffer);
            buffer.writeInt(XrootdSecurityProtocol.BucketType.kXRS_none.getCode());
            byte[] bArr = new byte[buffer.readableBytes()];
            buffer.getBytes(0, bArr);
            buffer.release();
            this.encryptedBucket = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_main, inboundResponseBuckets.session.encrypt(GSIRequestHandler.SERVER_SYNC_CIPHER_MODE, GSIRequestHandler.SERVER_SYNC_CIPHER_NAME, 16, bArr));
        }

        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder
        public GSIBucketContainer buildContainer() {
            return build(this.encryptedBucket, this.cipherBucket, this.digestBucket, this.pukBucket);
        }
    }

    public GSIPre49ClientRequestHandler(GSICredentialManager gSICredentialManager, XrootdTpcClient xrootdTpcClient) {
        super(gSICredentialManager, xrootdTpcClient);
    }

    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler
    public int getProtocolVersion() {
        return 10300;
    }

    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    public OutboundAuthenticationRequest handleCertReqStep() throws XrootdException {
        String str = (String) ((Optional) this.client.getAuthnContext().get("encryption")).orElse("");
        if (!str.equalsIgnoreCase(GSIRequestHandler.CRYPTO_MODE)) {
            throw new XrootdException(4003, str + " not supported.");
        }
        this.credentialManager.checkCaIdentities(((String) ((Optional) this.client.getAuthnContext().get("caIdentities")).orElse("")).split("[|]"));
        String generateChallengeString = GSIRequestHandler.generateChallengeString();
        this.client.getAuthnContext().put("rtag", generateChallengeString);
        GSIBucketContainer buildContainer = new OutboundRequestBuckets(generateChallengeString).buildContainer();
        return new OutboundAuthenticationRequest(this.client.getStreamId(), buildContainer.getSize(), GSIRequestHandler.PROTOCOL, 1000, buildContainer.getBuckets());
    }

    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    public OutboundAuthenticationRequest handleCertStep(InboundAuthenticationResponse inboundAuthenticationResponse, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        try {
            InboundResponseBuckets inboundResponseBuckets = new InboundResponseBuckets(inboundAuthenticationResponse, this.client);
            inboundResponseBuckets.validateCiphers();
            inboundResponseBuckets.validateDigests();
            inboundResponseBuckets.validateCertificate();
            inboundResponseBuckets.validateSignedChallenge();
            inboundResponseBuckets.signChallenge();
            inboundResponseBuckets.encodeHostCerts();
            inboundResponseBuckets.finalizeDHSessionKey();
            SigningPolicy signingPolicy = this.client.getSigningPolicy();
            if (signingPolicy.isSigningOn()) {
                channelHandlerContext.pipeline().addAfter("encoder", "sigverEncoder", new TpcSigverRequestEncoder(new DHBufferHandler(inboundResponseBuckets.session, GSIRequestHandler.SERVER_SYNC_CIPHER_MODE, GSIRequestHandler.SERVER_SYNC_CIPHER_NAME, 16), signingPolicy));
            }
            GSIBucketContainer buildContainer = new OutboundResponseBuckets(inboundResponseBuckets, channelHandlerContext).buildContainer();
            return new OutboundAuthenticationRequest(inboundAuthenticationResponse.getStreamId(), buildContainer.getSize(), GSIRequestHandler.PROTOCOL, 1001, buildContainer.getBuckets());
        } catch (IOException e) {
            LOGGER.error(new StringBuilder().append("Problems during cert step {}.").append(e.getMessage()).toString() == null ? e.getClass().getName() : e.getMessage());
            throw new XrootdException(3012, "Internal error occurred during cert step.");
        } catch (InvalidKeyException e2) {
            LOGGER.error("The key negotiated by DH key exchange appears to be invalid: {}", e2.getMessage());
            throw new XrootdException(3006, "Could not decrypt server information with negotiated key.");
        } catch (GeneralSecurityException e3) {
            LOGGER.error("Cryptographic issues encountered during cert step: {}", e3.getMessage());
            throw new XrootdException(3012, "Could not complete cert step: an error occurred during cryptographic operations.");
        }
    }

    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    public OutboundAuthenticationRequest handleSigPxyStep(InboundAuthenticationResponse inboundAuthenticationResponse, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        throw new XrootdException(10015, "Version " + getProtocolVersion() + " does not support proxy delegation.");
    }
}
