package org.dcache.xrootd.plugins.authn.gsi;

import eu.emi.security.authn.x509.X509Credential;
import io.netty.channel.ChannelHandlerContext;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.Optional;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.security.NestedBucketBuffer;
import org.dcache.xrootd.security.RawBucket;
import org.dcache.xrootd.security.SigningPolicy;
import org.dcache.xrootd.security.StringBucket;
import org.dcache.xrootd.security.UnsignedIntBucket;
import org.dcache.xrootd.security.XrootdBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.dcache.xrootd.tpc.TpcSigverRequestEncoder;
import org.dcache.xrootd.tpc.XrootdTpcClient;
import org.dcache.xrootd.tpc.protocol.messages.InboundAuthenticationResponse;
import org.dcache.xrootd.tpc.protocol.messages.OutboundAuthenticationRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIClientRequestHandler.class */
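/**
 * Client side of the GSI authentication handshake performed by the third-party-copy
 * (TPC) client. It produces the first request of the exchange (step {@code 1000},
 * see {@link #handleCertReqStep()}) and, for subclasses, the reply to the server's
 * certificate message (step {@code 1001}, see the protected {@code handleCertStep}
 * overload).
 *
 * <p>Everything that touches the RSA / DH session state, the credential manager and
 * the bucket helpers ({@code processRSAVerification}, {@code verifySignedRTag},
 * {@code finalizeSessionKey}, {@code postProcessMainBucket}, {@code dhParams}, ...)
 * is inherited from {@link GSIRequestHandler} and is not visible here.
 *
 * <p>Subclasses supply the client credential, the optional client options flag word
 * and the DH padding choice through the abstract hooks at the bottom of the class.
 */
public abstract class GSIClientRequestHandler extends GSIRequestHandler {
    // Not final in the original; kept that way so subclasses that reassign it still compile.
    protected static Logger LOGGER = LoggerFactory.getLogger(GSIClientRequestHandler.class);

    /** The TPC client on whose behalf this handler authenticates. */
    protected final XrootdTpcClient client;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Buckets of the initial certificate request (step {@code 1000}): the crypto
     * module, the protocol version, the issuer hashes the client accepts, an
     * optional client-options word and a nested main bucket carrying the random
     * challenge tag ({@code kXRS_rtag}) the server must later sign.
     */
    public class CertRequestBuckets extends GSIBucketContainerBuilder {
        private StringBucket cryptoBucket;
        private UnsignedIntBucket versionBucket;
        private StringBucket issuerBucket;
        // null when no client options were supplied; build() is expected to skip it.
        private UnsignedIntBucket optionBucket;
        private NestedBucketBuffer mainBucket;

        /**
         * @param challenge  the freshly generated random tag placed in {@code kXRS_rtag}
         * @param clientOpts optional client options; when present it becomes {@code kXRS_clnt_opts}
         * @throws XrootdException if the nested main bucket cannot be constructed
         */
        public CertRequestBuckets(String challenge, Optional<Integer> clientOpts) throws XrootdException {
            // The main bucket nests exactly one bucket: the challenge tag.
            EnumMap<XrootdSecurityProtocol.BucketType, XrootdBucket> nested =
                  new EnumMap<>(XrootdSecurityProtocol.BucketType.class);
            StringBucket rtag = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_rtag, challenge);
            nested.put(rtag.getType(), rtag);
            this.mainBucket = new NestedBucketBuffer(XrootdSecurityProtocol.BucketType.kXRS_main,
                  GSIRequestHandler.PROTOCOL, 1000, nested);
            this.cryptoBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cryptomod,
                  GSIRequestHandler.CRYPTO_MODE);
            this.versionBucket = new UnsignedIntBucket(XrootdSecurityProtocol.BucketType.kXRS_version,
                  GSIClientRequestHandler.this.getProtocolVersion());
            // Tells the server which CAs the client trusts, so it can pick a matching chain.
            this.issuerBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_issuer_hash,
                  GSIClientRequestHandler.this.credentialManager.getIssuerHashes());
            clientOpts.ifPresent(opts -> this.optionBucket =
                  new UnsignedIntBucket(XrootdSecurityProtocol.BucketType.kXRS_clnt_opts, opts));
        }

        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder
        public GSIBucketContainer buildContainer() {
            return GSIBucketContainerBuilder.build(this.cryptoBucket, this.versionBucket,
                  this.issuerBucket, this.mainBucket, this.optionBucket);
        }
    }

    /**
     * Buckets of the client's answer to the server certificate message (step
     * {@code 1001}): the post-processed main bucket, the negotiated cipher and
     * digest, the client's DH parameters and, optionally, a public key
     * ({@code kXRS_puk}) and a user name ({@code kXRS_user}).
     */
    protected class CertResponseBuckets extends GSIBucketContainerBuilder {
        XrootdBucket mainBucket;
        RawBucket dhParamsBucket;
        StringBucket cipherBucket;
        StringBucket digestBucket;
        // The two optional buckets stay null when absent; build() is expected to skip nulls.
        StringBucket publicKeyBucket;
        StringBucket userNameBucket;

        /**
         * @param mainBucket   the already post-processed main bucket
         * @param dhParams     raw DH parameters sent to the server
         * @param dhParamsType bucket type under which {@code dhParams} is sent
         * @param publicKey    optional content of {@code kXRS_puk}
         * @param userName     optional content of {@code kXRS_user}
         * @param cipher       negotiated cipher, sent as {@code kXRS_cipher_alg}
         * @param digest       negotiated digest, sent as {@code kXRS_md_alg}
         */
        public CertResponseBuckets(XrootdBucket mainBucket, byte[] dhParams,
              XrootdSecurityProtocol.BucketType dhParamsType, Optional<String> publicKey,
              Optional<String> userName, String cipher, String digest) {
            this.mainBucket = mainBucket;
            this.dhParamsBucket = new RawBucket(dhParamsType, dhParams);
            this.cipherBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg, cipher);
            this.digestBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_md_alg, digest);
            publicKey.ifPresent(key -> this.publicKeyBucket =
                  new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_puk, key));
            userName.ifPresent(name -> this.userNameBucket =
                  new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_user, name));
        }

        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder
        public GSIBucketContainer buildContainer() {
            return GSIBucketContainerBuilder.build(this.mainBucket, this.cipherBucket,
                  this.digestBucket, this.dhParamsBucket, this.publicKeyBucket, this.userNameBucket);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @param credentialManager manager holding the client credential and trusted CA data
     * @param tpcClient         the TPC client being authenticated
     */
    public GSIClientRequestHandler(GSICredentialManager credentialManager, XrootdTpcClient tpcClient) {
        super(credentialManager);
        this.client = tpcClient;
    }

    /**
     * Reads one entry of the client's authentication context as a string.
     * Entries are expected to be stored as {@code Optional<String>}; a missing entry
     * or an empty {@code Optional} yields the empty string.
     */
    @SuppressWarnings("unchecked")
    private String authnContextValue(String key) {
        Object entry = this.client.getAuthnContext().get(key);
        if (entry == null) {
            return "";
        }
        return ((Optional<String>) entry).orElse("");
    }

    /**
     * Builds the first request of the handshake (step {@code 1000}).
     *
     * <p>Before anything is sent, the locally configured crypto mode and the list of
     * CA identities (pipe-separated, from the authn context) are validated, and a
     * fresh challenge is generated and remembered in {@code this.challenge} so that
     * the server's signature over it can be checked in the next step.
     *
     * @return the outbound cert-request message for this client's stream
     * @throws XrootdException if the credential cannot be loaded or the crypto mode /
     *                         CA identities are rejected
     */
    public OutboundAuthenticationRequest handleCertReqStep() throws XrootdException {
        loadClientCredential();
        validateCryptoMode(authnContextValue("encryption"));
        this.credentialManager.checkCaIdentities(authnContextValue("caIdentities").split("[|]"));
        this.challenge = GSIRequestHandler.generateChallengeString();
        GSIBucketContainer container =
              new CertRequestBuckets(this.challenge, getClientOpts()).buildContainer();
        return new OutboundAuthenticationRequest(this.client.getStreamId(), container.getSize(),
              GSIRequestHandler.PROTOCOL, 1000, container.getBuckets());
    }

    /**
     * Handles the server's certificate message; subclasses typically delegate to the
     * six-argument {@code handleCertStep} overload with their own bucket type and options.
     */
    public abstract OutboundAuthenticationRequest handleCertStep(
          InboundAuthenticationResponse inboundAuthenticationResponse,
          ChannelHandlerContext channelHandlerContext) throws XrootdException;

    /**
     * Creates the request-signing encoder when the client's signing policy requires it.
     *
     * @param tpcClient client whose {@code SigningPolicy} decides whether requests are signed
     * @return an encoder bound to this handler's buffer handler, or empty if signing is off
     */
    protected Optional<TpcSigverRequestEncoder> getSigverEncoder(XrootdTpcClient tpcClient) {
        SigningPolicy policy = tpcClient.getSigningPolicy();
        boolean signingOn = policy.isSigningOn();
        LOGGER.debug("Getting (optional) signed hash verification encoder, signing is on? {}.", signingOn);
        if (!signingOn) {
            return Optional.empty();
        }
        return Optional.of(new TpcSigverRequestEncoder(this.bufferHandler, policy));
    }

    /**
     * Runs the RSA verification over the server's buckets and checks that the first
     * certificate of the resulting chain matches the source host of the transfer.
     *
     * @return the verified end-entity certificate
     * @throws XrootdException           if the verification yielded no certificate at all
     * @throws GeneralSecurityException if verification or the identity check fails
     * @throws IOException              on I/O problems while processing the buckets
     */
    protected X509Certificate validateCertificate(InboundAuthenticationResponse response)
          throws IOException, GeneralSecurityException, XrootdException {
        X509Certificate[] chain = processRSAVerification(response.getBuckets(), Optional.empty());
        // Guard the [0] access: an empty chain must not surface as an ArrayIndexOutOfBoundsException.
        if (chain == null || chain.length == 0) {
            throw new XrootdException(3006, "Server cert step carried no certificate.");
        }
        X509Certificate endEntity = chain[0];
        GSICredentialManager.checkIdentity(endEntity, this.client.getInfo().getSrcHost());
        return endEntity;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the colon-separated cipher list the server proposed in
     * {@code kXRS_cipher_alg} and returns the one selected.
     *
     * @throws XrootdException if none of the proposed ciphers is acceptable
     */
    public String validateCiphers(InboundAuthenticationResponse response) throws XrootdException {
        StringBucket cipherBucket = (StringBucket) response.getBuckets()
              .get(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg);
        return validateCiphers(cipherBucket.getContent().split("[:]"));
    }

    /**
     * Validates the colon-separated digest list the server proposed in
     * {@code kXRS_md_alg} and returns the one selected.
     *
     * @throws XrootdException if none of the proposed digests is acceptable
     */
    protected String validateDigests(InboundAuthenticationResponse response) throws XrootdException {
        StringBucket digestBucket = (StringBucket) response.getBuckets()
              .get(XrootdSecurityProtocol.BucketType.kXRS_md_alg);
        return validateDigests(digestBucket.getContent().split("[:]"));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Common implementation of the client's reply to the server certificate message
     * (step {@code 1001}).
     *
     * <p>Order matters: the server-proposed cipher and digest are validated first, the
     * server certificate is verified and its public key installed for RSA decryption,
     * the server's signature over the challenge is checked, and only then is the DH
     * session created and the session key finalized. If the signing policy asks for
     * it, a {@code sigverEncoder} is inserted after the {@code encoder} pipeline handler
     * before the reply is built. Finally the client's own chain (PEM) goes into the
     * main bucket and its private key is installed for RSA encryption.
     *
     * @param response     the server's certificate message
     * @param ctx          channel context whose pipeline may receive the signing encoder
     * @param dhParamsType bucket type used for the DH parameters and for session-key finalization
     * @param dhFlag       passed unchanged to {@code dhParams}; its meaning is defined there
     * @param publicKey    optional content for {@code kXRS_puk}
     * @param userName     optional content for {@code kXRS_user}
     * @return the outbound cert message for the response's stream
     * @throws XrootdException with code 3006 if the DH-negotiated key is invalid,
     *                         and 3012 on I/O or other cryptographic failures
     */
    public OutboundAuthenticationRequest handleCertStep(InboundAuthenticationResponse response,
          ChannelHandlerContext ctx, XrootdSecurityProtocol.BucketType dhParamsType, boolean dhFlag,
          Optional<String> publicKey, Optional<String> userName) throws XrootdException {
        try {
            String cipher = validateCiphers(response);
            String digest = validateDigests(response);
            this.rsaSession.initializeForDecryption(validateCertificate(response).getPublicKey());
            verifySignedRTag(response.getBuckets());
            this.dhSession = new DHSession(false, findSessionIVLen(cipher));
            this.dhSession.setPaddedKey(usePadded());
            finalizeSessionKey(response.getBuckets(), dhParamsType);
            getSigverEncoder(this.client)
                  .ifPresent(encoder -> ctx.pipeline().addAfter("encoder", "sigverEncoder", encoder));
            X509Credential credential = getClientCredential();
            String chainPem = CertUtil.chainToPEM(Arrays.asList(credential.getCertificateChain()));
            this.rsaSession.initializeForEncryption(credential.getKey());
            XrootdBucket mainBucket =
                  postProcessMainBucket(response.getBuckets(), Optional.of(chainPem), 1001);
            GSIBucketContainer container = new CertResponseBuckets(mainBucket, dhParams(dhFlag),
                  dhParamsType, publicKey, userName, cipher, digest).buildContainer();
            return new OutboundAuthenticationRequest(response.getStreamId(), container.getSize(),
                  GSIRequestHandler.PROTOCOL, 1001, container.getBuckets());
        } catch (IOException e) {
            // Fall back to the exception class when the message is null; the original
            // built the string first and so never took the fallback branch.
            String detail = e.getMessage() == null ? e.getClass().getName() : e.getMessage();
            LOGGER.error("Problems during cert step {}.", detail);
            throw new XrootdException(3012, "Internal error occurred during cert step.");
        } catch (InvalidKeyException e) {
            // Must precede GeneralSecurityException, of which it is a subclass.
            LOGGER.error("The key negotiated by DH key exchange appears to be invalid: {}", e.getMessage());
            throw new XrootdException(3006, "Could not decrypt server information with negotiated key.");
        } catch (GeneralSecurityException e) {
            LOGGER.error("Cryptographic issues encountered during cert step: {}", e.getMessage());
            throw new XrootdException(3012,
                  "Could not complete cert step: an error occurred during cryptographic operations.");
        }
    }

    /** The credential (chain plus private key) this client authenticates with. */
    protected abstract X509Credential getClientCredential();

    /** Client options word for {@code kXRS_clnt_opts}, or empty to omit the bucket. */
    protected abstract Optional<Integer> getClientOpts();

    /** Loads the client credential; must succeed before {@link #handleCertReqStep()} proceeds. */
    protected abstract void loadClientCredential() throws XrootdException;

    /** Whether the DH session key is padded (passed to {@code DHSession.setPaddedKey}). */
    protected abstract boolean usePadded();
}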
