package org.dcache.xrootd.plugins.authn.gsi;

import eu.emi.security.authn.x509.impl.CertificateUtils;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.buffer.Unpooled;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.security.NestedBucketBuffer;
import org.dcache.xrootd.security.RawBucket;
import org.dcache.xrootd.security.StringBucket;
import org.dcache.xrootd.security.XrootdBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIRequestHandler.class */
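/**
 * Shared state and helpers for both sides of the xrootd "gsi" authentication handshake:
 * random challenge tags (rtag) that the peer must echo back encrypted with the RSA session,
 * Diffie-Hellman session-key agreement, and encryption of the main bucket under the agreed
 * session key.
 *
 * <p>This listing is decompiler output. The decompiler notes that most methods below were
 * {@code protected} in the original source; their {@code public} access here is an artifact
 * and is kept so that existing callers keep compiling.
 *
 * <p>Not thread-safe: {@code dhSession}, {@code bufferHandler}, {@code lastRequest},
 * {@code challenge} and {@code noPadding} are mutated during the handshake without any
 * synchronization, so one instance must serve one connection only.
 */
public abstract class GSIRequestHandler {
    public static final String PROTOCOL = "gsi";
    public static final int PROTO_WITH_DELEGATION = 10400;
    public static final int PROTO_PRE_DELEGATION = 10300;
    public static final int PROTOCOL_VERSION = 10400;
    public static final String CRYPTO_MODE = "ssl";
    public static final String CRYPTO_MODE_NO_PAD = "sslnopad";
    /** Colon-separated list of cipher names this side accepts from the peer. */
    public static final String SUPPORTED_CIPHER_ALGORITHM = "aes-128-cbc";
    /** Colon-separated list of digest names this side accepts from the peer. */
    public static final String SUPPORTED_DIGESTS = "sha1:md5";
    public static final String ASYNC_CIPHER_MODE = "RSA/NONE/PKCS1Padding";
    public static final String SYNC_CIPHER_MODE_PADDED = "AES/CBC/PKCS5Padding";
    public static final String SYNC_CIPHER_MODE_UNPADDED = "AES/CBC/NoPadding";
    public static final String SYNC_CIPHER_NAME = "AES";
    public static final String PUBLIC_KEY_ALGORITHM = "RSA";
    public static final String PUBLIC_KEY_HEADER = "-----BEGIN PUBLIC KEY-----";
    public static final String PUBLIC_KEY_FOOTER = "-----END PUBLIC KEY-----";
    public static final int SYNC_CIPHER_BLOCKSIZE = 16;
    public static final int CHALLENGE_BYTES = 8;
    /** Separates a cipher name from its session-IV length, e.g. {@code aes-128-cbc#16}. */
    public static final String SESSION_IV_DELIM = "#";
    public static final int SESSION_IV_LEN = 16;
    /** Supplies the local credentials and the certificate-chain validator. */
    protected final GSICredentialManager credentialManager;
    /**
     * Diffie-Hellman session. Never assigned in this class, so a subclass must set it before
     * any of the session-key methods run; {@link #buildEncryptedMainBucket} checks for null,
     * the other users do not.
     */
    protected DHSession dhSession;
    /** Cipher helper created once the DH key agreement has been finalized. */
    protected DHBufferHandler bufferHandler;
    /** Epoch millis of the request the expiry check is measured from; 0 until the first check. */
    protected long lastRequest;
    /** Set (and never cleared) when the peer negotiates {@link #CRYPTO_MODE_NO_PAD}. */
    protected boolean noPadding;
    protected static Logger LOGGER = LoggerFactory.getLogger(GSIRequestHandler.class);
    /** A request arriving at least this many millis after {@code lastRequest} is expired. */
    public static final long MAX_TIME_SKEW = TimeUnit.SECONDS.toMillis(300);
    protected static final SecureRandom RANDOM = new SecureRandom();
    /** The random tag most recently sent to the peer; the peer's signed echo is checked against it. */
    protected String challenge = "";
    protected RSASession rsaSession = new RSASession();

    /**
     * Extracts the session-IV length from a cipher spec of the form {@code name#len}.
     *
     * @param cipher cipher spec as received from the peer (untrusted)
     * @return the integer after {@link #SESSION_IV_DELIM}, or 0 when the spec has no delimiter
     * @throws XrootdException if the spec is empty, ends with the delimiter, or the part after
     *                         the delimiter is not a non-negative integer
     */
    public static int findSessionIVLen(String cipher) throws XrootdException {
        int delim = cipher.indexOf(SESSION_IV_DELIM);
        // A trailing delimiter carries no length. This test also rejects the empty spec,
        // for which indexOf() (-1) happens to equal length() - 1.
        if (delim == cipher.length() - 1) {
            throw new XrootdException(10026, "malformed cipher " + cipher);
        }
        if (delim < 0) {
            return 0;
        }
        int ivLen;
        try {
            ivLen = Integer.parseInt(cipher.substring(delim + 1));
        } catch (NumberFormatException e) {
            // Peer-supplied text: report a protocol error rather than letting the
            // NumberFormatException escape as an unchecked failure.
            throw new XrootdException(10026, "malformed cipher " + cipher + ": " + e.getMessage());
        }
        if (ivLen < 0) {
            throw new XrootdException(10026, "malformed cipher " + cipher + ": negative IV length");
        }
        return ivLen;
    }

    /**
     * Generates a fresh random challenge (rtag) of {@link #CHALLENGE_BYTES} bytes.
     *
     * <p>Each byte is drawn from {@link #RANDOM} in the range 0..126, so the result is pure
     * ASCII (control characters included) and round-trips through {@code US_ASCII} losslessly.
     *
     * @return the challenge as a string
     */
    public static String generateChallengeString() {
        byte[] tag = new byte[CHALLENGE_BYTES];
        for (int idx = 0; idx < tag.length; idx++) {
            tag[idx] = (byte) RANDOM.nextInt(127);
        }
        String rtag = new String(tag, StandardCharsets.US_ASCII);
        LOGGER.debug("Generated new challenge string: {}.", rtag);
        return rtag;
    }

    /**
     * @param credentialManager supplies the local credentials and the chain validator
     */
    public GSIRequestHandler(GSICredentialManager credentialManager) {
        this.credentialManager = credentialManager;
    }

    public abstract int getProtocolVersion();

    /** Cipher transformation used for the buffer handler (padded or unpadded AES/CBC). */
    protected abstract String getSyncCipherMode();

    /**
     * Decrypts the {@code kXRS_main} bucket with the DH session key and deserializes the
     * nested buckets it contains.
     *
     * <p>Note that this always uses {@link #SYNC_CIPHER_MODE_PADDED}, unlike the buffer handler,
     * which is built with {@link #getSyncCipherMode()}.
     *
     * @param buckets    buckets received from the peer
     * @param dumpPrefix prefix handed to {@code NestedBucketBuffer.dump} for trace output
     * @return the decrypted nested buffer
     * @throws XrootdException if the {@code kXRS_main} bucket is missing
     */
    public NestedBucketBuffer decryptMainBucketWithSessionKey(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets, String dumpPrefix) throws NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, NoSuchProviderException, InvalidKeyException, IOException, XrootdException {
        LOGGER.debug("Decrypting main bucket with session key.");
        XrootdBucket main = requireBucket(buckets, XrootdSecurityProtocol.BucketType.kXRS_main);
        byte[] plain = dhSession.decrypt(SYNC_CIPHER_MODE_PADDED, SYNC_CIPHER_NAME, SYNC_CIPHER_BLOCKSIZE, main.getContent());
        NestedBucketBuffer nested = NestedBucketBuffer.deserialize(XrootdSecurityProtocol.BucketType.kXRS_main, Unpooled.wrappedBuffer(plain));
        if (LOGGER.isTraceEnabled()) {
            StringBuilder dump = new StringBuilder();
            nested.dump(dump, dumpPrefix, 0);
            LOGGER.trace(dump.toString());
        }
        return nested;
    }

    /**
     * Returns the encoded DH material of the current session, optionally "signed" by
     * encrypting it with the RSA session.
     *
     * @param signed whether to RSA-encrypt the material
     * @return the raw or RSA-encrypted DH material
     */
    public byte[] dhParams(boolean signed) throws IOException, BadPaddingException, IllegalBlockSizeException {
        LOGGER.debug("Getting encoded dh paramters (signed: {}).", signed);
        // NOTE(review): getBytes() uses the platform charset; kept as-is because the peer must
        // see exactly these bytes — confirm the material is ASCII before pinning a charset.
        byte[] material = dhSession.getEncodedDHMaterial().getBytes();
        if (!signed) {
            return material;
        }
        LOGGER.debug("Signing encoded dh paramters.");
        return rsaSession.encrypt(material);
    }

    /**
     * Parses the PEM certificate chain carried in the {@code kXRS_x509} bucket.
     *
     * @param buckets buckets received from the peer
     * @return the parsed chain, never empty
     * @throws XrootdException           if the {@code kXRS_x509} bucket is missing
     * @throws IllegalArgumentException  if the bucket yields no certificate
     */
    public X509Certificate[] extractChain(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets) throws XrootdException, IOException {
        LOGGER.debug("Extracting X509Certificate chain.");
        // The kXRS_x509 bucket is expected to be a StringBucket holding PEM text.
        StringBucket pem = (StringBucket) requireBucket(buckets, XrootdSecurityProtocol.BucketType.kXRS_x509);
        byte[] pemBytes = pem.getContent().getBytes(StandardCharsets.US_ASCII);
        X509Certificate[] chain = CertificateUtils.loadCertificateChain(new ByteArrayInputStream(pemBytes), CertificateUtils.Encoding.PEM);
        if (chain.length == 0) {
            throw new IllegalArgumentException("Could not parse x509 certificate from input stream!");
        }
        return chain;
    }

    /**
     * Completes the DH key agreement from the peer's DH message and builds the buffer handler.
     *
     * @param buckets    buckets received from the peer
     * @param bucketType {@code kXRS_puk} (clear-text DH message) or {@code kXRS_cipher}
     *                   (DH message RSA-encrypted by the peer)
     * @throws IllegalArgumentException if {@code bucketType} is neither of the two
     * @throws NullPointerException     if the named bucket is absent
     */
    public void finalizeSessionKey(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets, XrootdSecurityProtocol.BucketType bucketType) throws IOException, GeneralSecurityException {
        LOGGER.debug("Finalizing session key using bucket type {}.", bucketType.name());
        StringBucket dhMessage;
        switch (bucketType) {
            case kXRS_puk:
                dhMessage = (StringBucket) Objects.requireNonNull(buckets.get(XrootdSecurityProtocol.BucketType.kXRS_puk), "No kXRS_puk bucket.");
                LOGGER.debug("DH message (params) from kXRS_puk: {}.", dhMessage.getContent());
                break;
            case kXRS_cipher:
                byte[] sealed = Objects.requireNonNull(buckets.get(XrootdSecurityProtocol.BucketType.kXRS_cipher), "No kXRS_cipher bucket.").getContent();
                LOGGER.debug("Decrypting cipher bucket using public key, buffer length {}.", sealed.length);
                dhMessage = StringBucket.deserialize(XrootdSecurityProtocol.BucketType.kXRS_cipher, Unpooled.wrappedBuffer(rsaSession.decrypt(sealed)));
                LOGGER.debug("DH message (params) from kXRS_cipher after decryption: {}.", dhMessage.getContent());
                break;
            default:
                throw new IllegalArgumentException("Unexpected bucketType in finalizeSessionKey: " + bucketType.name());
        }
        dhSession.finaliseKeyAgreement(dhMessage.getContent());
        bufferHandler = new DHBufferHandler(dhSession, getSyncCipherMode(), SYNC_CIPHER_NAME, SYNC_CIPHER_BLOCKSIZE);
        LOGGER.debug("Constructed buffer handler for signed hash use.");
    }

    /**
     * Reports whether too much time has passed since {@code lastRequest}.
     *
     * <p>The first call only records the current time and returns {@code false}; later calls
     * compare against that stamp without refreshing it (see {@link #updateLastRequest()}).
     *
     * @return {@code true} when at least {@link #MAX_TIME_SKEW} ms have elapsed
     */
    public boolean isRequestExpired() {
        long now = System.currentTimeMillis();
        if (lastRequest == 0) {
            lastRequest = now;
            return false;
        }
        return now - lastRequest >= MAX_TIME_SKEW;
    }

    /**
     * Builds this side's reply main bucket: the peer's rtag signed with the RSA session, a new
     * rtag of our own, and optionally an X.509 payload.
     *
     * @param buckets     buckets received from the peer; must contain {@code kXRS_rtag}
     * @param x509Payload PEM payload to attach, if any
     * @param step        handshake step code; 1001, 1002 and 2002 produce a session-key
     *                    encrypted bucket, anything else a clear nested buffer (presumably the
     *                    certreq/cert/pxyreq steps — confirm against XrootdSecurityProtocol)
     * @return the main bucket to send
     * @throws XrootdException if {@code kXRS_rtag} is missing, or if encryption is requested
     *                         before a DH session exists
     */
    public XrootdBucket postProcessMainBucket(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets, Optional<String> x509Payload, int step) throws BadPaddingException, IllegalBlockSizeException, NoSuchProviderException, NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException, XrootdException, IOException {
        LOGGER.debug("Post-processing main bucket.");
        challenge = generateChallengeString();
        RawBucket signedRtag = new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_signed_rtag, signRtagChallenge(buckets));
        StringBucket rtag = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_rtag, challenge);
        StringBucket x509 = null;
        if (x509Payload.isPresent()) {
            // Step 2002 carries a request for a certificate rather than a certificate.
            XrootdSecurityProtocol.BucketType x509Type = step == 2002
                  ? XrootdSecurityProtocol.BucketType.kXRS_x509_req
                  : XrootdSecurityProtocol.BucketType.kXRS_x509;
            x509 = new StringBucket(x509Type, x509Payload.get());
        }
        switch (step) {
            case 1001:
            case 1002:
            case 2002:
                LOGGER.debug("Building encrypted main bucket.");
                return buildEncryptedMainBucket(step, signedRtag, rtag, x509);
            default:
                LOGGER.debug("Building unencrypted main bucket.");
                EnumMap<XrootdSecurityProtocol.BucketType, XrootdBucket> nested = new EnumMap<>(XrootdSecurityProtocol.BucketType.class);
                nested.put(signedRtag.getType(), signedRtag);
                nested.put(rtag.getType(), rtag);
                if (x509 != null) {
                    nested.put(x509.getType(), x509);
                }
                return new NestedBucketBuffer(XrootdSecurityProtocol.BucketType.kXRS_main, PROTOCOL, step, nested);
        }
    }

    /**
     * Extracts and validates the peer's certificate chain and, when a key from an earlier step
     * is supplied, checks that the end-entity certificate still carries that key.
     *
     * @param buckets     buckets received from the peer
     * @param previousKey public key seen earlier in the handshake, if any
     * @return the validated chain, end-entity certificate first
     * @throws InvalidKeyException if the chain's public key differs from {@code previousKey}
     */
    public X509Certificate[] processRSAVerification(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets, Optional<PublicKey> previousKey) throws InvalidKeyException, IOException, XrootdException {
        LOGGER.debug("Processing RSA cert chain verification; previous key to match? {}.", previousKey.isPresent());
        X509Certificate[] chain = extractChain(buckets);
        credentialManager.getCertChainValidator().validate(chain);
        PublicKey presented = chain[0].getPublicKey();
        if (previousKey.isPresent() && !previousKey.get().equals(presented)) {
            throw new InvalidKeyException("Error in cryptographic operations; received two different public keys.");
        }
        return chain;
    }

    /** Stamps {@code lastRequest} with the current time. */
    public void updateLastRequest() {
        lastRequest = System.currentTimeMillis();
    }

    /**
     * Picks the first of the peer's cipher specs whose name (the part before
     * {@link #SESSION_IV_DELIM}) is listed in {@link #SUPPORTED_CIPHER_ALGORITHM}.
     *
     * @param ciphers cipher specs offered by the peer, in preference order (untrusted)
     * @return the selected spec exactly as the peer sent it, IV suffix included
     * @throws XrootdException if none is supported
     */
    public String validateCiphers(String[] ciphers) throws XrootdException {
        LOGGER.debug("Validating cipher algorithm.");
        for (String cipher : ciphers) {
            LOGGER.debug("checking cipher algorithm {}.", cipher);
            int delim = cipher.indexOf(SESSION_IV_DELIM);
            String name = delim > 0 ? cipher.substring(0, delim) : cipher;
            if (isListed(SUPPORTED_CIPHER_ALGORITHM, name)) {
                LOGGER.debug("Selected cipher algorithm {}", cipher);
                return cipher;
            }
        }
        throw new XrootdException(4003, "all sender ciphers are unsupported: " + Arrays.asList(ciphers));
    }

    /**
     * Accepts {@link #CRYPTO_MODE} or {@link #CRYPTO_MODE_NO_PAD} (case-insensitively), the
     * latter switching this handler to unpadded mode.
     *
     * @param mode crypto mode requested by the peer
     * @throws XrootdException for any other mode
     */
    public void validateCryptoMode(String mode) throws XrootdException {
        LOGGER.debug("Validating crypto mode.");
        if (mode.equalsIgnoreCase(CRYPTO_MODE)) {
            return;
        }
        if (mode.equalsIgnoreCase(CRYPTO_MODE_NO_PAD)) {
            noPadding = true;
            return;
        }
        throw new XrootdException(4003, mode + " not supported.");
    }

    /**
     * Picks the first of the peer's digest names listed in {@link #SUPPORTED_DIGESTS}.
     *
     * @param digests digest names offered by the peer, in preference order (untrusted)
     * @return the selected digest name
     * @throws XrootdException if none is supported
     */
    public String validateDigests(String[] digests) throws XrootdException {
        LOGGER.debug("Validating cipher digests.");
        for (String digest : digests) {
            if (isListed(SUPPORTED_DIGESTS, digest)) {
                return digest;
            }
        }
        throw new XrootdException(4003, "all sender digests are unsupported: " + Arrays.asList(digests));
    }

    /**
     * Checks that the peer's {@code kXRS_signed_rtag} decrypts to the challenge we sent.
     *
     * @param buckets buckets received from the peer
     * @throws XrootdException if the bucket is missing or the echoed tag does not match
     */
    public void verifySignedRTag(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets) throws XrootdException, BadPaddingException, IllegalBlockSizeException, IOException {
        XrootdBucket signed = requireBucket(buckets, XrootdSecurityProtocol.BucketType.kXRS_signed_rtag);
        byte[] echoed = rsaSession.decrypt(signed.getContent());
        String rTagString = new String(echoed, StandardCharsets.US_ASCII);
        // Constant-time comparison. The challenge is pure ASCII (see generateChallengeString),
        // so comparing the raw bytes is equivalent to comparing the decoded strings.
        byte[] expected = challenge.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, echoed)) {
            LOGGER.error("The challenge is {}, the serialized rTag is {}. Signature of challenge tag has been proven wrong!!", challenge, rTagString);
            throw new XrootdException(3006, "Sender did not present correct challenge response!");
        }
        LOGGER.debug("signature of challenge tag ok. Challenge: {}, rTagString: {}", challenge, rTagString);
    }

    /**
     * Serializes the given buckets into a main-bucket frame ({@code "gsi"} padded to 4 bytes,
     * step code, buckets, {@code kXRS_none} terminator) and encrypts it with the session key.
     *
     * @param step    handshake step code written into the frame
     * @param buckets buckets to include; null entries are skipped
     * @return the encrypted frame as a {@code kXRS_main} raw bucket
     * @throws XrootdException if no DH session exists yet
     */
    private RawBucket buildEncryptedMainBucket(int step, XrootdBucket... buckets) throws XrootdException, NoSuchPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, IllegalBlockSizeException, BadPaddingException, NoSuchProviderException, InvalidKeyException {
        if (dhSession == null) {
            throw new XrootdException(4003, "trying to encrypt message without session key.");
        }
        ByteBuf frame = PooledByteBufAllocator.DEFAULT.buffer();
        byte[] plain;
        try {
            byte[] protocol = PROTOCOL.getBytes(StandardCharsets.US_ASCII);
            frame.writeBytes(protocol);
            frame.writeZero(4 - protocol.length);
            frame.writeInt(step);
            for (XrootdBucket bucket : buckets) {
                if (bucket != null) {
                    bucket.serialize(frame);
                }
            }
            frame.writeInt(XrootdSecurityProtocol.BucketType.kXRS_none.getCode());
            plain = new byte[frame.readableBytes()];
            frame.getBytes(0, plain);
        } finally {
            // Pooled buffer: release even when serialize() throws, or the buffer leaks.
            frame.release();
        }
        return new RawBucket(XrootdSecurityProtocol.BucketType.kXRS_main, dhSession.encrypt(SYNC_CIPHER_MODE_PADDED, SYNC_CIPHER_NAME, SYNC_CIPHER_BLOCKSIZE, plain));
    }

    /**
     * "Signs" the peer's rtag by RSA-encrypting its bytes with the RSA session.
     *
     * @param buckets buckets received from the peer; must contain {@code kXRS_rtag}
     * @return the encrypted tag
     * @throws XrootdException if {@code kXRS_rtag} is missing
     */
    private byte[] signRtagChallenge(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets) throws BadPaddingException, IllegalBlockSizeException, IOException, XrootdException {
        XrootdBucket rtag = requireBucket(buckets, XrootdSecurityProtocol.BucketType.kXRS_rtag);
        // NOTE(review): getBytes() uses the platform charset; kept as-is so the signed bytes
        // match what the peer compares against — confirm the rtag is always ASCII.
        byte[] tag = rtag.getContent().getBytes();
        LOGGER.debug("Signing sender's random challenge tag of length {}.", tag.length);
        return rsaSession.encrypt(tag);
    }

    /**
     * Looks up the bucket of the given type, turning its absence into a protocol error
     * instead of a NullPointerException further down.
     */
    private static XrootdBucket requireBucket(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets, XrootdSecurityProtocol.BucketType type) throws XrootdException {
        XrootdBucket bucket = buckets.get(type);
        if (bucket == null) {
            throw new XrootdException(10001, "No " + type.name() + " bucket.");
        }
        return bucket;
    }

    /**
     * Exact-match lookup of {@code candidate} in a colon-separated list. A substring test
     * (as in {@code list.contains(candidate)}) would also accept partial names such as
     * {@code "aes"} or the empty string from the peer.
     */
    private static boolean isListed(String colonSeparated, String candidate) {
        for (String entry : colonSeparated.split(":")) {
            if (entry.equals(candidate)) {
                return true;
            }
        }
        return false;
    }
}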
