package org.dcache.xrootd.plugins.authn.gsi.post49;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Map;
import java.util.Optional;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.security.auth.Subject;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.authn.gsi.CertUtil;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainer;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder;
import org.dcache.xrootd.plugins.authn.gsi.GSICredentialManager;
import org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.GSIServerRequestHandler;
import org.dcache.xrootd.protocol.messages.AuthenticationRequest;
import org.dcache.xrootd.protocol.messages.AuthenticationResponse;
import org.dcache.xrootd.protocol.messages.OkResponse;
import org.dcache.xrootd.protocol.messages.XrootdResponse;
import org.dcache.xrootd.security.NestedBucketBuffer;
import org.dcache.xrootd.security.StringBucket;
import org.dcache.xrootd.security.UnsignedIntBucket;
import org.dcache.xrootd.security.XrootdBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/post49/GSIPost49ServerRequestHandler.class */
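/**
 * Server side of the GSI handshake for protocol version 10400 (xrootd clients newer than 4.9).
 *
 * <p>Compared with the base handler this version (a) reads the client's kXRS_clnt_opts bucket
 * in the cert-request step to learn whether the client can sign proxy requests, and (b) when it
 * can, answers the cert step with a serialized proxy request instead of an OK, so that a further
 * "sigpxy" round trip delivers a delegated credential.
 *
 * <p>All state is per handshake and the object is not thread-safe: one instance per session.
 */
public class GSIPost49ServerRequestHandler extends GSIServerRequestHandler {

    /**
     * Flag bit in kXRS_clnt_opts advertising that the client can sign proxy requests.
     * The original test was {@code Integer.lowestOneBit(opts >> 2) == 1}, which is true exactly
     * when bit 2 of {@code opts} is set.
     */
    private static final int CLNT_OPT_CAN_SIGN_PROXY_REQUEST = 1 << 2;

    // Client step ids as reported by AuthenticationRequest.getStep(). The labels passed to
    // decryptMainBucketWithSessionKey suggest 1001 = kXGC_cert and 1002 = kXGC_sigpxy;
    // NOTE(review): confirm against XrootdSecurityProtocol before relying on the names.
    private static final int STEP_CLIENT_CERT = 1001;
    private static final int STEP_CLIENT_SIGPXY = 1002;

    // Server step id sent in the proxy-request response (presumably kXGS_pxyreq — confirm).
    private static final int STEP_SERVER_PXYREQ = 2002;

    // Response status used when the handshake needs another round trip
    // (presumably xrootd "authmore" — confirm against the protocol constants).
    private static final int STATUS_AUTH_MORE = 4002;

    // Error codes already used by this handler; values are the xrootd kXR_* error numbers.
    private static final int ERR_INVALID_REQUEST = 3006;
    private static final int ERR_IO = 3007;
    private static final int ERR_SERVER = 3012;

    /**
     * True once no further delegation step is pending: either the client delegated a proxy in
     * the sigpxy step, or it could not sign proxy requests in the first place (see
     * {@link #handleCertStep}). Despite the name it does not guarantee a proxy was received.
     */
    private boolean hasProxy;

    /** Value of the kXRS_clnt_opts flag bit, if the client sent that bucket; false otherwise. */
    private boolean clientCanSignRequest;

    /**
     * Builds the bucket container for the proxy-request response: the (already processed) main
     * bucket plus a kXRS_cryptomod bucket naming the crypto mode.
     */
    public class ProxyRequestResponse extends GSIBucketContainerBuilder {
        final XrootdBucket mainBucket;
        final StringBucket cryptoBucket;

        /**
         * @param mainBucket the main bucket to send
         * @param cryptoMode value of the kXRS_cryptomod bucket
         */
        public ProxyRequestResponse(XrootdBucket mainBucket, String cryptoMode) {
            this.mainBucket = mainBucket;
            this.cryptoBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cryptomod, cryptoMode);
        }

        @Override
        public GSIBucketContainer buildContainer() {
            return build(this.mainBucket, this.cryptoBucket);
        }
    }

    /**
     * @param subject           the subject the client's certificate chain is added to
     * @param credentialManager source of host credential, sender public key and proxy handling
     * @throws XrootdException propagated from the base handler
     */
    public GSIPost49ServerRequestHandler(Subject subject, GSICredentialManager credentialManager)
          throws XrootdException {
        super(subject, credentialManager);
    }

    @Override
    public int getProtocolVersion() {
        return 10400;
    }

    /**
     * First step: records the client's kXRS_clnt_opts flag (when present) and then delegates to
     * the base implementation, asking for a kXRS_cipher bucket.
     *
     * @param request the client's cert-request message
     * @return the base handler's cert-request response
     * @throws XrootdException propagated from the base handler
     */
    @Override
    public XrootdResponse<AuthenticationRequest> handleCertReqStep(AuthenticationRequest request)
          throws XrootdException {
        UnsignedIntBucket optsBucket =
              (UnsignedIntBucket) request.getBuckets().get(XrootdSecurityProtocol.BucketType.kXRS_clnt_opts);
        if (optsBucket != null) {
            int opts = optsBucket.getContent();
            this.clientCanSignRequest = (opts & CLNT_OPT_CAN_SIGN_PROXY_REQUEST) != 0;
            LOGGER.debug("Received kXRS_clnt_opts {}; can sign proxy requests {}.",
                  opts, this.clientCanSignRequest);
        }
        return handleCertReqStep(request, true, XrootdSecurityProtocol.BucketType.kXRS_cipher);
    }

    /**
     * Certificate step: validates ciphers and digests, finalizes the DH session key, decrypts the
     * main bucket, verifies the client's certificate chain with RSA and checks the signed rtag.
     * The verified chain is added to the subject's public credentials.
     *
     * <p>If the client advertised that it can sign proxy requests, the response is a proxy
     * request (status {@value #STATUS_AUTH_MORE}) and the handshake continues with
     * {@link #handleSigPxyStep}; otherwise the handshake is complete and an OK is returned.
     *
     * @param request the client's cert message
     * @return proxy request or OK, as described above
     * @throws XrootdException on any validation or cryptographic failure; the handshake is
     *                         cancelled before the exception is thrown
     */
    @Override
    public XrootdResponse<AuthenticationRequest> handleCertStep(AuthenticationRequest request)
          throws XrootdException {
        try {
            this.dhSession.setPaddedKey(true);
            this.dhSession.setSessionIVLen(findSessionIVLen(validateCiphers(request)));
            validateDigests(request);

            Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets = request.getBuckets();
            PublicKey clientKey = extractClientPublicKey(buckets);
            this.rsaSession.initializeForDecryption(clientKey);
            finalizeSessionKey(buckets, XrootdSecurityProtocol.BucketType.kXRS_cipher);

            NestedBucketBuffer mainBuffer = decryptMainBucketWithSessionKey(buckets, "kXGC_cert");
            // The chain is verified against the key the client sent in kXRS_puk.
            X509Certificate[] chain =
                  processRSAVerification(mainBuffer.getNestedBuckets(), Optional.of(clientKey));
            this.subject.getPublicCredentials().add(chain);
            verifySignedRTag(mainBuffer.getNestedBuckets());

            if (this.clientCanSignRequest) {
                return getSigPxyResponse(chain, request, mainBuffer);
            }
            // No delegation round trip possible: the handshake ends here.
            this.hasProxy = true;
            return new OkResponse(request);
        } catch (IOException e) {
            throw abortHandshake(e);
        } catch (InvalidKeyException e) {
            throw abortHandshake(e);
        } catch (GeneralSecurityException e) {
            throw abortHandshake(e);
        }
    }

    /**
     * Proxy-signing step: decrypts the main bucket, verifies the signed rtag using the sender's
     * public key, and — if the client returned a kXRS_x509 bucket — finalizes the delegated proxy
     * and stores it on the session. Without that bucket the client declined to sign; its
     * kXRS_message (if any) is logged and the handshake is cancelled.
     *
     * <p>Note that an OK response is returned in both cases; only {@link #hasProxy} distinguishes
     * them.
     *
     * @param request the client's sigpxy message
     * @return an OK response
     * @throws XrootdException on decryption, verification or proxy-finalization failure; the
     *                         handshake is cancelled before the exception is thrown
     */
    @Override
    public XrootdResponse<AuthenticationRequest> handleSigPxyStep(AuthenticationRequest request)
          throws XrootdException {
        try {
            Map<XrootdSecurityProtocol.BucketType, XrootdBucket> nested =
                  decryptMainBucketWithSessionKey(request.getBuckets(), "kXGC_sigpxy").getNestedBuckets();
            this.rsaSession.initializeForDecryption(this.credentialManager.getSenderPublicKey());
            verifySignedRTag(nested);

            if (nested.get(XrootdSecurityProtocol.BucketType.kXRS_x509) == null) {
                StringBucket message = (StringBucket) nested.get(XrootdSecurityProtocol.BucketType.kXRS_message);
                LOGGER.info("client cannot sign request; {}.",
                      message == null ? "(no message)" : message.getContent());
                cancelHandshake();
            } else {
                request.getSession().setDelegatedCredential(
                      this.credentialManager.finalizeDelegatedProxy(extractChain(nested)));
                this.hasProxy = true;
            }
            return new OkResponse(request);
        } catch (IOException e) {
            throw abortHandshake(e);
        } catch (InvalidKeyException e) {
            throw abortHandshake(e);
        } catch (GeneralSecurityException e) {
            throw abortHandshake(e);
        }
    }

    /**
     * The handshake is finished after the cert step when no delegation is pending (client cannot
     * sign, or a proxy has been recorded), and unconditionally after the sigpxy step.
     */
    @Override
    public boolean isFinished(AuthenticationRequest request) {
        int step = request.getStep();
        boolean noDelegationPending = this.hasProxy || !this.clientCanSignRequest;
        return (noDelegationPending && step == STEP_CLIENT_CERT) || step == STEP_CLIENT_SIGPXY;
    }

    @Override
    protected String getSyncCipherMode() {
        return GSIRequestHandler.SYNC_CIPHER_MODE_UNPADDED;
    }

    /**
     * Parses the client's public key from the PEM-encoded kXRS_puk bucket.
     *
     * @param buckets the top-level buckets of the cert message
     * @return the decoded public key
     * @throws XrootdException if the kXRS_puk bucket is absent (previously a NullPointerException
     *                         that bypassed {@code cancelHandshake()})
     * @throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeySpecException
     *                         from the key factory
     */
    private PublicKey extractClientPublicKey(Map<XrootdSecurityProtocol.BucketType, XrootdBucket> buckets)
          throws XrootdException, NoSuchProviderException, NoSuchAlgorithmException,
          InvalidKeySpecException {
        StringBucket pukBucket = (StringBucket) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_puk);
        if (pukBucket == null) {
            cancelHandshake();
            LOGGER.error("Client cert message carries no kXRS_puk bucket.");
            throw new XrootdException(ERR_INVALID_REQUEST, "Missing client public key.");
        }
        LOGGER.debug("Length of kXRS_puk bucket content: {}, size {}.",
              pukBucket.getContent().length(), pukBucket.getSize());

        byte[] der = CertUtil.fromPEM(pukBucket.getContent(),
              GSIRequestHandler.PUBLIC_KEY_HEADER, GSIRequestHandler.PUBLIC_KEY_FOOTER);
        LOGGER.debug("resulting base64 byte array length {}.", der.length);

        PublicKey key = KeyFactory.getInstance(GSIRequestHandler.PUBLIC_KEY_ALGORITHM, "BC")
              .generatePublic(new X509EncodedKeySpec(der));
        if (key instanceof RSAPublicKey rsaKey) {
            LOGGER.debug("RSA modulus length: {}.", rsaKey.getModulus().bitLength());
        }
        return key;
    }

    /**
     * Builds the proxy-request response sent instead of OK when the client can sign proxy
     * requests: the serialized proxy request is placed in the main bucket (encrypted with the
     * host credential's key) together with the crypto mode.
     *
     * @param chain   the client's verified certificate chain
     * @param request the cert message being answered
     * @param main    the decrypted main bucket of the cert message
     * @return an {@value #STATUS_AUTH_MORE} response carrying step {@value #STEP_SERVER_PXYREQ}
     */
    private AuthenticationResponse getSigPxyResponse(X509Certificate[] chain,
          AuthenticationRequest request, NestedBucketBuffer main)
          throws XrootdException, NoSuchProviderException, InvalidKeyException,
          NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException,
          InvalidAlgorithmParameterException, BadPaddingException, IOException {
        String proxyRequest = this.credentialManager.prepareSerializedProxyRequest(chain);
        this.rsaSession.initializeForEncryption(this.credentialManager.getHostCredential().getKey());
        XrootdBucket mainBucket = postProcessMainBucket(main.getNestedBuckets(),
              Optional.of(proxyRequest), STEP_SERVER_PXYREQ);
        GSIBucketContainer container =
              new ProxyRequestResponse(mainBucket, GSIRequestHandler.CRYPTO_MODE).buildContainer();
        return new AuthenticationResponse(request, STATUS_AUTH_MORE, container.getSize(),
              GSIRequestHandler.PROTOCOL, STEP_SERVER_PXYREQ, container.getBuckets());
    }

    /** Cancels the handshake and maps a deserialization failure to the client-facing error. */
    private XrootdException abortHandshake(IOException e) {
        cancelHandshake();
        LOGGER.error("Could not deserialize main nested buffer {}",
              e.getMessage() == null ? e.getClass().getName() : e.getMessage());
        return new XrootdException(ERR_IO, "Could not decrypt encrypted client message.");
    }

    /** Cancels the handshake and maps a bad negotiated key to the client-facing error. */
    private XrootdException abortHandshake(InvalidKeyException e) {
        cancelHandshake();
        LOGGER.error("The key negotiated by DH key exchange appears to be invalid: {}", e.getMessage());
        return new XrootdException(ERR_INVALID_REQUEST, "Could not decrypt clientinformation with negotiated key.");
    }

    /** Cancels the handshake and maps any other crypto failure to the client-facing error. */
    private XrootdException abortHandshake(GeneralSecurityException e) {
        cancelHandshake();
        LOGGER.error("Error during decrypting/server-side key exchange: {}", e.getMessage());
        return new XrootdException(ERR_SERVER, "Error in server-side cryptographic operations.");
    }
}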
