package org.dcache.xrootd.plugins.authn.gsi;

import com.google.common.base.Strings;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.PEMCredential;
import eu.emi.security.authn.x509.proxy.ProxyCertificateOptions;
import eu.emi.security.authn.x509.proxy.ProxyGenerator;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.util.Objects;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/CredentialLoader.class */
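/**
 * Loads and periodically refreshes the GSI credentials used by the xrootd plugin: the
 * server's host certificate/key, and the client credential (or a pre-made proxy) used for
 * third-party-copy (TPC) transfers. Paths, refresh intervals and verification flags come
 * from the {@code xrootd.gsi.*} properties handed to the constructor.
 *
 * <p>Credentials are loaded lazily on first access and re-read from disk once the
 * configured refresh interval has elapsed. A failed (re)load is logged and leaves the
 * previously loaded credential in place ({@code null} if none was ever loaded), and is
 * retried on the next access.
 *
 * <p>Thread-safety: all mutable state is guarded by the instance monitor; the public
 * getters return the credential from inside that monitor.
 */
public class CredentialLoader {
    private static final Logger LOGGER = LoggerFactory.getLogger(CredentialLoader.class);

    // May be null when neither *.verify flag is set; checked in the constructor otherwise.
    private final X509CertChainValidator certChainValidator;
    private final String hostCertificatePath;
    private final String hostKeyPath;
    private final long hostCertRefreshInterval;      // milliseconds
    private final boolean verifyHostCertificate;
    private final String clientCertificatePath;
    private final String clientKeyPath;
    private final long proxyRefreshInterval;         // milliseconds
    private final boolean verifyClientCertificate;
    private final String proxyPath;

    // Epoch millis of the last successful (re)load; 0 until the first one.
    private long hostCertRefreshTimestamp = 0;
    private long proxyRefreshTimestamp = 0;
    private PEMCredential hostCredential;
    private PEMCredential clientCredential;
    private X509Credential proxy;

    /**
     * Reads the {@code xrootd.gsi.*} configuration; no file is touched until a getter is called.
     *
     * @param properties plugin configuration; the {@code hostcert.*} and {@code tpc.cred.*}
     *        keys read here are required, {@code xrootd.gsi.tpc.proxy.path} is optional
     * @param x509CertChainValidator validator applied to loaded chains when the matching
     *        {@code *.verify} property is {@code true}; may be {@code null} otherwise
     * @throws NullPointerException if {@code properties} or a refresh-unit property is absent,
     *         or a {@code *.verify} flag is set without a validator
     * @throws IllegalArgumentException if a refresh unit is not a {@link TimeUnit} name
     * @throws NumberFormatException if a refresh count is absent or not an integer
     */
    public CredentialLoader(Properties properties, X509CertChainValidator x509CertChainValidator) {
        Objects.requireNonNull(properties, "properties");
        this.certChainValidator = x509CertChainValidator;
        this.hostKeyPath = properties.getProperty("xrootd.gsi.hostcert.key");
        this.hostCertificatePath = properties.getProperty("xrootd.gsi.hostcert.cert");
        this.hostCertRefreshInterval = refreshIntervalMillis(properties,
              "xrootd.gsi.hostcert.refresh", "xrootd.gsi.hostcert.refresh.unit");
        this.verifyHostCertificate = Boolean.parseBoolean(properties.getProperty("xrootd.gsi.hostcert.verify"));
        this.clientKeyPath = properties.getProperty("xrootd.gsi.tpc.cred.key");
        this.clientCertificatePath = properties.getProperty("xrootd.gsi.tpc.cred.cert");
        this.proxyRefreshInterval = refreshIntervalMillis(properties,
              "xrootd.gsi.tpc.cred.refresh", "xrootd.gsi.tpc.cred.refresh.unit");
        this.verifyClientCertificate = Boolean.parseBoolean(properties.getProperty("xrootd.gsi.tpc.cred.verify"));
        this.proxyPath = properties.getProperty("xrootd.gsi.tpc.proxy.path");
        // Fail at start-up rather than with an NPE on the first credential access.
        if ((verifyHostCertificate || verifyClientCertificate) && certChainValidator == null) {
            throw new NullPointerException("a certificate chain validator is required when "
                  + "xrootd.gsi.hostcert.verify or xrootd.gsi.tpc.cred.verify is true");
        }
    }

    /**
     * Returns the host credential, (re)loading it from disk first if it has never been loaded
     * or the refresh interval has elapsed.
     *
     * @return the current host credential, or {@code null} if no load has ever succeeded
     */
    public synchronized PEMCredential getHostCredential() {
        loadServerCredentials();
        return hostCredential;
    }

    /**
     * Returns the client proxy credential used for TPC, (re)loading it from disk first if it
     * has never been loaded or the refresh interval has elapsed.
     *
     * @return the current proxy credential, or {@code null} if no load has ever succeeded
     */
    public synchronized X509Credential getProxy() {
        loadClientCredentials();
        return proxy;
    }

    /**
     * Converts a count property plus a {@link TimeUnit}-name property into milliseconds.
     *
     * @throws NullPointerException if the unit property is absent
     * @throws IllegalArgumentException if the unit is not a {@link TimeUnit} name
     * @throws NumberFormatException if the count is absent or not an integer
     */
    private static long refreshIntervalMillis(Properties properties, String countKey, String unitKey) {
        TimeUnit unit = TimeUnit.valueOf(Objects.requireNonNull(properties.getProperty(unitKey), unitKey));
        return unit.toMillis(Integer.parseInt(properties.getProperty(countKey)));
    }

    /**
     * Runs a credential's certificate chain through the configured validator and turns a
     * negative result into an exception. {@link X509CertChainValidator#validate} reports
     * problems through its return value rather than by throwing, so the result must be
     * inspected or the {@code *.verify} properties silently do nothing.
     *
     * @param credential credential whose chain is validated
     * @param what human-readable name of the credential, used in the error message
     * @throws CertificateException if the chain does not validate
     */
    private void validateChain(X509Credential credential, String what) throws CertificateException {
        ValidationResult result = certChainValidator.validate(credential.getCertificateChain());
        if (!result.isValid()) {
            throw new CertificateException(what + " failed validation: " + result.getErrors());
        }
    }

    /**
     * (Re)loads the client credential and derives the TPC proxy from it, or reads a pre-made
     * proxy when {@code xrootd.gsi.tpc.proxy.path} is set. Errors are logged, not thrown;
     * the previous credential and timestamp are kept so the load is retried on the next call.
     */
    private synchronized void loadClientCredentials() {
        if (!shouldRefreshClientProxyCredential()) {
            return;
        }
        LOGGER.info("Refreshing proxy credential. Current refresh interval: {} ms", proxyRefreshInterval);
        try {
            PEMCredential credential;
            X509Credential newProxy;
            if (Strings.isNullOrEmpty(proxyPath)) {
                // Unencrypted key on disk: the null password is deliberate.
                credential = new PEMCredential(clientKeyPath, clientCertificatePath, (char[]) null);
                if (verifyClientCertificate) {
                    LOGGER.info("Verifying client certificate");
                    validateChain(credential, "client certificate");
                }
                try {
                    newProxy = ProxyGenerator.generate(
                          new ProxyCertificateOptions(credential.getCertificateChain()),
                          credential.getKey()).getCredential();
                } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
                    throw new CertificateException("could not generate client proxy credential.", e);
                }
            } else {
                // NOTE(review): a pre-made proxy read from proxyPath is used as-is; it is not run
                // through certChainValidator even when verifyClientCertificate is set. Confirm
                // that this is intended before relying on the verify flag for this path.
                credential = new PEMCredential(proxyPath, (char[]) null);
                newProxy = credential;
            }
            // Publish both fields together, only after loading and validation succeeded, so a
            // caller never observes a new client credential paired with a stale proxy.
            clientCredential = credential;
            proxy = newProxy;
            proxyRefreshTimestamp = System.currentTimeMillis();
        } catch (IOException e) {
            LOGGER.error("Could not read client certificates/key from file-system; {}: {}.",
                  getClientCredentialValues(), e.toString());
        } catch (GeneralSecurityException e) {
            LOGGER.error("Could not load client certificates/key due to security error; {}: {}.",
                  getClientCredentialValues(), e.toString());
        }
    }

    /**
     * (Re)loads the host certificate and key. Errors are logged, not thrown; the previous
     * credential and timestamp are kept so the load is retried on the next call.
     */
    private synchronized void loadServerCredentials() {
        if (!shouldReloadServerCredentials()) {
            return;
        }
        LOGGER.info("Loading server certificates. Current refresh interval: {} ms", hostCertRefreshInterval);
        try {
            // Unencrypted key on disk: the null password is deliberate.
            PEMCredential credential = new PEMCredential(hostKeyPath, hostCertificatePath, (char[]) null);
            if (verifyHostCertificate) {
                LOGGER.info("Verifying host certificate");
                validateChain(credential, "host certificate");
            }
            hostCredential = credential;
            hostCertRefreshTimestamp = System.currentTimeMillis();
        } catch (IOException e) {
            LOGGER.error("Could not read server certificates/key from file-system; {}: {}.",
                  getHostCredentialValues(), e.toString());
        } catch (GeneralSecurityException e) {
            LOGGER.error("Could not load server certificates/key due to security error; {}: {}.",
                  getHostCredentialValues(), e.toString());
        }
    }

    /** Paths involved in loading the client credential, for error messages (no secrets). */
    private String getClientCredentialValues() {
        return "client cert path: " + clientCertificatePath
              + ", client key path: " + clientKeyPath
              + ", proxy path: " + proxyPath;
    }

    /** Paths involved in loading the host credential, for error messages (no secrets). */
    private String getHostCredentialValues() {
        return "host cert path: " + hostCertificatePath + ", host key path: " + hostKeyPath;
    }

    /** True if the host credential was never loaded or its refresh interval has elapsed. */
    private boolean shouldReloadServerCredentials() {
        long elapsedMillis = System.currentTimeMillis() - hostCertRefreshTimestamp;
        LOGGER.info("Time since last server cert refresh {}", elapsedMillis);
        return hostCredential == null || elapsedMillis >= hostCertRefreshInterval;
    }

    /** True if the proxy was never loaded or its refresh interval has elapsed. */
    private boolean shouldRefreshClientProxyCredential() {
        long elapsedMillis = System.currentTimeMillis() - proxyRefreshTimestamp;
        LOGGER.info("Time since last client cert refresh {}", elapsedMillis);
        return proxy == null || elapsedMillis >= proxyRefreshInterval;
    }
}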
