package org.dcache.xrootd.plugins.authn.gsi.post49;

import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.KeyAndCertCredential;
import io.netty.channel.ChannelHandlerContext;
import java.security.KeyStoreException;
import java.util.Optional;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.authn.gsi.CertUtil;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainer;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder;
import org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.GSICredentialManager;
import org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.SerializableX509Credential;
import org.dcache.xrootd.security.XrootdBucket;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.dcache.xrootd.tpc.XrootdTpcClient;
import org.dcache.xrootd.tpc.protocol.messages.InboundAuthenticationResponse;
import org.dcache.xrootd.tpc.protocol.messages.InboundErrorResponse;
import org.dcache.xrootd.tpc.protocol.messages.OutboundAuthenticationRequest;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/post49/GSIPost49ClientRequestHandler.class */
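/**
 * Client-side GSI request handler for third-party-copy connections that
 * reports protocol version 10400 and authenticates with the proxy credential
 * delegated to the TPC client.
 *
 * <p>The credential is taken from {@code client.getInfo().getDelegatedProxy()}
 * in {@link #loadClientCredential()}; when no proxy was delegated the
 * credential stays {@code null}.
 */
public class GSIPost49ClientRequestHandler extends GSIClientRequestHandler {
    /** Delegated proxy wrapped as a key-and-certificate credential; {@code null} until loaded. */
    private X509Credential delegatedProxy;

    /**
     * Builder that wraps a single, already prepared bucket into a
     * {@link GSIBucketContainer}.
     */
    protected class PxyreqResponseBuckets extends GSIBucketContainerBuilder {
        private XrootdBucket mainBucket;

        /**
         * @param xrootdBucket the bucket to place in the container
         * @throws XrootdException declared for callers; not thrown by this constructor itself
         */
        public PxyreqResponseBuckets(XrootdBucket xrootdBucket) throws XrootdException {
            this.mainBucket = xrootdBucket;
        }

        /** Builds a container holding only the bucket passed to the constructor. */
        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder
        public GSIBucketContainer buildContainer() {
            return GSIBucketContainerBuilder.build(this.mainBucket);
        }
    }

    /**
     * @param gSICredentialManager credential manager handed to the base handler
     * @param xrootdTpcClient      the TPC client this handler authenticates for
     */
    public GSIPost49ClientRequestHandler(GSICredentialManager gSICredentialManager, XrootdTpcClient xrootdTpcClient) {
        super(gSICredentialManager, xrootdTpcClient);
    }

    /** @return the GSI protocol version this handler reports, 10400 */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler
    public int getProtocolVersion() {
        return 10400;
    }

    /**
     * Converts an authentication error response into an {@link XrootdException}
     * that carries the server's error code and message, followed by a note on
     * whether a user proxy had been delegated to the client.
     *
     * <p>Only the presence of the proxy is reported; the credential object is
     * never concatenated into the message, so no credential material can end
     * up in logs or in the error sent onwards.
     *
     * <p>NOTE(review): the decompiler reports the original access modifier as
     * {@code protected}; it is kept {@code public} as listed.
     *
     * @param inboundErrorResponse the error response received from the source server
     * @throws XrootdException always
     */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    public void handleAuthenticationError(InboundErrorResponse inboundErrorResponse) throws XrootdException {
        // The previous expression compared the whole concatenated string with
        // null; '+' binds tighter than '==', so the result was always the bare
        // text "delegated." and the server's error message was dropped.
        boolean proxyDelegated = this.client.getInfo().getDelegatedProxy() != null;
        String message = inboundErrorResponse.getErrorMessage()
                + " –– user proxy was "
                + (proxyDelegated ? "delegated." : "not delegated.");
        throw new XrootdException(inboundErrorResponse.getError(), message);
    }

    /**
     * Handles the certificate step by delegating to the base implementation
     * with the {@code kXRS_cipher} bucket type, the client's public key in PEM
     * form and the client's user name.
     *
     * @throws XrootdException if no delegated proxy has been loaded, or if the
     *                         base implementation fails
     */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    public OutboundAuthenticationRequest handleCertStep(InboundAuthenticationResponse inboundAuthenticationResponse, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        return handleCertStep(inboundAuthenticationResponse, channelHandlerContext, XrootdSecurityProtocol.BucketType.kXRS_cipher, true, Optional.of(getClientPublicKeyPem()), Optional.of(this.client.getUname()));
    }

    /** @return the delegated proxy credential, or {@code null} if none was loaded */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    protected X509Credential getClientCredential() {
        return this.delegatedProxy;
    }

    /** @return client options, always present with value 0 */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    protected Optional<Integer> getClientOpts() {
        return Optional.of(0);
    }

    /** @return the unpadded synchronous cipher mode constant */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler
    protected String getSyncCipherMode() {
        return GSIRequestHandler.SYNC_CIPHER_MODE_UNPADDED;
    }

    /**
     * Loads the proxy delegated to the TPC client, if any, as the client
     * credential and registers its issuer hashes with the credential manager.
     *
     * <p>When the client carries no delegated proxy this method does nothing,
     * leaving the credential {@code null}.
     *
     * @throws XrootdException with code 10026 if the proxy cannot be turned
     *                         into a credential
     */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    protected void loadClientCredential() throws XrootdException {
        LOGGER.debug("Loading client credential.");
        SerializableX509Credential proxy = this.client.getInfo().getDelegatedProxy();
        if (proxy == null) {
            return;
        }
        try {
            this.delegatedProxy = new KeyAndCertCredential(proxy.getPrivateKey(), proxy.getCertChain());
            this.credentialManager.setIssuerHashesFromCredential(this.delegatedProxy);
        } catch (ClassCastException e) {
            // Kept from the listing; only the class of the proxy is reported,
            // never its contents.
            throw new XrootdException(10026, "delegated proxy was of wrong type: " + proxy.getClass());
        } catch (KeyStoreException e) {
            throw new XrootdException(10026, "problem with delegated proxy: " + e.getMessage());
        }
    }

    /** @return {@code true} unless padding has been switched off via {@code noPadding} */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    protected boolean usePadded() {
        return !this.noPadding;
    }

    /**
     * Returns the cipher selected by the base implementation with the session
     * IV delimiter and the number 16 appended.
     *
     * <p>NOTE(review): 16 is presumably the session IV length in bytes;
     * confirm against the base handler. The decompiler reports the original
     * access modifier as {@code protected}.
     */
    @Override // org.dcache.xrootd.plugins.authn.gsi.GSIClientRequestHandler
    public String validateCiphers(InboundAuthenticationResponse inboundAuthenticationResponse) throws XrootdException {
        return super.validateCiphers(inboundAuthenticationResponse) + GSIRequestHandler.SESSION_IV_DELIM + 16;
    }

    /**
     * PEM-encodes the public key of the delegated proxy's certificate.
     *
     * @throws XrootdException with code 10026 if no delegated proxy has been
     *                         loaded, instead of failing with a
     *                         {@link NullPointerException}
     */
    private String getClientPublicKeyPem() throws XrootdException {
        if (this.delegatedProxy == null) {
            // loadClientCredential() leaves the field unset when the client has
            // no delegated proxy; fail the handshake with a protocol error
            // (same code this class uses for other proxy problems).
            throw new XrootdException(10026, "no delegated proxy available for GSI authentication.");
        }
        return CertUtil.toPEM(this.delegatedProxy.getCertificate().getPublicKey().getEncoded(), GSIRequestHandler.PUBLIC_KEY_HEADER, GSIRequestHandler.PUBLIC_KEY_FOOTER);
    }
}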
