package org.dcache.xrootd.plugins.authn.gsi;

import com.google.common.base.Joiner;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker;
import eu.emi.security.authn.x509.helpers.trust.OpensslTruststoreHelper;
import eu.emi.security.authn.x509.impl.PEMCredential;
import eu.emi.security.authn.x509.proxy.ProxyGenerator;
import eu.emi.security.authn.x509.proxy.ProxyRequestOptions;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.ProxyDelegationClient;
import org.dcache.xrootd.util.ProxyRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSICredentialManager.class */
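/**
 * Holds the credentials, CA directory and chain validator used by the xrootd GSI
 * authentication handshake, and tracks the (at most one) outstanding proxy
 * delegation request for this session.
 *
 * <p>Thread-safety: every method that reads or writes {@code proxyRequest} or
 * {@code proxyDelegationClient} is {@code synchronized} on this instance. The
 * lazily computed {@code issuerHashes} cache is idempotent and is deliberately
 * not synchronized, so that {@link #getIssuerHashes()} does not hold the lock
 * while the credential loader runs.
 */
public class GSICredentialManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(GSICredentialManager.class);
    private static final HostnameToCertificateChecker CERT_CHECKER = new HostnameToCertificateChecker();
    private static final CertificateFactory CERTIFICATE_FACTORY;

    /** The xrootd error code this class reports for every failure (as in the original code). */
    private static final int ERROR_CODE = 10026;
    private static final String IDENTITY_MISMATCH =
        "The name of the source server does not match any subject name of the received credential.";

    private final CredentialLoader credentialLoader;
    /** Directory holding CA certificates in OpenSSL {@code <hash>.N} layout; may be unset. */
    private final String caCertificatePath;
    private final X509CertChainValidator certChainValidator;
    private String issuerHashes;
    private X509ProxyDelegationClient proxyDelegationClient;
    private ProxyRequest<X509Certificate[], String> proxyRequest;

    /**
     * Checks that the received certificate is bound to the named source server.
     *
     * <p>The certificate is accepted when either
     * <ul>
     *   <li>one of its subject RDN values equals {@code str}, or ends with
     *       {@code "/" + str} (the {@code CN=host/fqdn} form commonly used by
     *       host certificates — verify this against the certificates in use), or</li>
     *   <li>{@link HostnameToCertificateChecker#checkMatching} accepts it
     *       (CN / subject alternative names, wildcards).</li>
     * </ul>
     * The first test replaces a plain {@code String.contains} on the whole subject
     * DN, which accepted any DN that merely contained the host name as a substring
     * (e.g. {@code CN=evilhost.example.org} for source {@code host.example.org}).
     * Host names are compared case-insensitively.
     *
     * @param x509Certificate the received end-entity certificate
     * @param str             the name of the source server
     * @throws GeneralSecurityException if neither check matches, or an argument is missing
     * @throws UnknownHostException     propagated from the hostname checker
     */
    public static void checkIdentity(X509Certificate x509Certificate, String str) throws GeneralSecurityException, UnknownHostException {
        LOGGER.debug("Checking identity of certificate against source {}.", str);
        if (x509Certificate == null || str == null || str.isEmpty()) {
            // Previously an NPE; a missing name or certificate is simply a failed identity check.
            throw new GeneralSecurityException(IDENTITY_MISMATCH);
        }
        if (subjectRdnMatches(x509Certificate, str) || CERT_CHECKER.checkMatching(str, x509Certificate)) {
            return;
        }
        throw new GeneralSecurityException(IDENTITY_MISMATCH);
    }

    /**
     * Returns whether any RDN value of the certificate's subject (RFC 2253 form)
     * equals {@code name} or ends with {@code "/" + name}, ignoring case.
     */
    private static boolean subjectRdnMatches(X509Certificate cert, String name) {
        String wanted = name.toLowerCase(Locale.ROOT);
        String suffix = "/" + wanted;
        // RFC 2253: comma-separated "type=value" pairs; a '/' inside a value is not escaped.
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            int eq = rdn.indexOf('=');
            if (eq < 0) {
                continue; // fragment of an escaped value, never a whole RDN
            }
            String value = rdn.substring(eq + 1).trim().toLowerCase(Locale.ROOT);
            if (value.equals(wanted) || value.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the {@code "|"}-separated list of distinct OpenSSL CA hashes of the
     * issuers of every certificate in the credential's chain, in chain order.
     */
    private static String generateIssuerHashes(X509Credential x509Credential) {
        Set<String> hashes = new LinkedHashSet<>(); // insertion order keeps the output deterministic
        for (X509Certificate cert : x509Credential.getCertificateChain()) {
            hashes.add(OpensslTruststoreHelper.getOpenSSLCAHash(cert.getIssuerX500Principal(), true));
        }
        return String.join("|", hashes);
    }

    /**
     * Parses one DER- or PEM-encoded X.509 certificate with the Bouncy Castle factory.
     *
     * @throws CertificateException if the bytes are not a parseable certificate
     * @throws NullPointerException if {@code bArr} is null
     */
    public X509Certificate createCertificate(byte[] bArr) throws CertificateException {
        Objects.requireNonNull(bArr, "encoded certificate");
        return (X509Certificate) CERTIFICATE_FACTORY.generateCertificate(new ByteArrayInputStream(bArr));
    }

    /**
     * @param properties             plugin properties; reads {@code xrootd.gsi.ca.path}
     * @param credentialLoader       source of the host credential and client proxy
     * @param x509CertChainValidator validator exposed via {@link #getCertChainValidator()}
     */
    public GSICredentialManager(Properties properties, CredentialLoader credentialLoader, X509CertChainValidator x509CertChainValidator) {
        this.caCertificatePath = properties.getProperty("xrootd.gsi.ca.path");
        this.credentialLoader = credentialLoader;
        this.certChainValidator = x509CertChainValidator;
    }

    /**
     * Cancels the outstanding proxy request at the credential store, if one was
     * sent, and forgets it. Failures to cancel are logged, not propagated.
     */
    public synchronized void cancelOutstandingProxyRequest() {
        if (this.proxyRequest == null || this.proxyRequest.getId() == null) {
            return;
        }
        try {
            // Go through the accessor so a missing client is reported instead of throwing NPE.
            proxyDelegationClient().cancelProxyRequest(this.proxyRequest);
        } catch (XrootdException e) {
            LOGGER.warn("Problem cancelling proxy delegation request {} {}: {}.", new Object[]{((X509Certificate[]) this.proxyRequest.getKey())[0].getSubjectDN(), this.proxyRequest.getId(), e.toString()});
        }
        this.proxyRequest = null;
    }

    /**
     * Verifies that at least one of the CA identities offered by the peer has a
     * certificate file in the configured CA directory.
     *
     * @param strArr CA hashes as sent by the peer (untrusted); null is treated as empty
     * @throws XrootdException if none of them is recognised
     */
    public void checkCaIdentities(String[] strArr) throws XrootdException {
        List<String> recognised = new ArrayList<>();
        if (strArr != null) {
            for (String hash : strArr) {
                if (isValidCaPath(hash)) {
                    recognised.add(hash);
                }
            }
        }
        if (recognised.isEmpty()) {
            throw new XrootdException(ERROR_CODE, "no ca identity is recognized.");
        }
        LOGGER.debug("The following ca hashes are recognized: {}.", recognised);
    }

    /**
     * Completes the delegation: prepends the proxy certificate signed by the
     * client to the client's chain and hands the PEM chain to the credential store.
     *
     * <p>Before the chain leaves this process the signed certificate is checked
     * to be issued by, and verifiable with the public key of, the first
     * certificate of the chain the request was made for; a certificate that is
     * not a proxy of the delegating identity is rejected.
     *
     * @param x509CertificateArr certificates returned by the client; only element 0 is used
     * @return the finalized credential from the store
     * @throws XrootdException if no request is outstanding, the input is empty, the
     *                         signed certificate does not chain to the request, or the store fails
     */
    public synchronized SerializableX509Credential finalizeDelegatedProxy(X509Certificate[] x509CertificateArr) throws XrootdException {
        if (this.proxyRequest == null) {
            throw new XrootdException(ERROR_CODE, "cannot finalize proxy: proxy request was not sent.");
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw new XrootdException(ERROR_CODE, "cannot finalize proxy: no signed proxy certificate received.");
        }
        X509Certificate[] chain = (X509Certificate[]) this.proxyRequest.getKey();
        X509Certificate signedProxy = x509CertificateArr[0];
        X509Certificate delegator = chain[0];
        if (!signedProxy.getIssuerX500Principal().equals(delegator.getSubjectX500Principal())) {
            throw new XrootdException(ERROR_CODE, "cannot finalize proxy: signed certificate was not issued by the delegating identity.");
        }
        try {
            signedProxy.verify(delegator.getPublicKey());
        } catch (GeneralSecurityException e) {
            throw new XrootdException(ERROR_CODE, "cannot finalize proxy: signature of the signed certificate could not be verified: " + e);
        }
        String chainToPEM = CertUtil.chainToPEM(CertUtil.prepend(signedProxy, chain));
        LOGGER.debug("finalizing proxy credential for {}, id {}.", delegator.getSubjectDN(), this.proxyRequest.getId());
        SerializableX509Credential finalized = proxyDelegationClient().finalizeProxyCredential(this.proxyRequest.getId(), chainToPEM);
        this.proxyRequest = null; // only forgotten on success; a failed store call leaves it cancellable
        return finalized;
    }

    /** @return the chain validator given at construction */
    public X509CertChainValidator getCertChainValidator() {
        return this.certChainValidator;
    }

    /** @return the host credential from the credential loader */
    public PEMCredential getHostCredential() {
        return this.credentialLoader.getHostCredential();
    }

    /**
     * Returns the issuer hashes of the loaded proxy, computing and caching them on
     * first use; {@code null} if no proxy is loaded and nothing was set via
     * {@link #setIssuerHashesFromCredential}.
     */
    public String getIssuerHashes() {
        if (this.issuerHashes == null) {
            X509Credential proxy = getProxy();
            if (proxy != null) {
                this.issuerHashes = generateIssuerHashes(proxy);
            }
        }
        return this.issuerHashes;
    }

    /** @return the client proxy credential from the credential loader (may be null) */
    public X509Credential getProxy() {
        return this.credentialLoader.getProxy();
    }

    /**
     * @return the public key of the first certificate of the chain the outstanding
     *         proxy request was made for, or {@code null} if no request is outstanding
     */
    public synchronized PublicKey getSenderPublicKey() {
        if (this.proxyRequest != null) {
            return ((X509Certificate[]) this.proxyRequest.getKey())[0].getPublicKey();
        }
        return null;
    }

    /** @return whether the credential loader is configured for delegation only */
    public boolean isDelegationOnly() {
        return this.credentialLoader.isDelegationOnly();
    }

    /**
     * Asks the credential store for a proxy request (CSR) for the given client
     * chain and remembers it as the outstanding request.
     *
     * <p>NOTE(review): an already outstanding request is silently replaced here
     * without being cancelled at the store; callers are expected to call
     * {@link #cancelOutstandingProxyRequest()} first if that matters.
     *
     * @param x509CertificateArr the authenticated client's certificate chain
     * @return the serialized CSR to send to the client
     * @throws XrootdException if the chain is empty, no store client is set, or the store returned nothing
     */
    public synchronized String prepareSerializedProxyRequest(X509Certificate[] x509CertificateArr) throws XrootdException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw new XrootdException(ERROR_CODE, "cannot request proxy: client certificate chain is empty.");
        }
        LOGGER.debug("Credential manager requesting proxy request (CSR) from client for {}.", x509CertificateArr[0].getSubjectDN());
        this.proxyRequest = proxyDelegationClient().getProxyRequest(x509CertificateArr);
        LOGGER.debug("Credential manager got proxy request (CSR) from client for {}.", x509CertificateArr[0].getSubjectDN());
        if (this.proxyRequest == null) {
            throw new XrootdException(ERROR_CODE, "fetch of proxy request (CSR) failed");
        }
        return (String) this.proxyRequest.getRequest();
    }

    /**
     * Client side: signs the server's proxy request (CSR) with the loaded proxy's
     * private key and returns the resulting proxy chain.
     *
     * @param bArr DER-encoded PKCS#10 request
     * @throws InvalidKeyException  if no proxy credential is loaded
     * @throws IOException          if the CSR cannot be parsed
     * @throws NullPointerException if {@code bArr} is null
     */
    public synchronized X509Certificate[] getSignedProxyRequest(byte[] bArr) throws IOException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, CertificateParsingException, NoSuchProviderException {
        Objects.requireNonNull(bArr, "encoded CSR");
        X509Credential proxy = this.credentialLoader.getProxy();
        if (proxy == null) {
            throw new InvalidKeyException("no proxy credential is loaded to sign the proxy request.");
        }
        ProxyRequestOptions options = new ProxyRequestOptions(proxy.getCertificateChain(), new PKCS10CertificationRequest(bArr));
        // Log only the algorithm: PrivateKey#toString() of common JDK/BC implementations can
        // print the key material, and the previous statement logged the key object itself.
        LOGGER.debug("Client, signing proxy request (CSR) with client private key ({}).", proxy.getKey().getAlgorithm());
        return ProxyGenerator.generate(options, proxy.getKey());
    }

    /**
     * Installs the client used to talk to the credential store.
     *
     * @throws IllegalArgumentException if the client is not an {@link X509ProxyDelegationClient}
     *                                  (previously an unchecked cast raised ClassCastException)
     */
    public synchronized void setProxyDelegationClient(ProxyDelegationClient proxyDelegationClient) {
        if (proxyDelegationClient != null && !(proxyDelegationClient instanceof X509ProxyDelegationClient)) {
            throw new IllegalArgumentException("proxy delegation client must be an X509ProxyDelegationClient, got "
                + proxyDelegationClient.getClass().getName());
        }
        this.proxyDelegationClient = (X509ProxyDelegationClient) proxyDelegationClient;
    }

    /** Overrides the cached issuer hashes with those computed from the given credential. */
    public void setIssuerHashesFromCredential(X509Credential x509Credential) {
        this.issuerHashes = generateIssuerHashes(x509Credential);
    }

    /** @throws XrootdException if no store client has been set */
    private X509ProxyDelegationClient proxyDelegationClient() throws XrootdException {
        if (this.proxyDelegationClient == null) {
            throw new XrootdException(ERROR_CODE, "no client to credential store has been provided.");
        }
        return this.proxyDelegationClient;
    }

    /**
     * Returns whether a CA file for the given peer-supplied identity exists
     * directly inside the configured CA directory.
     *
     * <p>The identity is untrusted input from the handshake. It is confined to a
     * single path component (no {@code /} or {@code \}, not {@code .} or
     * {@code ..}) before it is used, so a peer can no longer probe for arbitrary
     * files on the server (e.g. {@code ../../etc/passwd}, which the previous
     * unrestricted {@code new File(dir, name).exists()} would have reported as a
     * recognised CA). If the CA directory is not configured the answer is
     * {@code false} (fail closed) rather than a lookup relative to the working
     * directory. An identity without a {@code .N} suffix is looked up as
     * {@code <identity>.0}, the OpenSSL-style hash file name.
     */
    private boolean isValidCaPath(String str) {
        if (str == null || this.caCertificatePath == null) {
            return false;
        }
        String name = str.trim();
        if (name.isEmpty() || name.equals(".") || name.equals("..")
            || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) {
            return false;
        }
        if (name.indexOf('.') < 1) {
            name = name + ".0";
        }
        return new File(this.caCertificatePath, name).exists();
    }

    static {
        // The BC provider must be registered by the caller before this class is loaded.
        try {
            CERTIFICATE_FACTORY = CertificateFactory.getInstance("X.509", "BC");
        } catch (NoSuchProviderException e) {
            throw new RuntimeException("Failed to load bouncy castle provider: " + e.getMessage(), e);
        } catch (CertificateException e2) {
            throw new RuntimeException("Failed to create X.509 certificate factory: " + e2.getMessage(), e2);
        }
    }
}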
