package org.dcache.xrootd.plugins.authn.gsi.pre49;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.Subject;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucket;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketUtils;
import org.dcache.xrootd.plugins.authn.gsi.GSICredentialManager;
import org.dcache.xrootd.plugins.authn.gsi.GSIRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.GSIServerRequestHandler;
import org.dcache.xrootd.plugins.authn.gsi.NestedBucketBuffer;
import org.dcache.xrootd.protocol.messages.AuthenticationRequest;
import org.dcache.xrootd.protocol.messages.OkResponse;
import org.dcache.xrootd.protocol.messages.XrootdResponse;
import org.dcache.xrootd.security.XrootdSecurityProtocol;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/pre49/GSIPre49ServerRequestHandler.class */
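/**
 * Server-side GSI authentication handler for the protocol version reported as
 * {@link GSIRequestHandler#PROTO_PRE_DELEGATION}.
 *
 * <p>This variant handles the certificate-request and certificate steps and rejects the
 * proxy-signing step outright. The cryptographic work (cipher/digest validation, session-key
 * finalization, bucket decryption, RSA verification, random-tag verification) is done by
 * methods that are not defined in this class; they are presumably inherited from
 * {@link GSIServerRequestHandler}, and their contracts are not visible from here.
 *
 * <p>Numeric error and step codes are kept as literals. If the protocol classes expose named
 * constants for them, prefer those.
 */
public class GSIPre49ServerRequestHandler extends GSIServerRequestHandler {
    /**
     * Creates a handler bound to the given subject and credential manager.
     *
     * @param subject the subject that receives the client's certificate chain on success
     * @param gSICredentialManager passed through unchanged to the superclass constructor
     * @throws XrootdException if the superclass constructor fails
     */
    public GSIPre49ServerRequestHandler(Subject subject, GSICredentialManager gSICredentialManager) throws XrootdException {
        super(subject, gSICredentialManager);
    }

    /**
     * @return {@link GSIRequestHandler#PROTO_PRE_DELEGATION}
     */
    @Override
    public int getProtocolVersion() {
        return GSIRequestHandler.PROTO_PRE_DELEGATION;
    }

    /**
     * Handles the certificate-request step by delegating to the four-argument overload with
     * {@code false} and the {@code kXRS_puk} bucket type.
     *
     * @param authenticationRequest the request being answered
     * @param bucketData the parsed buckets of the request
     * @return the response produced by the delegated overload
     * @throws XrootdException if the delegated overload rejects the request
     */
    @Override
    public XrootdResponse<AuthenticationRequest> handleCertReqStep(AuthenticationRequest authenticationRequest, GSIBucketUtils.BucketData bucketData) throws XrootdException {
        // NOTE(review): the meaning of the boolean flag is defined by the overload, which is
        // not visible here -- confirm against GSIServerRequestHandler.
        return handleCertReqStep(authenticationRequest, bucketData, false, XrootdSecurityProtocol.BucketType.kXRS_puk);
    }

    /**
     * Handles the certificate step: validates the offered ciphers and digests, finalizes the
     * session key, decrypts the main bucket, verifies the client's certificate chain, and
     * checks the signed random tag.
     *
     * <p>Failure details are written to the server log only; the client receives a generic
     * message, so internal state is not disclosed to an unauthenticated peer.
     *
     * @param authenticationRequest the request being answered
     * @param bucketData the parsed buckets of the request
     * @return an {@link OkResponse} when every check passes
     * @throws XrootdException with code 10007 when the main bucket cannot be deserialized, or
     *     with code 3023 for an invalid key or any other cryptographic failure (including an
     *     empty certificate chain)
     */
    @Override
    public XrootdResponse<AuthenticationRequest> handleCertStep(AuthenticationRequest authenticationRequest, GSIBucketUtils.BucketData bucketData) throws XrootdException {
        try {
            Map<XrootdSecurityProtocol.BucketType, GSIBucket> buckets = bucketData.getBucketMap();
            validateCiphers(buckets);
            validateDigests(buckets);
            finalizeSessionKey(buckets, XrootdSecurityProtocol.BucketType.kXRS_puk);
            NestedBucketBuffer mainBucket = decryptMainBucketWithSessionKey(buckets, "kXGC_cert");
            X509Certificate[] clientChain = processRSAVerification(mainBucket.getNestedBuckets(), Optional.empty());
            // processRSAVerification's contract is not visible here. Fail the handshake
            // cleanly instead of letting clientChain[0] raise an unchecked exception, and
            // never attach an empty credential to the subject.
            if (clientChain == null || clientChain.length == 0) {
                throw new GeneralSecurityException("client certificate chain is empty");
            }
            // NOTE(review): the chain is published on the subject before verifySignedRTag has
            // confirmed the signed random tag. If that check throws, the credential stays on
            // the subject. Confirm callers discard the subject on failure, or move this add
            // after verifySignedRTag once it is confirmed not to read the subject.
            this.subject.getPublicCredentials().add(clientChain);
            this.rsaSession.initializeForDecryption(clientChain[0].getPublicKey());
            verifySignedRTag(mainBucket.getNestedBuckets());
            return new OkResponse<>(authenticationRequest);
        } catch (IOException e) {
            LOGGER.error("Could not deserialize main nested buffer {}", exceptionDetail(e));
            throw new XrootdException(10007, "Could not decrypt encrypted client message.");
        } catch (InvalidKeyException e) {
            LOGGER.error("The key negotiated by DH key exchange appears to be invalid: {}", exceptionDetail(e));
            throw new XrootdException(3023, "Could not decrypt clientinformation with negotiated key.");
        } catch (GeneralSecurityException e) {
            LOGGER.error("Error during decrypting/server-side key exchange: {}", exceptionDetail(e));
            throw new XrootdException(3023, "Error in server-side cryptographic operations.");
        }
    }

    /**
     * Rejects the proxy-request signing step, which this protocol version does not support.
     *
     * @param authenticationRequest ignored
     * @param bucketData ignored
     * @return never returns normally
     * @throws XrootdException always, with code 10026
     */
    @Override
    public XrootdResponse<AuthenticationRequest> handleSigPxyStep(AuthenticationRequest authenticationRequest, GSIBucketUtils.BucketData bucketData) throws XrootdException {
        throw new XrootdException(10026, "proxy request signing step not supported.");
    }

    /**
     * Reports whether the handshake ends with the step carried by {@code bucketData}.
     *
     * @param bucketData the parsed buckets of the current request
     * @return {@code true} when the step code is 1001
     */
    @Override
    public boolean isFinished(GSIBucketUtils.BucketData bucketData) {
        // NOTE(review): 1001 appears to be the code of the step labelled "kXGC_cert" in
        // handleCertStep -- confirm against XrootdSecurityProtocol.
        return 1001 == bucketData.getStep();
    }

    /**
     * @return {@link GSIRequestHandler#SYNC_CIPHER_MODE_PADDED}
     */
    @Override
    protected String getSyncCipherMode() {
        return GSIRequestHandler.SYNC_CIPHER_MODE_PADDED;
    }

    /**
     * Returns loggable text for an exception: its message, or its class name when the message
     * is {@code null}, so a log line never ends in the literal "null".
     */
    private static String exceptionDetail(Throwable failure) {
        String message = failure.getMessage();
        return message == null ? failure.getClass().getName() : message;
    }
}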
