package org.dcache.xrootd.plugins.authn.gsi;

import eu.emi.security.authn.x509.impl.PEMCredential;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.cert.CertificateEncodingException;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.Subject;
import org.dcache.xrootd.core.XrootdException;
import org.dcache.xrootd.plugins.authn.gsi.GSIBucketUtils;
import org.dcache.xrootd.protocol.messages.AuthenticationRequest;
import org.dcache.xrootd.protocol.messages.AuthenticationResponse;
import org.dcache.xrootd.protocol.messages.XrootdResponse;
import org.dcache.xrootd.security.BufferDecrypter;
import org.dcache.xrootd.security.XrootdSecurityProtocol;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIServerRequestHandler.class */
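public abstract class GSIServerRequestHandler extends GSIRequestHandler {

    /**
     * Logger shared by the server-side GSI handshake handlers. Declared {@code final} so the
     * reference cannot be swapped at runtime; subclasses only ever read it.
     */
    protected static final Logger LOGGER = LoggerFactory.getLogger(GSIServerRequestHandler.class);

    /** Response id of the reply sent back from the cert-request step ({@code kXR_authmore}). */
    private static final int AUTHMORE_RESPONSE_ID = 4002;

    /**
     * Server step number reported in the cert-request reply; its name is looked up via
     * {@link XrootdSecurityProtocol#getServerStep(int)}.
     */
    private static final int CERT_REQ_RESPONSE_STEP = 2001;

    /** Subject the handshake attaches the authenticated identity to (set by the constructor). */
    protected final Subject subject;

    /**
     * Assembles the buckets of the server's reply to the client's certificate request:
     * main bucket, crypto module, DH public value, cipher list, digest list and the
     * PEM-encoded host certificate, in that order.
     */
    /* loaded from: input_file:org/dcache/xrootd/plugins/authn/gsi/GSIServerRequestHandler$CertRequestBuckets.class */
    protected class CertRequestBuckets extends GSIBucketContainerBuilder {
        GSIBucket mainBucket;
        RawBucket dhPublicBucket;
        StringBucket cryptoBucket;
        StringBucket cipherBucket;
        StringBucket digestBucket;
        StringBucket hostCertBucket;

        /**
         * @param gSIBucket  the (post-processed) main bucket
         * @param str        crypto module name, sent as {@code kXRS_cryptomod}
         * @param bArr       DH public value, sent as a raw bucket of type {@code bucketType}
         * @param bucketType bucket type under which the DH public value is sent
         * @param str2       cipher algorithm list, sent as {@code kXRS_cipher_alg}
         * @param str3       digest algorithm list, sent as {@code kXRS_md_alg}
         * @param str4       PEM-encoded host certificate, sent as {@code kXRS_x509}
         */
        public CertRequestBuckets(GSIBucket gSIBucket, String str, byte[] bArr, XrootdSecurityProtocol.BucketType bucketType, String str2, String str3, String str4) {
            this.mainBucket = gSIBucket;
            this.cryptoBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cryptomod, str);
            this.dhPublicBucket = new RawBucket(bucketType, bArr);
            this.cipherBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_cipher_alg, str2);
            this.digestBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_md_alg, str3);
            this.hostCertBucket = new StringBucket(XrootdSecurityProtocol.BucketType.kXRS_x509, str4);
        }

        /** Builds the container; bucket order here is the wire order of the reply. */
        @Override // org.dcache.xrootd.plugins.authn.gsi.GSIBucketContainerBuilder
        public GSIBucketContainer buildContainer() {
            return build(this.mainBucket, this.cryptoBucket, this.dhPublicBucket, this.cipherBucket, this.digestBucket, this.hostCertBucket);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates the handler and its Diffie-Hellman session.
     *
     * @param subject               subject the handshake result is attached to
     * @param gSICredentialManager  manager supplying the host credential and CA checks
     * @throws XrootdException if the DH session cannot be set up (typically a JCE/configuration
     *                         problem); the cause is logged, the client gets a generic message
     */
    public GSIServerRequestHandler(Subject subject, GSICredentialManager gSICredentialManager) throws XrootdException {
        super(gSICredentialManager);
        this.subject = subject;
        try {
            // NOTE(review): the second DHSession argument depends on the negotiated protocol
            // version (0 below 10400, otherwise 16); its meaning is not visible in this file —
            // confirm against DHSession before changing either value.
            this.dhSession = new DHSession(true, getProtocolVersion() < 10400 ? 0 : 16);
        } catch (GeneralSecurityException e) {
            LOGGER.error("Error setting up cryptographic classes: {}", e.getMessage(), e);
            throw new XrootdException(10024, "dCache GSI module probably misconfigured.");
        }
    }

    /** @return the buffer handler used to decrypt client payloads after the handshake */
    public BufferDecrypter getDecrypter() {
        return this.bufferHandler;
    }

    /** Aborts a handshake in progress by cancelling any proxy request still outstanding. */
    public void cancelHandshake() {
        this.credentialManager.cancelOutstandingProxyRequest();
    }

    /**
     * Handles the client's certificate-request step; provided by the protocol-version-specific
     * subclass.
     */
    public abstract XrootdResponse<AuthenticationRequest> handleCertReqStep(AuthenticationRequest authenticationRequest, GSIBucketUtils.BucketData bucketData) throws XrootdException;

    /** Handles the client's certificate step; provided by the subclass. */
    public abstract XrootdResponse<AuthenticationRequest> handleCertStep(AuthenticationRequest authenticationRequest, GSIBucketUtils.BucketData bucketData) throws XrootdException;

    /** Handles the client's signed-proxy step; provided by the subclass. */
    public abstract XrootdResponse<AuthenticationRequest> handleSigPxyStep(AuthenticationRequest authenticationRequest, GSIBucketUtils.BucketData bucketData) throws XrootdException;

    /** @return whether the given buckets complete the handshake; decided by the subclass. */
    public abstract boolean isFinished(GSIBucketUtils.BucketData bucketData);

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Shared implementation of the cert-request step: validates the client's crypto mode and
     * issuer hashes, primes the RSA session with the host key and answers with a
     * {@code kXR_authmore} response carrying the server's buckets.
     *
     * @param authenticationRequest the client's authentication request
     * @param bucketData            the parsed buckets of that request
     * @param z                     forwarded unchanged to {@code dhParams}
     * @param bucketType            bucket type under which the DH public value is sent
     * @return the response for the client
     * @throws XrootdException propagated unchanged from the validation helpers, or raised here when
     *                         signing or encoding of the host certificate fails (details are logged,
     *                         the client only sees a generic message)
     */
    public XrootdResponse<AuthenticationRequest> handleCertReqStep(AuthenticationRequest authenticationRequest, GSIBucketUtils.BucketData bucketData, boolean z, XrootdSecurityProtocol.BucketType bucketType) throws XrootdException {
        try {
            Map<XrootdSecurityProtocol.BucketType, GSIBucket> buckets = bucketData.getBucketMap();

            // NOTE(review): stringContent() and the kXRS_main lookup below assume the client sent
            // every expected bucket with the expected type; a missing or mistyped bucket surfaces
            // as NullPointerException/ClassCastException rather than an XrootdException. Confirm
            // the channel pipeline turns those into a handshake failure and not a hung session.
            validateCryptoMode(stringContent(buckets, XrootdSecurityProtocol.BucketType.kXRS_cryptomod));
            String[] issuerHashes = stringContent(buckets, XrootdSecurityProtocol.BucketType.kXRS_issuer_hash).split("[|]");
            this.credentialManager.checkCaIdentities(issuerHashes);

            PEMCredential hostCredential = this.credentialManager.getHostCredential();
            this.rsaSession.initializeForEncryption(hostCredential.getKey());

            NestedBucketBuffer mainBuffer = (NestedBucketBuffer) buckets.get(XrootdSecurityProtocol.BucketType.kXRS_main);
            GSIBucket mainBucket = postProcessMainBucket(mainBuffer.getNestedBuckets(), Optional.empty(), CERT_REQ_RESPONSE_STEP);
            GSIBucketContainer container = new CertRequestBuckets(
                  mainBucket,
                  GSIRequestHandler.CRYPTO_MODE,
                  dhParams(z),
                  bucketType,
                  GSIRequestHandler.SUPPORTED_CIPHER_ALGORITHM,
                  GSIRequestHandler.SUPPORTED_DIGESTS,
                  encodedHostCert(hostCredential)).buildContainer();

            return new AuthenticationResponse(
                  authenticationRequest,
                  AUTHMORE_RESPONSE_ID,
                  GSIBucketUtils.getLengthForRequest(container),
                  new GSIBucketUtils.BucketSerializerBuilder()
                        .withStreamId(Integer.valueOf(authenticationRequest.getStreamId()))
                        .withRequestId(AUTHMORE_RESPONSE_ID)
                        .withProtocol(GSIRequestHandler.PROTOCOL)
                        .withStep(CERT_REQ_RESPONSE_STEP)
                        .withStepName(XrootdSecurityProtocol.getServerStep(CERT_REQ_RESPONSE_STEP))
                        .withBuckets(container.getBuckets())
                        .withTitle("//               Authentication Response")
                        .build());
        // The two specific GeneralSecurityException subclasses must be caught before the generic
        // multi-catch; in the reverse order the later handlers are unreachable and do not compile.
        } catch (InvalidKeyException e) {
            LOGGER.error("Configured host-key could not be used for signing: {}", e.getMessage(), e);
            throw new XrootdException(10026, "Error when trying to sign client authentication tag.");
        } catch (CertificateEncodingException e) {
            LOGGER.error("Could not extract contents of server certificate: {}", e.getMessage(), e);
            throw new XrootdException(10026, "Error when trying to send server certificate.");
        } catch (IOException | GeneralSecurityException e) {
            // Some JCE exceptions carry no message; fall back to the class name so the log
            // entry still identifies the failure.
            String detail = e.getMessage() == null ? e.getClass().getName() : e.getMessage();
            LOGGER.error("Problems during signing of client authN tag (algorithm {}): {}", GSIRequestHandler.ASYNC_CIPHER_MODE, detail, e);
            throw new XrootdException(10026, "Error when trying to sign client authentication tag.");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the client's {@code kXRS_cipher_alg} list (colon separated).
     *
     * @param map the request's buckets, keyed by type
     * @return the selected cipher, as chosen by the array-based overload
     * @throws XrootdException propagated from the array-based overload
     */
    public String validateCiphers(Map<XrootdSecurityProtocol.BucketType, GSIBucket> map) throws XrootdException {
        return validateCiphers(stringContent(map, XrootdSecurityProtocol.BucketType.kXRS_cipher_alg).split("[:]"));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the client's {@code kXRS_md_alg} list (colon separated).
     *
     * @param map the request's buckets, keyed by type
     * @return the selected digest, as chosen by the array-based overload
     * @throws XrootdException propagated from the array-based overload
     */
    public String validateDigests(Map<XrootdSecurityProtocol.BucketType, GSIBucket> map) throws XrootdException {
        return validateDigests(stringContent(map, XrootdSecurityProtocol.BucketType.kXRS_md_alg).split("[:]"));
    }

    /**
     * Reads the string payload of the bucket of the given type.
     * <p>
     * Throws {@link NullPointerException} if the bucket is absent and {@link ClassCastException}
     * if it is not a {@link StringBucket}; callers currently rely on the surrounding pipeline to
     * handle those for malformed client input.
     */
    private static String stringContent(Map<XrootdSecurityProtocol.BucketType, GSIBucket> buckets, XrootdSecurityProtocol.BucketType type) {
        return ((StringBucket) buckets.get(type)).getContent();
    }

    /**
     * @param pEMCredential the host credential
     * @return the host certificate in PEM encoding
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    private String encodedHostCert(PEMCredential pEMCredential) throws CertificateEncodingException {
        LOGGER.debug("Getting encoded host certificate from PEM credential.");
        return CertUtil.certToPEM(pEMCredential.getCertificate());
    }
}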
