package org.dcache.xrootd.core;

import com.google.common.base.Strings;
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Arrays;
import java.util.Formatter;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import org.dcache.xrootd.protocol.messages.ErrorResponse;
import org.dcache.xrootd.protocol.messages.SigverRequest;
import org.dcache.xrootd.protocol.messages.XrootdRequest;
import org.dcache.xrootd.security.BufferDecrypter;
import org.dcache.xrootd.security.SigningPolicy;

/* loaded from: input_file:org/dcache/xrootd/core/XrootdSigverDecoder.class */
public class XrootdSigverDecoder extends AbstractXrootdDecoder {
    private final BufferDecrypter decryptionHandler;
    private final SigningPolicy signingPolicy;
    private SigverRequest currentSigverRequest;
    private long lastSeqNo = -1;

    private static String printHex(byte[] bArr) {
        Formatter formatter = new Formatter();
        for (byte b : bArr) {
            formatter.format("%02x", Byte.valueOf(b));
        }
        return formatter.toString();
    }

    public XrootdSigverDecoder(SigningPolicy signingPolicy, BufferDecrypter bufferDecrypter) {
        this.signingPolicy = signingPolicy;
        this.decryptionHandler = bufferDecrypter;
    }

    protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) {
        int verifyMessageLength = verifyMessageLength(byteBuf);
        if (verifyMessageLength < 0) {
            channelHandlerContext.channel().close();
            return;
        }
        if (verifyMessageLength == 0) {
            return;
        }
        ByteBuf readSlice = byteBuf.readSlice(verifyMessageLength);
        XrootdRequest request = getRequest(readSlice);
        try {
            if (request instanceof SigverRequest) {
                setSigver((SigverRequest) request);
                return;
            }
            int requestId = request.getRequestId();
            if (this.signingPolicy.requiresSigning(request)) {
                verifySignedHash(request.getStreamId(), requestId, readSlice, channelHandlerContext);
            }
            list.add(request);
        } catch (XrootdException e) {
            channelHandlerContext.writeAndFlush(new ErrorResponse(request, e.getError(), Strings.nullToEmpty(e.getMessage()))).addListener(ChannelFutureListener.FIRE_EXCEPTION_ON_FAILURE);
        }
    }

    private void setSigver(SigverRequest sigverRequest) throws XrootdException {
        if (sigverRequest.getSeqno() <= this.lastSeqNo) {
            throw new XrootdException(3022, "signed hash verification: bad sequence number.");
        }
        if (sigverRequest.getVersion() != 0) {
            throw new XrootdException(3022, "signed hash verification: unsupported version number.");
        }
        if (sigverRequest.isRSAKey()) {
            throw new XrootdException(3022, "signed hash verification: unsupported use of RSA key.");
        }
        if (!sigverRequest.isSHA256()) {
            throw new XrootdException(3022, "signed hash verification: unsupported crypto hash.");
        }
        this.currentSigverRequest = sigverRequest;
    }

    private void verifySignedHash(int i, int i2, ByteBuf byteBuf, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        boolean isForceSigning = this.signingPolicy.isForceSigning();
        LOGGER.debug("calling verify signed hash for request {} on stream {}, force {}.", new Object[]{Integer.valueOf(i2), Integer.valueOf(i), Boolean.valueOf(isForceSigning)});
        if (this.currentSigverRequest == null) {
            if (this.decryptionHandler != null || isForceSigning) {
                throw new XrootdException(3022, "signed hash verification: did not receive preceding sigver request.");
            }
            LOGGER.debug("skipping verify signed hash for request {} on stream {}.", Integer.valueOf(i2), Integer.valueOf(i));
            return;
        }
        if (this.currentSigverRequest.getStreamId() != i) {
            throw new XrootdException(3022, "signed hash verification: stream id mismatch.");
        }
        if (this.currentSigverRequest.getExpectrid() != i2) {
            throw new XrootdException(3022, "signed hash verification: request id mismatch.");
        }
        byte[] bArr = null;
        if (this.decryptionHandler != null) {
            try {
                this.currentSigverRequest.decrypt(this.decryptionHandler);
                bArr = this.currentSigverRequest.getSignature();
            } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                throw new XrootdException(3023, e.toString());
            }
        } else if (isForceSigning) {
            bArr = this.currentSigverRequest.getSignature();
        }
        if (bArr != null) {
            compareHashes(bArr, generateHash(this.currentSigverRequest.getSeqno(), extractContents(i2, this.currentSigverRequest.getFlags(), byteBuf), channelHandlerContext));
        }
        LOGGER.debug("verify signed hash for request {} on stream {}, force {}, succeeded.", new Object[]{Integer.valueOf(i2), Integer.valueOf(i), Boolean.valueOf(isForceSigning)});
        updateSeqNo();
    }

    private void compareHashes(byte[] bArr, byte[] bArr2) throws XrootdException {
        if (bArr.length != bArr2.length) {
            LOGGER.info("compareHashes, different lengths:\n\treceived {}\n\tgenerated {}", printHex(bArr), printHex(bArr2));
            throw new XrootdException(3022, "signed hash verification: received hash length does not match generated hash.");
        }
        if (Arrays.equals(bArr, bArr2)) {
            return;
        }
        LOGGER.info("compareHashes, do not match:\n\treceived {}\n\tgenerated {}", printHex(bArr), printHex(bArr2));
        throw new XrootdException(3022, "signed hash verification: received hash does not match generated hash.");
    }

    private byte[] extractContents(int i, int i2, ByteBuf byteBuf) throws XrootdException {
        int readableBytes;
        if (i != 3019) {
            readableBytes = byteBuf.readableBytes();
        } else {
            if (i2 != 1) {
                throw new XrootdException(3022, "signed hash verification: kXR_nodata not set, cannot verify write request.");
            }
            readableBytes = 24;
        }
        byte[] bArr = new byte[readableBytes];
        byteBuf.getBytes(0, bArr);
        return bArr;
    }

    private byte[] generateHash(long j, byte[] bArr, ChannelHandlerContext channelHandlerContext) throws XrootdException {
        ByteBuf buffer = channelHandlerContext.alloc().buffer(8 + bArr.length);
        try {
            try {
                buffer.writeLong(j);
                buffer.writeBytes(bArr);
                byte[] bArr2 = new byte[buffer.readableBytes()];
                buffer.getBytes(0, bArr2);
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(bArr2);
                buffer.release();
                return digest;
            } catch (NoSuchAlgorithmException e) {
                throw new XrootdException(3022, e.toString());
            }
        } catch (Throwable th) {
            buffer.release();
            throw th;
        }
    }

    private void updateSeqNo() {
        this.lastSeqNo = this.currentSigverRequest.getSeqno();
        this.currentSigverRequest = null;
    }
}
