package org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.server.preauth.pkinit;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.crypto.interfaces.DHPublicKey;
import org.apache.hadoop.shaded.org.apache.commons.lang3.time.DateUtils;
import org.apache.hadoop.shaded.org.apache.kerby.asn1.Asn1;
import org.apache.hadoop.shaded.org.apache.kerby.asn1.parse.Asn1Container;
import org.apache.hadoop.shaded.org.apache.kerby.asn1.parse.Asn1ParseResult;
import org.apache.hadoop.shaded.org.apache.kerby.asn1.type.Asn1Integer;
import org.apache.hadoop.shaded.org.apache.kerby.asn1.type.Asn1Object;
import org.apache.hadoop.shaded.org.apache.kerby.cms.type.CertificateChoices;
import org.apache.hadoop.shaded.org.apache.kerby.cms.type.CertificateSet;
import org.apache.hadoop.shaded.org.apache.kerby.cms.type.ContentInfo;
import org.apache.hadoop.shaded.org.apache.kerby.cms.type.EncapsulatedContentInfo;
import org.apache.hadoop.shaded.org.apache.kerby.cms.type.SignedData;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.crypto.dh.DiffieHellmanServer;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPlgCryptoContext;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.server.KdcContext;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.server.request.KdcRequest;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.CheckSum;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.kdc.KdcOption;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.DhRepInfo;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsReq;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.PkAuthenticator;
import org.apache.hadoop.shaded.org.apache.kerby.x509.type.DhParameter;
import org.apache.hadoop.shaded.org.apache.kerby.x509.type.SubjectPublicKeyInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/shaded/org/apache/kerby/kerberos/kerb/server/preauth/pkinit/PkinitPreauth.class */
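/**
 * KDC-side PKINIT (RFC 4556) pre-authentication plugin.
 *
 * <p>For a {@code PK_AS_REQ} pa-data entry, {@link #verify} decodes the client's
 * {@code AuthPack}, checks its signed/anonymous wrapping, the client's {@code ctime}
 * and the {@code paChecksum} over the request body, then runs the Diffie-Hellman key
 * agreement and queues a {@code PK_AS_REP} carrying the KDC's DH public value. Only the
 * DH key-agreement mode of PKINIT is implemented here: a request that carries no
 * {@code clientPublicValue} is rejected instead of being passed through without a key.
 *
 * <p>Malformed input now fails closed: every decode/parse error that the earlier
 * version only logged (and then hit a {@code NullPointerException} on) is turned into a
 * {@code KDC_ERR_PREAUTH_FAILED}.
 *
 * <p>The per-realm context map is filled in {@link #initWith} and read without
 * synchronisation in {@link #verify}; this assumes initialisation finishes before
 * requests are served (not verified here).
 */
public class PkinitPreauth extends AbstractPreauthPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(PkinitPreauth.class);

    /**
     * Index of req-body among the children of the decoded KDC-REQ sequence.
     * KDC-REQ is SEQUENCE { pvno, msg-type, padata OPTIONAL, req-body }; padata is
     * necessarily present for a PK_AS_REQ, so req-body is the fourth child.
     */
    private static final int REQ_BODY_INDEX = 3;

    /** Lifetime advertised for the KDC's DH key in the reply (one day from now). */
    private static final long DH_KEY_LIFETIME_MILLIS = DateUtils.MILLIS_PER_DAY;

    /** PKINIT state per KDC realm, keyed by realm name. */
    private final Map<String, PkinitKdcContext> pkinitContexts;

    public PkinitPreauth() {
        super(new PkinitPreauthMeta());
        this.pkinitContexts = new HashMap<String, PkinitKdcContext>(1);
    }

    /**
     * Registers a PKINIT context for the KDC's realm, carrying the configured
     * {@code pkinit.identity} (the KDC certificate/key locations used to sign replies).
     */
    @Override
    public void initWith(KdcContext kdcContext) {
        super.initWith(kdcContext);
        PkinitKdcContext realmContext = new PkinitKdcContext();
        realmContext.realm = kdcContext.getKdcRealm();
        realmContext.identityOpts.identity = kdcContext.getConfig().getPkinitIdentity();
        this.pkinitContexts.put(kdcContext.getKdcRealm(), realmContext);
    }

    @Override
    public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
        return new PkinitRequestContext();
    }

    /**
     * Verifies one PKINIT pa-data entry.
     *
     * @param kdcRequest           the AS request being processed; on success its client key is
     *                             replaced by the DH-derived key and a PK_AS_REP entry is queued
     * @param pluginRequestContext the {@link PkinitRequestContext} created by
     *                             {@link #initRequestContext}
     * @param paDataEntry          the pa-data entry to verify
     * @return {@code false} if no PKINIT context exists for the server realm or the raw
     *         request bytes are unavailable; {@code true} otherwise. Note that any pa-data
     *         type other than {@code PK_AS_REQ} is accepted here without inspection.
     * @throws KrbException with {@code KDC_ERR_PREAUTH_FAILED} on malformed input, clock
     *                      skew, an unsigned non-anonymous request or a missing DH value, and
     *                      with {@code KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED} on a checksum mismatch
     */
    @Override
    public boolean verify(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext,
                          PaDataEntry paDataEntry) throws KrbException {
        LOG.info("pkinit verify padata: entered!");
        PkinitRequestContext requestContext = (PkinitRequestContext) pluginRequestContext;
        PrincipalName serverPrincipal = kdcRequest.getServerEntry().getPrincipal();
        kdcRequest.setServerPrincipal(serverPrincipal);

        PkinitKdcContext realmContext = findContext(serverPrincipal);
        if (realmContext == null) {
            return false;
        }

        requestContext.paType = paDataEntry.getPaDataType();
        if (paDataEntry.getPaDataType() != PaDataType.PK_AS_REQ) {
            return true;
        }
        LOG.info("processing PK_AS_REQ");

        PaPkAsReq paPkAsReq = (PaPkAsReq) KrbCodec.decode(paDataEntry.getPaDataValue(), PaPkAsReq.class);
        byte[] signedAuthPack = paPkAsReq.getSignedAuthPack();
        AuthPack authPack = kdcRequest.isAnonymous()
                ? decodeAnonymousAuthPack(signedAuthPack)
                : decodeSignedAuthPack(kdcRequest, signedAuthPack);

        PkAuthenticator pkAuthenticator = authPack.getPkAuthenticator();
        checkClockskew(kdcRequest, pkAuthenticator.getCtime());

        // RFC 4556 3.2.1: paChecksum binds the AuthPack to this exact KDC-REQ-BODY.
        byte[] reqBody = extractReqBody(kdcRequest);
        if (reqBody == null) {
            LOG.error("ReqBodyBytes isn't available");
            return false;
        }
        verifyPaChecksum(reqBody, pkAuthenticator.getPaChecksum());

        // Only the DH key-agreement mode is implemented. Without a clientPublicValue there
        // is nothing to derive a reply key from, so neither anonymous nor certificate-based
        // (public-key encryption mode) requests can be completed here; fail closed rather
        // than returning success without ever setting a client key.
        SubjectPublicKeyInfo clientPublicValue = authPack.getClientPublicValue();
        if (clientPublicValue == null || clientPublicValue.getSubjectPubKey() == null) {
            if (kdcRequest.isAnonymous()) {
                LOG.error("Anonymous pkinit without DH public value not supported.");
                throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED,
                        "Anonymous pkinit without DH public value not supported.");
            }
            LOG.error("Pkinit public-key encryption mode (no DH public value) not supported.");
            throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED,
                    "Pkinit public-key encryption mode (no DH public value) not supported.");
        }

        DhParameter dhParameter = (DhParameter) clientPublicValue.getAlgorithm().getParametersAs(DhParameter.class);
        // Validates the client-proposed group (p, g) against the KDC's policy; the
        // implementation is not visible here.
        PkinitCrypto.serverCheckDH(realmContext.pluginOpts, realmContext.cryptoctx, dhParameter);
        // NOTE(review): the client's public value y itself is not range-checked in this
        // class (0 < y < p-1, RFC 2785); confirm that createDHPublicKey or the JCE
        // KeyAgreement used by DiffieHellmanServer rejects out-of-range values.
        DHPublicKey clientDhKey = PkinitCrypto.createDHPublicKey(dhParameter.getP(), dhParameter.getG(),
                ((Asn1Integer) KrbCodec.decode(clientPublicValue.getSubjectPubKey().getValue(), Asn1Integer.class))
                        .getValue());

        DiffieHellmanServer dhServer = new DiffieHellmanServer();
        DHPublicKey serverDhKey;
        try {
            serverDhKey = (DHPublicKey) dhServer.initAndDoPhase(clientDhKey.getEncoded());
        } catch (Exception e) {
            // Previously only logged, after which generateKey()/getY() dereferenced null state.
            throw preauthFailure("Fail to create server public key.", e);
        }
        kdcRequest.setClientKey(dhServer.generateKey(null, null, kdcRequest.getEncryptionType()));
        kdcRequest.getPreauthContext().getOutputPaData()
                .add(makeEntry(makePaPkAsRep(serverDhKey, realmContext.identityOpts.identity)));
        return true;
    }

    /**
     * Anonymous PKINIT: the signedAuthPack field carries a bare EncapsulatedContentInfo with
     * no CMS signature to check; only the embedded AuthPack is decoded.
     */
    private static AuthPack decodeAnonymousAuthPack(byte[] signedAuthPack) throws KrbException {
        EncapsulatedContentInfo encapsulated = new EncapsulatedContentInfo();
        try {
            encapsulated.decode(signedAuthPack);
        } catch (IOException e) {
            throw preauthFailure("Fail to decode signedAuthPack", e);
        }
        return (AuthPack) KrbCodec.decode(encapsulated.getContent(), AuthPack.class);
    }

    /**
     * Non-anonymous PKINIT: decodes the CMS ContentInfo/SignedData wrapper, hands it to
     * {@code PkinitCrypto.verifyCmsSignedData} and extracts the AuthPack.
     *
     * <p>NOTE(review): an unsigned SignedData is rejected here only when the request sets
     * REQUEST_ANONYMOUS and the client is not the anonymous principal. An unsigned
     * AuthPack from a client that does not set that flag falls through and is accepted by
     * this method unless {@code verifyCmsSignedData} (not visible here) already rejects it;
     * confirm that before relying on this path for non-anonymous clients.
     */
    private static AuthPack decodeSignedAuthPack(KdcRequest kdcRequest, byte[] signedAuthPack)
            throws KrbException {
        ContentInfo contentInfo = new ContentInfo();
        try {
            contentInfo.decode(signedAuthPack);
        } catch (IOException e) {
            throw preauthFailure("Fail to decode signedAuthPack", e);
        }
        SignedData signedData = (SignedData) contentInfo.getContentAs(SignedData.class);
        PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_CLIENT, signedData);

        if (signedData.isSigned()) {
            LOG.info("Signed data.");
        } else {
            PrincipalName clientPrincipal = kdcRequest.getClientEntry().getPrincipal();
            PrincipalName anonymousPrincipal = KrbUtil.makeAnonymousPrincipal();
            boolean requestedAnonymous = kdcRequest.getKdcOptions().isFlagSet(KdcOption.REQUEST_ANONYMOUS);
            if (requestedAnonymous && !KrbUtil.pricipalCompareIgnoreRealm(clientPrincipal, anonymousPrincipal)) {
                LOG.error("Pkinit request not signed, but client not anonymous.");
                throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED,
                        "Pkinit request not signed, but client not anonymous.");
            }
        }
        return (AuthPack) KrbCodec.decode(signedData.getEncapContentInfo().getContent(), AuthPack.class);
    }

    /**
     * Returns the raw DER body of the KDC-REQ-BODY element of the incoming request, or
     * {@code null} if the raw request bytes are unavailable or the element is missing.
     *
     * @throws KrbException if the raw request bytes cannot be parsed as ASN.1
     */
    private static byte[] extractReqBody(KdcRequest kdcRequest) throws KrbException {
        byte[] reqPackage = kdcRequest.getReqPackage();
        if (reqPackage == null) {
            return null;
        }
        Asn1Object parsed;
        try {
            parsed = Asn1.parse(reqPackage);
        } catch (IOException e) {
            throw preauthFailure("Fail to parse reqPackage", e);
        }
        // Outer element is the [APPLICATION 10] AS-REQ tag; its single child is the KDC-REQ sequence.
        Asn1Container kdcReq = (Asn1Container) ((Asn1Container) parsed).getChildren().get(0);
        List<Asn1ParseResult> fields = kdcReq.getChildren();
        if (fields.size() <= REQ_BODY_INDEX) {
            return null;
        }
        ByteBuffer bodyBuffer = fields.get(REQ_BODY_INDEX).getBodyBuffer();
        byte[] reqBody = new byte[bodyBuffer.remaining()];
        bodyBuffer.get(reqBody);
        return reqBody;
    }

    /**
     * Recomputes the NIST_SHA (SHA-1, as RFC 4556 3.2.1 specifies) checksum over the
     * request body and compares it with the paChecksum the client sent.
     *
     * @throws KrbException {@code KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED} if the checksum is
     *                      absent or differs; any failure to compute the checksum is rethrown
     */
    private static void verifyPaChecksum(byte[] reqBody, byte[] paChecksum) throws KrbException {
        CheckSum expected;
        try {
            expected = CheckSumUtil.makeCheckSum(CheckSumType.NIST_SHA, reqBody);
        } catch (KrbException e) {
            LOG.error("Unable to calculate AS REQ checksum.", e);
            throw e;
        }
        // The checksum covers wire-visible plaintext, so a constant-time compare is not required.
        if (paChecksum == null || !Arrays.equals(expected.getChecksum(), paChecksum)) {
            LOG.debug("received checksum length: {}, expected checksum type: {}, expected checksum length: {}",
                    paChecksum == null ? 0 : paChecksum.length, expected.getCksumtype(),
                    expected.getChecksum().length);
            LOG.error("Failed to match the checksum.");
            throw new KrbException(KrbErrorCode.KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED,
                    "Failed to match the checksum.");
        }
    }

    /** Looks up the PKINIT context for the realm of the given principal; {@code null} if none. */
    private PkinitKdcContext findContext(PrincipalName principalName) {
        return this.pkinitContexts.get(principalName.getRealm());
    }

    /**
     * Wraps the reply in a PK_AS_REP pa-data entry.
     *
     * @throws KrbException if the reply cannot be DER-encoded (previously the entry was
     *                      returned with a null value)
     */
    private static PaDataEntry makeEntry(PaPkAsRep paPkAsRep) throws KrbException {
        PaDataEntry entry = new PaDataEntry();
        entry.setPaDataType(PaDataType.PK_AS_REP);
        try {
            entry.setPaDataValue(paPkAsRep.encode());
        } catch (IOException e) {
            throw preauthFailure("Fail to encode PaDataEntry", e);
        }
        return entry;
    }

    /**
     * Builds the PA-PK-AS-REP: a KDCDHKeyInfo holding the KDC's DH public value, wrapped in
     * CMS SignedData together with the KDC certificates loaded from {@code identity}.
     *
     * <p>NOTE(review): a fresh DH key is generated per request, yet the reply sets
     * {@code nonce = 0} and a dhKeyExpiration; RFC 4556 3.2.3.1 ties those two values to
     * the "DH keys are reused" case and otherwise expects the pkAuthenticator nonce.
     * Left unchanged to avoid an interop change — confirm against the client in use.
     *
     * @param serverDhKey the KDC's DH public key from this request's key agreement
     * @param identity    comma-separated certificate locations, or {@code null}
     */
    private static PaPkAsRep makePaPkAsRep(DHPublicKey serverDhKey, String identity) throws KrbException {
        List<X509Certificate> kdcCerts = loadKdcCertificates(identity);

        KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo();
        kdcDhKeyInfo.setSubjectPublicKey(KrbCodec.encode(new Asn1Integer(serverDhKey.getY())));
        kdcDhKeyInfo.setNonce(0);
        kdcDhKeyInfo.setDHKeyExpiration(new KerberosTime(System.currentTimeMillis() + DH_KEY_LIFETIME_MILLIS));

        CertificateSet certificateSet = new CertificateSet();
        for (X509Certificate cert : kdcCerts) {
            CertificateChoices choice = new CertificateChoices();
            choice.setCertificate(PkinitCrypto.changeToCertificate(cert));
            certificateSet.addElement(choice);
        }

        DhRepInfo dhRepInfo = new DhRepInfo();
        dhRepInfo.setDHSignedData(PkinitCrypto.cmsSignedDataCreate(KrbCodec.encode(kdcDhKeyInfo),
                PkinitPlgCryptoContext.getIdPkinitDHKeyDataOID(), 3, null, certificateSet, null, null));

        PaPkAsRep paPkAsRep = new PaPkAsRep();
        paPkAsRep.setDHRepInfo(dhRepInfo);
        return paPkAsRep;
    }

    /**
     * Loads the first certificate from each comma-separated location in {@code identity}.
     * Locations that fail to load are logged and skipped; a {@code null} identity yields an
     * empty list (with a warning), so the reply is then sent without KDC certificates.
     */
    private static List<X509Certificate> loadKdcCertificates(String identity) {
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        if (identity == null) {
            LOG.warn("No PKINIT identity keys specified");
            return certs;
        }
        for (String location : identity.split(",")) {
            try {
                List<Certificate> loaded = CertificateHelper.loadCerts(location);
                if (!loaded.isEmpty()) {
                    certs.add((X509Certificate) loaded.get(0));
                }
            } catch (KrbException e) {
                LOG.warn("Error loading X.509 Certificate", e);
            }
        }
        return certs;
    }

    /**
     * Rejects the request if the client's ctime lies outside the configured clock skew.
     * The configured skew is in seconds; {@code 1000L} keeps the conversion in long
     * arithmetic regardless of the getter's return type.
     *
     * @return {@code true} when within skew
     * @throws KrbException {@code KDC_ERR_PREAUTH_FAILED} otherwise
     */
    private static boolean checkClockskew(KdcRequest kdcRequest, KerberosTime ctime) throws KrbException {
        long skewMillis = kdcRequest.getKdcContext().getConfig().getAllowableClockSkew() * 1000L;
        if (ctime.isInClockSkew(skewMillis)) {
            return true;
        }
        throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED);
    }

    /**
     * Logs {@code message} with its cause and builds the KDC_ERR_PREAUTH_FAILED exception to
     * throw, keeping the original cause attached.
     */
    private static KrbException preauthFailure(String message, Throwable cause) {
        LOG.error(message, cause);
        KrbException failure = new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED, message);
        try {
            failure.initCause(cause);
        } catch (IllegalStateException ignored) {
            // cause already set by the KrbException constructor; the log line above keeps it
        }
        return failure;
    }
}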
