package io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit;

import io.hops.hadoop.shaded.org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.CertificateSet;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.DigestAlgorithmIdentifiers;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.EncapsulatedContentInfo;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.RevocationInfoChoices;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.SignedContentInfo;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.SignedData;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.SignerInfos;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbCodec;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbErrorCode;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbException;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import io.hops.hadoop.shaded.org.apache.kerby.util.HexUtil;
import io.hops.hadoop.shaded.org.apache.kerby.x509.type.Certificate;
import io.hops.hadoop.shaded.org.apache.kerby.x509.type.DhParameter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-client-runtime-3.2.0.6-EE-SNAPSHOT.jar:io/hops/hadoop/shaded/org/apache/kerby/kerberos/kerb/preauth/pkinit/PkinitCrypto.class */
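/**
 * Helper routines used by the PKINIT pre-authentication mechanism: building and
 * sanity-checking CMS {@code SignedData}, validating client Diffie-Hellman
 * parameters against well-known groups, and converting / validating X.509
 * certificates.
 *
 * <p>Several methods in this class are incomplete as shipped: {@link #createCertChain}
 * does not build a chain and {@link #cryptoRetrieveX509Sans} never extracts any SAN,
 * so {@link #verifyKdcSan} cannot currently report a match. The Javadoc on each
 * method states exactly what is and is not checked so that callers do not assume
 * more verification than is performed.
 *
 * <p>All methods are static and stateless apart from logging.
 */
public class PkinitCrypto {
    private static final Logger LOG = LoggerFactory.getLogger(PkinitCrypto.class);

    /** OID of the CMS / PKCS#7 {@code signedData} content type. */
    private static final String SIGNED_DATA_OID = "1.2.840.113549.1.7.2";

    /** Modulus sizes, in bits, of the well-known DH groups accepted by {@link #checkDHWellknown}. */
    private static final int[] WELL_KNOWN_DH_BITS = {1024, 2048, 4096};

    /**
     * Checks that the {@code eContentType} carried in a CMS {@code SignedData} is the OID
     * expected for the given PKINIT message type.
     *
     * <p>Only the content-type OID is compared. This method does <b>not</b> verify the CMS
     * signature, the signer's certificate or the message digest; a normal return must not
     * be taken as proof that the data is authentic.
     *
     * @param cmsMessageType the PKINIT message type the caller expects
     * @param signedData the decoded SignedData whose eContentType is inspected
     * @throws KrbException if no OID is known for {@code cmsMessageType}; with
     *     {@link KrbErrorCode#KDC_ERR_PREAUTH_FAILED} if the encapsulated content info is
     *     missing or its OID does not match
     */
    public static void verifyCmsSignedData(CmsMessageType cmsMessageType, SignedData signedData) throws KrbException {
        String expectedOid = pkinitType2OID(cmsMessageType);
        if (expectedOid == null) {
            throw new KrbException("Can't get the right oid ");
        }
        if (signedData == null || signedData.getEncapContentInfo() == null) {
            String msg = "Missing eContentInfo in SignedData";
            LOG.error(msg);
            throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED, msg);
        }
        if (!expectedOid.equals(signedData.getEncapContentInfo().getContentType())) {
            LOG.error("Wrong oid in eContentType");
            throw new KrbException(KrbErrorCode.KDC_ERR_PREAUTH_FAILED, "Wrong oid in eContentType");
        }
        // Deliberately not "verification successful": only the eContentType OID was checked.
        LOG.info("CMS eContentType OID check successful");
    }

    /**
     * Maps a PKINIT CMS message type to the eContentType OID it must carry.
     *
     * @param cmsMessageType the message type, may be {@code null}
     * @return the OID string, or {@code null} for {@code UNKNOWN}, {@code null} input or any
     *     unmapped constant
     */
    public static String pkinitType2OID(CmsMessageType cmsMessageType) {
        if (cmsMessageType == null) {
            return null;
        }
        switch (cmsMessageType) {
            case CMS_SIGN_CLIENT:
                return PkinitPlgCryptoContext.getIdPkinitAuthDataOID();
            case CMS_SIGN_SERVER:
                return PkinitPlgCryptoContext.getIdPkinitDHKeyDataOID();
            case CMS_ENVEL_SERVER:
                return PkinitPlgCryptoContext.getIdPkinitRkeyDataOID();
            case UNKNOWN:
            default:
                return null;
        }
    }

    /**
     * KDC-side check of the Diffie-Hellman parameters proposed by a client: the modulus must
     * be at least {@code pluginOpts.dhMinBits} long and {@code (p, g)} must be one of the
     * well-known groups (see {@link #checkDHWellknown}).
     *
     * @param pluginOpts plugin options providing the minimum modulus size
     * @param pkinitPlgCryptoContext crypto context used to look up the well-known group
     * @param dhParameter the client's DH parameters
     * @throws KrbException with {@link KrbErrorCode#KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED}
     *     if the modulus is missing, too short, or not a well-known group
     */
    public static void serverCheckDH(PluginOpts pluginOpts, PkinitPlgCryptoContext pkinitPlgCryptoContext, DhParameter dhParameter) throws KrbException {
        if (dhParameter == null || dhParameter.getP() == null) {
            String msg = "client sent dh params without a modulus";
            LOG.error(msg);
            throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, msg);
        }
        int modulusBits = dhParameter.getP().bitLength();
        if (modulusBits < pluginOpts.dhMinBits) {
            String msg = "client sent dh params with " + modulusBits + " bits, we require " + pluginOpts.dhMinBits;
            LOG.error(msg);
            throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, msg);
        }
        if (!checkDHWellknown(pkinitPlgCryptoContext, dhParameter, modulusBits)) {
            throw new KrbException(KrbErrorCode.KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED);
        }
    }

    /**
     * Returns whether {@code dhParameter} equals the well-known DH group of the given size.
     *
     * @param pkinitPlgCryptoContext context that supplies the reference group for a size
     * @param dhParameter the parameters to compare
     * @param i modulus size in bits; only 1024, 2048 and 4096 are recognised
     * @return {@code true} only if {@code i} is a recognised size and both {@code p} and
     *     {@code g} match the reference group; {@code false} otherwise
     * @throws KrbException if the reference group cannot be created
     */
    public static boolean checkDHWellknown(PkinitPlgCryptoContext pkinitPlgCryptoContext, DhParameter dhParameter, int i) throws KrbException {
        if (!isWellKnownDhSize(i)) {
            LOG.error("dh modulus of " + i + " bits is not a well-known group size");
            return false;
        }
        return pkinitCheckDhParams(pkinitPlgCryptoContext.createDHParameterSpec(i), dhParameter);
    }

    /** Returns whether {@code bits} is one of {@link #WELL_KNOWN_DH_BITS}. */
    private static boolean isWellKnownDhSize(int bits) {
        for (int known : WELL_KNOWN_DH_BITS) {
            if (known == bits) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares the modulus {@code p} and generator {@code g} of a client's DH parameters with
     * a reference {@link DHParameterSpec}.
     *
     * @param dHParameterSpec the reference (well-known) group
     * @param dhParameter the parameters under test; {@code null} is rejected
     * @return {@code true} if both {@code p} and {@code g} are equal to the reference
     */
    public static boolean pkinitCheckDhParams(DHParameterSpec dHParameterSpec, DhParameter dhParameter) {
        if (dhParameter == null) {
            LOG.error("no dhparameter to check");
            return false;
        }
        if (!dHParameterSpec.getP().equals(dhParameter.getP())) {
            LOG.error("p is not well-known group dhparameter");
            return false;
        }
        if (!dHParameterSpec.getG().equals(dhParameter.getG())) {
            LOG.error("bad g dhparameter");
            return false;
        }
        // SLF4J placeholder so the bit length actually appears in the log line.
        LOG.info("Good dhparams, {} bits", Integer.valueOf(dHParameterSpec.getP().bitLength()));
        return true;
    }

    /**
     * Builds a {@link DHPublicKey} from raw group parameters and a public value.
     *
     * @param bigInteger the modulus {@code p}
     * @param bigInteger2 the generator {@code g}
     * @param bigInteger3 the public value {@code y}
     * @return the key, or {@code null} if no DH {@link KeyFactory} is available or the
     *     values do not form a valid key spec (the failure is logged)
     */
    public static DHPublicKey createDHPublicKey(BigInteger bigInteger, BigInteger bigInteger2, BigInteger bigInteger3) {
        // DHPublicKeySpec takes (y, p, g).
        DHPublicKeySpec keySpec = new DHPublicKeySpec(bigInteger3, bigInteger, bigInteger2);
        try {
            KeyFactory factory = KeyFactory.getInstance("DH");
            return (DHPublicKey) factory.generatePublic(keySpec);
        } catch (NoSuchAlgorithmException e) {
            LOG.error("Fail to get dh instance.", e);
        } catch (InvalidKeySpecException e) {
            LOG.error("Fail to generate public key.", e);
        }
        return null;
    }

    /**
     * Encodes a CMS {@code SignedContentInfo} (content type id-signedData) wrapping the
     * given encapsulated content.
     *
     * <p>This method only assembles and DER-encodes the structure; it does not compute any
     * digest or signature. Whatever the caller passes in {@code signerInfos} is used as-is.
     *
     * @param bArr the eContent bytes
     * @param str the eContentType OID
     * @param i the SignedData version
     * @param digestAlgorithmIdentifiers digest algorithms, skipped when {@code null}
     * @param certificateSet certificates to include, skipped when {@code null}
     * @param revocationInfoChoices CRLs to include, skipped when {@code null}
     * @param signerInfos signer infos to include, skipped when {@code null}
     * @return the DER encoding of the SignedContentInfo
     * @throws KrbException if encoding fails
     */
    public static byte[] cmsSignedDataCreate(byte[] bArr, String str, int i, DigestAlgorithmIdentifiers digestAlgorithmIdentifiers, CertificateSet certificateSet, RevocationInfoChoices revocationInfoChoices, SignerInfos signerInfos) throws KrbException {
        SignedData signedData = new SignedData();
        signedData.setVersion(i);
        if (digestAlgorithmIdentifiers != null) {
            signedData.setDigestAlgorithms(digestAlgorithmIdentifiers);
        }
        EncapsulatedContentInfo eContentInfo = new EncapsulatedContentInfo();
        eContentInfo.setContentType(str);
        eContentInfo.setContent(bArr);
        signedData.setEncapContentInfo(eContentInfo);
        if (certificateSet != null) {
            signedData.setCertificates(certificateSet);
        }
        if (revocationInfoChoices != null) {
            signedData.setCrls(revocationInfoChoices);
        }
        if (signerInfos != null) {
            signedData.setSignerInfos(signerInfos);
        }

        SignedContentInfo contentInfo = new SignedContentInfo();
        contentInfo.setContentType(SIGNED_DATA_OID);
        contentInfo.setSignedData(signedData);
        return KrbCodec.encode(contentInfo);
    }

    /**
     * Encodes an {@code EncapsulatedContentInfo} with the given content type and content.
     *
     * @param bArr the eContent bytes
     * @param str the eContentType OID
     * @return the DER encoding
     * @throws KrbException if encoding fails
     */
    public static byte[] eContentInfoCreate(byte[] bArr, String str) throws KrbException {
        EncapsulatedContentInfo eContentInfo = new EncapsulatedContentInfo();
        eContentInfo.setContentType(str);
        eContentInfo.setContent(bArr);
        return KrbCodec.encode(eContentInfo);
    }

    /**
     * Placeholder for certificate-chain construction.
     *
     * <p>No chain is built: the method logs and returns an array of three {@code null}
     * entries. Callers must null-check every element; the context argument is unused.
     *
     * @param pkinitPlgCryptoContext unused
     * @return an array of length 3 whose entries are all {@code null}
     */
    public static X509Certificate[] createCertChain(PkinitPlgCryptoContext pkinitPlgCryptoContext) throws CertificateNotYetValidException, CertificateExpiredException {
        LOG.info("Building certificate chain.");
        return new X509Certificate[3];
    }

    /**
     * Client-side check that the KDC certificate carries an id-pkinit-san matching the
     * expected KDC principal.
     *
     * <p>{@code str} (the configured pkinit_kdc_hostname) is only logged here; the decision is
     * based solely on the SANs returned by {@link #cryptoRetrieveCertSans}. Because that
     * method currently never extracts any SAN, this method returns {@code false} for every
     * non-empty certificate list.
     *
     * @param str configured KDC hostname, may be {@code null}
     * @param principalName the expected KDC principal
     * @param list the KDC certificate(s)
     * @return {@code true} only if a SAN equal to {@code principalName} was found
     *     (equality per {@code PrincipalName.equals}, not checked here)
     * @throws KrbException with {@link KrbErrorCode#KDC_NAME_MISMATCH} if the SANs cannot be decoded
     */
    public static boolean verifyKdcSan(String str, PrincipalName principalName, List<Certificate> list) throws KrbException {
        if (str == null) {
            LOG.info("No pkinit_kdc_hostname values found in config file");
        } else {
            LOG.info("pkinit_kdc_hostname values found in config file");
        }
        try {
            List<PrincipalName> sans = cryptoRetrieveCertSans(list);
            if (sans == null) {
                return false;
            }
            for (PrincipalName san : sans) {
                LOG.info("PKINIT client found id-pkinit-san in KDC cert: " + san.getName());
            }
            LOG.info("Checking pkinit sans.");
            if (sans.contains(principalName)) {
                LOG.info("pkinit san match found");
                return true;
            }
            LOG.info("no pkinit san match found");
            return false;
        } catch (KrbException e) {
            String msg = "PKINIT client failed to decode SANs in KDC cert." + e;
            LOG.error(msg, e);
            throw new KrbException(KrbErrorCode.KDC_NAME_MISMATCH, msg);
        }
    }

    /**
     * Retrieves the PKINIT SANs of the given certificates.
     *
     * @param list the certificates, may be {@code null}
     * @return {@code null} when the list is {@code null} or empty, otherwise the result of
     *     {@link #cryptoRetrieveX509Sans}
     * @throws KrbException propagated from {@link #cryptoRetrieveX509Sans}
     */
    public static List<PrincipalName> cryptoRetrieveCertSans(List<Certificate> list) throws KrbException {
        if (list == null || list.isEmpty()) {
            LOG.info("no certificate!");
            return null;
        }
        return cryptoRetrieveX509Sans(list);
    }

    /**
     * Placeholder for SAN extraction.
     *
     * <p>Logs the subject of each certificate but does not parse any extension; the
     * returned list is always empty.
     *
     * @param list the certificates to inspect
     * @return an empty, mutable list
     */
    public static List<PrincipalName> cryptoRetrieveX509Sans(List<Certificate> list) throws KrbException {
        List<PrincipalName> sans = new ArrayList<PrincipalName>();
        for (Certificate cert : list) {
            LOG.info("Looking for SANs in cert: " + cert.getTBSCertificate().getSubject());
        }
        return sans;
    }

    /**
     * Validates {@code list} as a PKIX certification path rooted at {@code x509Certificate}.
     *
     * <p>Each Kerby {@code Certificate} is re-encoded and parsed by the JDK X.509 factory,
     * the resulting path is validated with the PKIX validator, and {@code x509Certificate}
     * is the sole trust anchor. Revocation checking (CRL/OCSP) is switched off, so a revoked
     * certificate in the path still validates; any revocation policy must be enforced by the
     * caller.
     *
     * @param list the path to validate, end-entity first as required by PKIX
     * @param x509Certificate the trust anchor
     * @throws CertPathValidatorException if the path does not validate
     * @throws IOException if a certificate cannot be re-encoded
     */
    public static void validateChain(List<Certificate> list, X509Certificate x509Certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, CertPathValidatorException, IOException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>(list.size());
        for (Certificate cert : list) {
            ByteArrayInputStream encoded = new ByteArrayInputStream(cert.encode());
            chain.add((X509Certificate) factory.generateCertificate(encoded));
        }
        CertPath certPath = factory.generateCertPath(chain);

        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(x509Certificate, null));
        PKIXParameters params = new PKIXParameters(anchors);
        // Revocation is intentionally disabled here (unchanged behaviour); see Javadoc.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    /**
     * Decodes a hex string containing a DER-encoded OBJECT IDENTIFIER.
     *
     * @param str hex text accepted by {@code HexUtil.hex2bytesFriendly}
     * @return the decoded OID
     * @throws KrbException if the bytes are not a valid DER OID
     */
    public static Asn1ObjectIdentifier createOid(String str) throws KrbException {
        Asn1ObjectIdentifier oid = new Asn1ObjectIdentifier();
        oid.useDER();
        KrbCodec.decode(HexUtil.hex2bytesFriendly(str), oid);
        return oid;
    }

    /**
     * Converts a JDK {@link X509Certificate} into a Kerby {@code Certificate} by re-decoding
     * its DER encoding.
     *
     * @param x509Certificate the certificate to convert
     * @return the decoded certificate; on failure the error is logged and the returned
     *     object may be empty or partially populated
     */
    public static Certificate changeToCertificate(X509Certificate x509Certificate) {
        Certificate certificate = new Certificate();
        try {
            certificate.decode(x509Certificate.getEncoded());
        } catch (IOException e) {
            LOG.error("Fail to decode certificate.", e);
        } catch (CertificateEncodingException e) {
            LOG.error("Fail to encode x509 certificate.", e);
        }
        return certificate;
    }
}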
