package io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.preauth.pkinit;

import io.hops.hadoop.shaded.org.apache.kerby.KOptions;
import io.hops.hadoop.shaded.org.apache.kerby.asn1.type.Asn1Integer;
import io.hops.hadoop.shaded.org.apache.kerby.asn1.type.Asn1ObjectIdentifier;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.CertificateChoices;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.CertificateSet;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.ContentInfo;
import io.hops.hadoop.shaded.org.apache.kerby.cms.type.SignedData;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbCodec;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbErrorCode;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbException;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.KrbContext;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.PkinitOption;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.preauth.AbstractPreauthPlugin;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.request.KdcRequest;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.common.KrbUtil;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.crypto.dh.DhGroup;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.crypto.dh.DiffieHellmanClient;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.PaFlag;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.PaFlags;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.CertificateHelper;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.CmsMessageType;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitCrypto;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitIdenity;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPlgCryptoContext;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.preauth.pkinit.PkinitPreauthMeta;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.KerberosTime;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.CheckSum;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.PaData;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.AuthPack;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.KdcDhKeyInfo;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsRep;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.PaPkAsReq;
import io.hops.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.pkinit.PkAuthenticator;
import io.hops.hadoop.shaded.org.apache.kerby.x509.type.AlgorithmIdentifier;
import io.hops.hadoop.shaded.org.apache.kerby.x509.type.DhParameter;
import io.hops.hadoop.shaded.org.apache.kerby.x509.type.SubjectPublicKeyInfo;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-client-runtime-3.2.0.0-RC2.jar:io/hops/hadoop/shaded/org/apache/kerby/kerberos/kerb/client/preauth/pkinit/PkinitPreauth.class */
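/**
 * Client-side PKINIT pre-authentication plugin.
 *
 * <p>On the first round it builds a {@code PA-PK-AS-REQ} carrying a signed
 * {@code AuthPack} (with a Diffie-Hellman public value when RSA key transport is
 * not selected); on the reply it verifies the KDC's CMS signature, validates the
 * KDC certificate chain against the configured anchor, checks the KDC SAN and
 * derives the AS reply key from the DH exchange.
 *
 * <p>Failures that the original code only logged and then ran into a
 * {@code NullPointerException} (DH init failure, undecodable CMS content,
 * missing DH client state) are now reported as {@link KrbException}s, and a
 * KDC certificate whose SAN does not match is rejected instead of being
 * accepted with an error log line.
 */
public class PkinitPreauth extends AbstractPreauthPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(PkinitPreauth.class);

    /** OID string handed to {@link PkinitCrypto#createOid} for the DH public-key algorithm identifier. */
    private static final String DH_KEY_AGREEMENT_OID = "0x06 07 2A 86 48 ce 3e 02 01";

    /** Per-plugin state (identity and plugin options); created in {@link #init(KrbContext)}. */
    private PkinitContext pkinitContext;

    public PkinitPreauth() {
        super(new PkinitPreauthMeta());
    }

    /**
     * Initialises the plugin and allocates a fresh {@link PkinitContext}.
     *
     * @param krbContext the client context handed to every preauth plugin
     */
    @Override
    public void init(KrbContext krbContext) {
        super.init(krbContext);
        this.pkinitContext = new PkinitContext();
    }

    /**
     * Creates the per-request context, seeded with the plugin-wide options.
     *
     * @param kdcRequest the request being prepared (unused here)
     * @return a new {@link PkinitRequestContext}
     */
    @Override
    public PluginRequestContext initRequestContext(KdcRequest kdcRequest) {
        PkinitRequestContext requestContext = new PkinitRequestContext();
        requestContext.updateRequestOpts(this.pkinitContext.pluginOpts);
        return requestContext;
    }

    /**
     * Copies the PKINIT-related {@link KOptions} into the plugin context.
     *
     * <p>{@code X509_ANCHORS} without a value falls back to the anchors from the
     * client configuration; with a value it is taken as a single anchor entry.
     *
     * @param kdcRequest           request whose configuration supplies default anchors
     * @param pluginRequestContext per-request context (unused here)
     * @param kOptions             options supplied by the caller
     */
    @Override
    public void setPreauthOptions(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext, KOptions kOptions) {
        if (kOptions.contains(PkinitOption.X509_IDENTITY)) {
            this.pkinitContext.identityOpts.identity = kOptions.getStringOption(PkinitOption.X509_IDENTITY);
        }
        if (kOptions.contains(PkinitOption.X509_ANCHORS)) {
            String anchorsOption = kOptions.getStringOption(PkinitOption.X509_ANCHORS);
            if (anchorsOption == null) {
                this.pkinitContext.identityOpts.anchors.addAll(
                        kdcRequest.getContext().getConfig().getPkinitAnchors());
            } else {
                this.pkinitContext.identityOpts.anchors.add(anchorsOption);
            }
        }
        if (kOptions.contains(PkinitOption.USING_RSA)) {
            this.pkinitContext.pluginOpts.usingRsa = kOptions.getBooleanOption(PkinitOption.USING_RSA, true);
        }
    }

    /**
     * Loads the client identity (certificate / key material) once per request.
     *
     * @param kdcRequest           request supplying the client principal
     * @param pluginRequestContext per-request context; its {@code identityInitialized}
     *                             flag makes this idempotent
     */
    @Override
    public void prepareQuestions(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext) {
        PkinitRequestContext requestContext = (PkinitRequestContext) pluginRequestContext;
        if (requestContext.identityInitialized) {
            return;
        }
        PkinitIdenity.initialize(requestContext.identityOpts, kdcRequest.getClientPrincipal());
        requestContext.identityInitialized = true;
    }

    /**
     * Adds the initial {@code PA-PK-AS-REQ} entry to the outgoing pre-auth data.
     *
     * <p>The checksum over the encoded request body is computed first so that a
     * failure there is reported with the "Fail to encode checksum." message only;
     * errors from building the request itself propagate unchanged.
     *
     * @param kdcRequest           request whose body is checksummed and whose nonce is used
     * @param pluginRequestContext per-request context
     * @param paData               pre-auth data the new entry is appended to
     * @throws KrbException if the checksum or the request cannot be built
     */
    @Override
    public void tryFirst(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext, PaData paData)
            throws KrbException {
        int nonce = kdcRequest.getChosenNonce();
        long nowMillis = System.currentTimeMillis();
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(new Date(nowMillis));
        // NOTE(review): the "cusec" field is filled with the wall-clock seconds value,
        // as the original code did; RFC 4556 defines cusec as microseconds — confirm with the KDC side.
        int cusec = calendar.get(Calendar.SECOND);

        CheckSum paChecksum;
        try {
            paChecksum = CheckSumUtil.makeCheckSum(CheckSumType.NIST_SHA,
                    KrbCodec.encode(kdcRequest.getKdcReq().getReqBody()));
        } catch (KrbException e) {
            throw new KrbException("Fail to encode checksum.", e);
        }

        PaPkAsReq request = makePaPkAsReq(kdcRequest, (PkinitRequestContext) pluginRequestContext,
                cusec, new KerberosTime(nowMillis), nonce, paChecksum);
        paData.addElement(makeEntry(request));
    }

    /**
     * Handles one pre-auth entry returned by the KDC.
     *
     * <p>A {@code PK_AS_REQ} entry is treated as a request to (re)generate our
     * request (currently a no-op, see {@link #generateRequest}); any other entry is
     * passed to {@link #processReply}, which only acts on {@code PK_AS_REP}.
     *
     * @return {@code false} only when {@code paDataEntry} is {@code null}
     * @throws KrbException if a {@code PK_AS_REP} fails verification or key derivation
     */
    @Override
    public boolean process(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext,
                           PaDataEntry paDataEntry, PaData paData) throws KrbException {
        if (paDataEntry == null) {
            return false;
        }
        PkinitRequestContext requestContext = (PkinitRequestContext) pluginRequestContext;
        if (paDataEntry.getPaDataType() == PaDataType.PK_AS_REQ) {
            generateRequest(requestContext, kdcRequest, paData);
            return true;
        }
        processReply(kdcRequest, requestContext, paDataEntry, kdcRequest.getEncType());
        return true;
    }

    /**
     * Placeholder for regenerating the request after a KDC hint; intentionally empty
     * in this version of the plugin.
     */
    private void generateRequest(PkinitRequestContext requestContext, KdcRequest kdcRequest, PaData paData) {
        // no-op: kept so that process()/tryAgain() keep their call structure
    }

    /**
     * Builds the {@code PA-PK-AS-REQ}.
     *
     * <p>With RSA key transport the auth pack is built but, as in the original code,
     * no signed auth pack is attached. With DH key transport a fresh
     * {@link DiffieHellmanClient} is initialised on {@code MODP_GROUP2}, stored in the
     * request context for the reply, and its public value is embedded in the auth
     * pack, which is then CMS-signed.
     *
     * @param cusec    client time, sub-second part as supplied by the caller
     * @param ctime    client time
     * @param nonce    the request nonce
     * @param checkSum checksum over the encoded KDC-REQ-BODY
     * @throws KrbException if the DH client cannot be initialised or the pack cannot be signed
     */
    private PaPkAsReq makePaPkAsReq(KdcRequest kdcRequest, PkinitRequestContext requestContext,
                                    int cusec, KerberosTime ctime, int nonce, CheckSum checkSum)
            throws KrbException {
        LOG.info("Making the PK_AS_REQ.");
        requestContext.paType = PaDataType.PK_AS_REQ;

        PkAuthenticator pkAuthenticator = new PkAuthenticator();
        pkAuthenticator.setCusec(cusec);
        pkAuthenticator.setCtime(ctime);
        pkAuthenticator.setNonce(nonce);
        pkAuthenticator.setPaChecksum(checkSum.getChecksum());

        AuthPack authPack = new AuthPack();
        authPack.setPkAuthenticator(pkAuthenticator);
        authPack.setsupportedCmsTypes(this.pkinitContext.pluginOpts.createSupportedCMSTypes());

        PaPkAsReq paPkAsReq = new PaPkAsReq();
        if (this.pkinitContext.pluginOpts.usingRsa) {
            LOG.info("RSA key transport algorithm");
            // NOTE(review): the RSA path leaves signedAuthPack unset, exactly as before.
        } else {
            LOG.info("DH key transport algorithm.");
            authPack.setClientPublicValue(createClientDhValue(requestContext));
            paPkAsReq.setSignedAuthPack(signAuthPack(authPack));
        }
        paPkAsReq.setTrustedCertifiers(this.pkinitContext.pluginOpts.createTrustedCertifiers());
        return paPkAsReq;
    }

    /**
     * Initialises the DH client, records it in the request context and returns the
     * client's public value as a {@link SubjectPublicKeyInfo}.
     *
     * @throws KrbException if key generation fails or yields no parameters (the
     *                      original code logged and then dereferenced {@code null})
     */
    private SubjectPublicKeyInfo createClientDhValue(PkinitRequestContext requestContext) throws KrbException {
        DiffieHellmanClient dhClient = new DiffieHellmanClient();
        DHPublicKey clientPublicKey;
        try {
            clientPublicKey = dhClient.init(DhGroup.MODP_GROUP2);
        } catch (Exception e) {
            LOG.error("DiffieHellmanClient init with failure. " + e);
            throw new KrbException("DiffieHellmanClient init with failure.", e);
        }
        // Needed later to complete the exchange with the KDC's public value.
        requestContext.setDhClient(dhClient);

        DHParameterSpec params = clientPublicKey == null ? null : clientPublicKey.getParams();
        if (params == null) {
            LOG.error("Fail to get params from client public key.");
            throw new KrbException("Fail to get params from client public key.");
        }

        DhParameter dhParameter = new DhParameter();
        dhParameter.setP(params.getP());
        dhParameter.setG(params.getG());
        // q = (p - 1) / 2, i.e. p >> 1 for an odd modulus, as the original computed it.
        dhParameter.setQ(params.getP().shiftRight(1));

        Asn1ObjectIdentifier dhOid = PkinitCrypto.createOid(DH_KEY_AGREEMENT_OID);
        AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier();
        algorithmIdentifier.setAlgorithm(dhOid.getValue());
        algorithmIdentifier.setParameters(dhParameter);

        SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo();
        subjectPublicKeyInfo.setAlgorithm(algorithmIdentifier);
        subjectPublicKeyInfo.setSubjectPubKey(KrbCodec.encode(new Asn1Integer(clientPublicKey.getY())));
        return subjectPublicKeyInfo;
    }

    /** Wraps the DER-encoded auth pack in a CMS content info under the PKINIT auth-data OID. */
    private byte[] signAuthPack(AuthPack authPack) throws KrbException {
        return PkinitCrypto.eContentInfoCreate(KrbCodec.encode(authPack),
                PkinitPlgCryptoContext.getIdPkinitAuthDataOID());
    }

    /**
     * Verifies a {@code PK_AS_REP} and derives the AS reply key.
     *
     * <p>Steps: decode the DH signed data, verify the CMS signature, validate the KDC
     * certificate chain against the first configured anchor, check the KDC SAN, then
     * finish the DH exchange and install the resulting key on {@code kdcRequest}.
     * Certificate problems are reported with {@code KDC_ERR_INVALID_CERTIFICATE};
     * key-derivation problems are reported as plain {@link KrbException}s rather than
     * being mislabelled as certificate errors.
     *
     * @param encryptionType enctype for the derived AS key
     * @throws KrbException on any verification or derivation failure
     */
    private void processReply(KdcRequest kdcRequest, PkinitRequestContext requestContext,
                              PaDataEntry paDataEntry, EncryptionType encryptionType) throws KrbException {
        if (paDataEntry.getPaDataType() != PaDataType.PK_AS_REP) {
            return;
        }
        LOG.info("processing PK_AS_REP");

        PaPkAsRep paPkAsRep = (PaPkAsRep) KrbCodec.decode(paDataEntry.getPaDataValue(), PaPkAsRep.class);
        if (paPkAsRep.getDHRepInfo() == null) {
            // Only the DH reply form is supported here; a reply without dhInfo would have
            // produced a NullPointerException before.
            throw new KrbException("PK_AS_REP carries no DH reply info");
        }
        SignedData signedData = decodeSignedData(paPkAsRep.getDHRepInfo().getDHSignedData());
        PkinitCrypto.verifyCmsSignedData(CmsMessageType.CMS_SIGN_SERVER, signedData);

        X509Certificate anchor = loadAnchor(kdcRequest);
        List kdcCerts = collectKdcCerts(signedData);
        try {
            PkinitCrypto.validateChain(kdcCerts, anchor);
            String kdcHostName = kdcRequest.getContext().getConfig().getPkinitKdcHostName();
            if (!PkinitCrypto.verifyKdcSan(kdcHostName,
                    KrbUtil.makeTgsPrincipal(kdcRequest.getContext().getConfig().getKdcRealm()), kdcCerts)) {
                // A KDC certificate that does not name this KDC must not be accepted.
                LOG.error("Did not find an acceptable SAN in KDC certificate");
                throw new KrbException("Did not find an acceptable SAN in KDC certificate");
            }
        } catch (Exception e) {
            throw new KrbException(KrbErrorCode.KDC_ERR_INVALID_CERTIFICATE, e);
        }
        LOG.info("skipping EKU check");
        LOG.info("as_rep: DH key transport algorithm");

        kdcRequest.setAsKey(deriveAsKey(signedData, requestContext, encryptionType));
    }

    /**
     * Decodes the CMS content info and returns its {@link SignedData}.
     *
     * @throws KrbException if the bytes do not decode or hold no SignedData
     */
    private static SignedData decodeSignedData(byte[] dhSignedData) throws KrbException {
        ContentInfo contentInfo = new ContentInfo();
        try {
            contentInfo.decode(dhSignedData);
        } catch (IOException e) {
            LOG.error("Fail to decode dhSignedData. " + e);
            throw new KrbException("Fail to decode dhSignedData.", e);
        }
        SignedData signedData = (SignedData) contentInfo.getContentAs(SignedData.class);
        if (signedData == null) {
            throw new KrbException("dhSignedData does not contain SignedData");
        }
        return signedData;
    }

    /**
     * Loads the trust anchor used to validate the KDC certificate chain.
     *
     * <p>Only the first entry of {@code pkinit_anchors} is consulted, as in the
     * original code.
     *
     * @throws KrbException if no anchors are configured or the first one yields no certificate
     */
    private static X509Certificate loadAnchor(KdcRequest kdcRequest) throws KrbException {
        List<String> anchors = kdcRequest.getContext().getConfig().getPkinitAnchors();
        if (anchors == null || anchors.isEmpty()) {
            LOG.error("No PKINIT anchors specified");
            throw new KrbException("No PKINIT anchors specified");
        }
        List<Certificate> loaded;
        try {
            loaded = CertificateHelper.loadCerts(anchors.get(0));
        } catch (KrbException e) {
            LOG.error("Fail to load certs from archor file. " + e);
            throw new KrbException("Failed to load PKINIT anchor", e);
        }
        if (loaded == null || loaded.isEmpty()) {
            LOG.error("Failed to load PKINIT anchor");
            throw new KrbException("Failed to load PKINIT anchor");
        }
        return (X509Certificate) loaded.get(0);
    }

    /**
     * Collects the certificates carried in the CMS SignedData.
     *
     * <p>Returned as a raw {@code List} because the element type (whatever
     * {@code CertificateChoices.getCertificate()} returns) is not importable here
     * without clashing with {@code java.security.cert.Certificate} — presumably the
     * reason the original used a raw {@code ArrayList}.
     *
     * @throws KrbException if the SignedData carries no certificates
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static List collectKdcCerts(SignedData signedData) throws KrbException {
        CertificateSet certificateSet = signedData.getCertificates();
        if (certificateSet == null || certificateSet.getElements().isEmpty()) {
            throw new KrbException("No PKINIT Certs");
        }
        List certs = new ArrayList();
        for (Object element : certificateSet.getElements()) {
            certs.add(((CertificateChoices) element).getCertificate());
        }
        return certs;
    }

    /**
     * Completes the DH exchange with the KDC's public value and derives the AS key.
     *
     * @throws KrbException if the KdcDhKeyInfo cannot be decoded, no DH client was
     *                      created for this request (e.g. RSA was selected), or the
     *                      key agreement fails
     */
    private static EncryptionKey deriveAsKey(SignedData signedData, PkinitRequestContext requestContext,
                                             EncryptionType encryptionType) throws KrbException {
        if (signedData.getEncapContentInfo() == null) {
            throw new KrbException("SignedData carries no encapsulated content");
        }
        KdcDhKeyInfo kdcDhKeyInfo = new KdcDhKeyInfo();
        try {
            kdcDhKeyInfo.decode(signedData.getEncapContentInfo().getContent());
        } catch (IOException e) {
            String message = "failed to decode KdcDhKeyInfo " + e.getMessage();
            LOG.error(message);
            throw new KrbException(message, e);
        }
        BigInteger kdcPublicValue = ((Asn1Integer) KrbCodec.decode(
                kdcDhKeyInfo.getSubjectPublicKey().getValue(), Asn1Integer.class)).getValue();

        DiffieHellmanClient dhClient = requestContext.getDhClient();
        if (dhClient == null) {
            throw new KrbException("Fail to create client key: no DH client state for this request.");
        }
        EncryptionKey asKey;
        try {
            // Rebuild the KDC's public key on our own (p, g) so both sides share the group.
            DHPublicKey kdcPublicKey = PkinitCrypto.createDHPublicKey(
                    dhClient.getDhParam().getP(), dhClient.getDhParam().getG(), kdcPublicValue);
            dhClient.doPhase(kdcPublicKey.getEncoded());
            asKey = dhClient.generateKey(null, null, encryptionType);
        } catch (Exception e) {
            LOG.error("DiffieHellmanClient do parse failed. " + e);
            throw new KrbException("Fail to create client key.", e);
        }
        if (asKey == null) {
            throw new KrbException("Fail to create client key.");
        }
        return asKey;
    }

    /**
     * Retry hook. This plugin never retries: the error pa-data types are logged at
     * debug level and {@code false} is returned. (The original printed them to
     * stdout and could dereference a {@code null} {@code paData}.)
     *
     * @return always {@code false}
     */
    @Override
    public boolean tryAgain(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext,
                            PaDataType paDataType, PaData paData, PaData paData2) {
        if (paData == null) {
            return false;
        }
        if (LOG.isDebugEnabled()) {
            for (Object element : paData.getElements()) {
                LOG.debug("Error pa-data type: {}", ((PaDataEntry) element).getPaDataType());
            }
        }
        return false;
    }

    /**
     * PKINIT is a "real" pre-authentication mechanism.
     *
     * @return flags with {@link PaFlag#PA_REAL} set
     */
    @Override
    public PaFlags getFlags(PaDataType paDataType) {
        PaFlags paFlags = new PaFlags(0);
        paFlags.setFlag(PaFlag.PA_REAL);
        return paFlags;
    }

    /** Wraps the encoded request in a {@code PK_AS_REQ} pre-auth entry. */
    private PaDataEntry makeEntry(PaPkAsReq paPkAsReq) throws KrbException {
        PaDataEntry entry = new PaDataEntry();
        entry.setPaDataType(PaDataType.PK_AS_REQ);
        entry.setPaDataValue(KrbCodec.encode(paPkAsReq));
        return entry;
    }
}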
