package org.apache.geode.security.templates;

import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import org.apache.geode.LogWriter;
import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.logging.internal.log4j.api.LogService;
import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.Authenticator;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:org/apache/geode/security/templates/PKCSAuthenticator.class */
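/**
 * Sample {@link Authenticator} that verifies a client-supplied signature against an X.509
 * certificate looked up by alias in a JKS keystore of public keys.
 *
 * <p>The keystore path is read from {@value #PUBLIC_KEY_FILE} and its (optional) password from
 * {@value #PUBLIC_KEYSTORE_PASSWORD} during {@link #init}. Every X.509 certificate in that
 * keystore is cached by alias; {@link #authenticate} then expects the client to present its alias
 * and a signature over the UTF-8 bytes of that alias.
 *
 * <p>Not thread-safe for concurrent {@code init} calls; the alias map is written only in
 * {@code init} and read afterwards.
 */
public class PKCSAuthenticator implements Authenticator {
    private static final Logger logger = LogService.getLogger();
    /** Property naming the keystore file that holds the trusted client certificates. */
    public static final String PUBLIC_KEY_FILE = "security-publickey-filepath";
    /** Property holding the keystore password; may be absent (see {@link #populateMap}). */
    public static final String PUBLIC_KEYSTORE_PASSWORD = "security-publickey-pass";
    private String pubKeyFilePath;
    private String pubKeyPass;
    // alias -> certificate; only X509Certificate entries are ever stored, so no cast is needed on read
    private Map<String, X509Certificate> aliasCertificateMap;
    private LogWriter systemLogWriter;
    private LogWriter securityLogWriter;

    /**
     * Factory method used by Geode when this class is named in the security configuration.
     *
     * @return a fresh, uninitialised authenticator
     */
    public static Authenticator create() {
        return new PKCSAuthenticator();
    }

    /**
     * Reads the keystore configuration and loads all X.509 certificates from it.
     *
     * @param properties security properties; must contain {@value #PUBLIC_KEY_FILE}
     * @param logWriter system log writer
     * @param logWriter2 security log writer
     * @throws AuthenticationFailedException if the keystore path is missing or the keystore
     *         cannot be read
     */
    public void init(Properties properties, LogWriter logWriter, LogWriter logWriter2)
            throws AuthenticationFailedException {
        this.systemLogWriter = logWriter;
        this.securityLogWriter = logWriter2;
        this.pubKeyFilePath = properties.getProperty(PUBLIC_KEY_FILE);
        if (this.pubKeyFilePath == null) {
            throw new AuthenticationFailedException(
                "PKCSAuthenticator: property security-publickey-filepath not specified as the public key file.");
        }
        this.pubKeyPass = properties.getProperty(PUBLIC_KEYSTORE_PASSWORD);
        this.aliasCertificateMap = new HashMap<>();
        populateMap();
    }

    /**
     * Verifies the client's signature over its alias using the certificate cached for that alias.
     *
     * @param properties credentials sent by the client: {@code PKCSAuthInit.KEYSTORE_ALIAS} (String)
     *        and {@code PKCSAuthInit.SIGNATURE_DATA} (byte[])
     * @param distributedMember the connecting member (unused)
     * @return a {@link PKCSPrincipal} carrying the alias when the signature verifies
     * @throws AuthenticationFailedException if the alias or signature is missing, no certificate
     *         is known for the alias, the signature does not verify, or verification itself fails
     */
    public Principal authenticate(Properties properties, DistributedMember distributedMember)
            throws AuthenticationFailedException {
        String alias = (String) properties.get(PKCSAuthInit.KEYSTORE_ALIAS);
        if (alias == null || alias.isEmpty()) {
            throw new AuthenticationFailedException("No alias received");
        }
        try {
            X509Certificate certificate = getCertificate(alias);
            if (certificate == null) {
                throw newException("No certificate found for alias:" + alias);
            }
            byte[] signatureBytes = (byte[]) properties.get(PKCSAuthInit.SIGNATURE_DATA);
            if (signatureBytes == null) {
                throw newException("signature data property [security-signature] not provided");
            }
            // The certificate's own signature algorithm name is reused as the verification
            // algorithm; this only works when the client signed with that same algorithm.
            Signature verifier = Signature.getInstance(certificate.getSigAlgName());
            verifier.initVerify(certificate);
            // NOTE(review): the signed message is only the alias bytes, with no server-supplied
            // challenge, so this check on its own does not provide replay resistance — confirm
            // that matches the intended threat model before using this template as-is.
            verifier.update(alias.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(signatureBytes)) {
                throw newException("verification of client signature failed");
            }
            return new PKCSPrincipal(alias);
        } catch (AuthenticationFailedException e) {
            // Already carries the standard prefix; rethrow so the message is not wrapped twice.
            throw e;
        } catch (Exception e) {
            throw newException(e.toString(), e);
        }
    }

    /** Nothing to release: the keystore stream is closed in {@link #populateMap}. */
    public void close() {
    }

    /**
     * Loads the JKS keystore at {@code pubKeyFilePath} and caches every X.509 certificate by alias.
     * Non-X.509 entries are ignored.
     *
     * @throws AuthenticationFailedException if the keystore cannot be opened or loaded
     */
    private void populateMap() {
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            // A null password makes KeyStore.load skip the keystore integrity check, so an
            // unset PUBLIC_KEYSTORE_PASSWORD means the file's contents are trusted as-is.
            char[] password = this.pubKeyPass != null ? this.pubKeyPass.toCharArray() : null;
            try (FileInputStream in = new FileInputStream(this.pubKeyFilePath)) {
                keyStore.load(in, password);
            }
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate certificate = keyStore.getCertificate(alias);
                if (certificate instanceof X509Certificate) {
                    this.aliasCertificateMap.put(alias, (X509Certificate) certificate);
                }
            }
        } catch (Exception e) {
            throw new AuthenticationFailedException(
                "Exception while getting public keys: " + e.getMessage(), e);
        }
    }

    /**
     * Builds the standard authentication-failure exception.
     *
     * @param str detail appended to the fixed prefix
     * @param exc root cause, or {@code null} for none
     * @return the exception to throw
     */
    private AuthenticationFailedException newException(String str, Exception exc) {
        String message = "PKCSAuthenticator: Authentication of client failed due to: " + str;
        return exc != null
            ? new AuthenticationFailedException(message, exc)
            : new AuthenticationFailedException(message);
    }

    /**
     * Builds the standard authentication-failure exception without a cause.
     *
     * @param str detail appended to the fixed prefix
     * @return the exception to throw
     */
    private AuthenticationFailedException newException(String str) {
        return newException(str, null);
    }

    /**
     * Looks up the cached certificate for an alias.
     *
     * @param str keystore alias
     * @return the certificate, or {@code null} if the alias is unknown
     */
    private X509Certificate getCertificate(String str) {
        // Only X509Certificate values are ever stored, so a missing key is the only null case.
        return this.aliasCertificateMap.get(str);
    }
}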
