package io.jenkins.cli.shaded.org.apache.sshd.server.auth.pubkey;

import io.jenkins.cli.shaded.org.apache.sshd.common.NamedFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.NamedResource;
import io.jenkins.cli.shaded.org.apache.sshd.common.RuntimeSshException;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.OpenSshCertificate;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.Signature;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.SignatureFactoriesManager;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.GenericUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.Buffer;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.BufferUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import io.jenkins.cli.shaded.org.apache.sshd.server.auth.AbstractUserAuth;
import io.jenkins.cli.shaded.org.apache.sshd.server.session.ServerSession;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.List;

/* loaded from: input_file:WEB-INF/lib/cli-2.446-rc34653.7a_0c33d71b_8e.jar:io/jenkins/cli/shaded/org/apache/sshd/server/auth/pubkey/UserAuthPublicKey.class */
/**
 * Server-side handler for the SSH {@code "publickey"} user authentication method.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The session's {@code PublickeyAuthenticator} is consulted <em>before</em> the client's
 *       signature is verified, so {@code authenticate()} is called with a key whose possession
 *       has not yet been proven. An authenticator must only answer "is this key acceptable for
 *       this user" and must not treat the call itself as a completed login.</li>
 *   <li>For OpenSSH certificates only the type, the validity (via {@code isValidNow}) and the
 *       principal list are checked here. A certificate with an empty principal list passes for
 *       any username, and no check of the certificate's CA signature or of the trust in its
 *       signer is visible in this class. NOTE(review): confirm that the configured
 *       authenticator (or another layer) enforces CA trust.</li>
 *   <li>A failed signature check raises {@link SignatureException} instead of returning
 *       {@code Boolean.FALSE}.</li>
 * </ul>
 */
public class UserAuthPublicKey extends AbstractUserAuth implements SignatureFactoriesManager {
    public static final String NAME = "publickey";

    // SSH message numbers (RFC 4252): the request being signed and the "key acceptable" reply.
    private static final byte SSH_MSG_USERAUTH_REQUEST = 50;
    private static final byte SSH_MSG_USERAUTH_PK_OK = 60;

    // Signature factories set on this instance; may be null (the no-arg constructor passes null).
    private List<NamedFactory<Signature>> factories;

    /** Creates the handler without instance-specific signature factories. */
    public UserAuthPublicKey() {
        this(null);
    }

    /**
     * Creates the handler with the given signature factories.
     *
     * @param list signature factories to use for verification; may be {@code null}
     */
    public UserAuthPublicKey(List<NamedFactory<Signature>> list) {
        super(NAME);
        this.factories = list;
    }

    /**
     * Declared in {@code SignatureFactoriesHolder}.
     *
     * @return the factories set on this instance, possibly {@code null}
     */
    @Override
    public List<NamedFactory<Signature>> getSignatureFactories() {
        return factories;
    }

    /**
     * Declared in {@code SignatureFactoriesManager}.
     *
     * @param list the factories to use from now on; stored as given, without copying
     */
    @Override
    public void setSignatureFactories(List<NamedFactory<Signature>> list) {
        factories = list;
    }

    /**
     * Processes one {@code publickey} authentication request (declared in
     * {@code AbstractUserAuth}).
     *
     * <p>The request payload is read from {@code buffer} in this order: a boolean telling whether
     * a signature is attached, the algorithm name, a length-prefixed public key blob and, when
     * the boolean is set, the signature bytes.
     *
     * @param buffer request payload positioned at the "has signature" boolean
     * @param z      must be {@code true}; otherwise the call is rejected as "Instance not initialized"
     * @return {@code Boolean.TRUE} when the key is accepted and the signature verifies;
     *         {@code Boolean.FALSE} when no authenticator is configured or it rejects the key;
     *         {@code null} after an {@code SSH_MSG_USERAUTH_PK_OK} reply was sent for a request
     *         without signature (presumably "undecided" for the caller, which is outside this file)
     * @throws IndexOutOfBoundsException if the declared key blob length is negative or exceeds the
     *                                   remaining payload
     * @throws CertificateException      if an OpenSSH certificate fails the checks done here
     * @throws SignatureException        if the signature does not verify
     * @throws RuntimeSshException       wrapping any {@link Error} raised inside the
     *                                   authenticate/verify section
     */
    @Override
    public Boolean doAuth(Buffer buffer, boolean z) throws Exception {
        ValidateUtils.checkTrue(z, "Instance not initialized");

        ServerSession session = getServerSession();
        String user = getUsername();

        boolean hasSignature = buffer.getBoolean();
        String algorithm = buffer.getString();

        // Remember the original limits: the key blob is parsed through a narrowed window and the
        // same raw bytes are needed again later (PK_OK reply, signed data).
        int savedWpos = buffer.wpos();
        int keyFieldStart = buffer.rpos();
        int keyBlobLength = buffer.getInt();
        int remaining = buffer.available();

        // The value checked here is the key blob length; the messages call it "signature length".
        if (keyBlobLength < 0 || keyBlobLength > remaining) {
            log.error("doAuth({}@{}) illogical algorithm={} signature length ({}) when remaining={}",
                    user, session, algorithm, Integer.valueOf(keyBlobLength), Integer.valueOf(remaining));
            throw new IndexOutOfBoundsException(
                    "Illogical signature length (" + keyBlobLength + ") for algorithm=" + algorithm);
        }

        // Length prefix (4 bytes) plus blob: the exact byte range that holds the key field.
        int keyFieldLength = 4 + keyBlobLength;

        // Restrict the readable region to the blob so key parsing cannot run into the signature.
        buffer.wpos(buffer.rpos() + keyBlobLength);
        PublicKey key = buffer.getRawPublicKey();

        if (key instanceof OpenSshCertificate) {
            checkUserCertificate((OpenSshCertificate) key, user, session);
        }

        Collection availableFactories = ValidateUtils.checkNotNullAndNotEmpty(
                SignatureFactoriesManager.resolveSignatureFactories(this, session),
                "No signature factories for session=%s", session);

        boolean debugEnabled = log.isDebugEnabled();
        if (debugEnabled) {
            log.debug("doAuth({}@{}) verify key type={}, factories={}, fingerprint={}",
                    user, session, algorithm, NamedResource.getNames(availableFactories), KeyUtils.getFingerPrint(key));
        }

        // The verifier is selected by the client-supplied algorithm name, but only among the
        // factories resolved for this session.
        Signature verifier = (Signature) ValidateUtils.checkNotNull(
                (Signature) NamedFactory.create(availableFactories, algorithm),
                "No verifier located for algorithm=%s", algorithm);
        verifier.initVerifier(session, key);

        // Re-open the full payload so the signature (if any) can be read.
        buffer.wpos(savedWpos);
        byte[] signatureBytes = null;
        if (hasSignature) {
            signatureBytes = buffer.getBytes();
        }

        PublickeyAuthenticator authenticator = session.getPublickeyAuthenticator();
        if (authenticator == null) {
            if (debugEnabled) {
                log.debug("doAuth({}@{}) key type={}, fingerprint={} - no authenticator",
                        user, session, algorithm, KeyUtils.getFingerPrint(key));
            }
            return Boolean.FALSE;
        }

        try {
            // Called before the signature is checked: possession of the key is not proven yet.
            boolean accepted = authenticator.authenticate(user, key, session);
            if (debugEnabled) {
                log.debug("doAuth({}@{}) key type={}, fingerprint={} - authentication result: {}",
                        user, session, algorithm, KeyUtils.getFingerPrint(key), Boolean.valueOf(accepted));
            }
            if (!accepted) {
                return Boolean.FALSE;
            }

            if (!hasSignature) {
                // Query only: echo algorithm and key field back, no decision is made yet.
                sendPublicKeyResponse(
                        session, user, algorithm, key, buffer.array(), keyFieldStart, keyFieldLength, buffer);
                return null;
            }

            // Point the buffer at the length-prefixed key field; it is part of the signed data.
            buffer.rpos(keyFieldStart);
            buffer.wpos(keyFieldStart + keyFieldLength);
            if (!verifySignature(session, user, algorithm, key, buffer, verifier, signatureBytes)) {
                throw new SignatureException("Key verification failed");
            }

            if (debugEnabled) {
                log.debug("doAuth({}@{}) key type={}, fingerprint={} - verified",
                        user, session, algorithm, KeyUtils.getFingerPrint(key));
            }
            return Boolean.TRUE;
        } catch (Error e) {
            warn("doAuth({}@{}) failed ({}) to consult delegate for {} key={}: {}",
                    user, session, e.getClass().getSimpleName(), algorithm, KeyUtils.getFingerPrint(key), e.getMessage(), e);
            throw new RuntimeSshException(e);
        }
    }

    /**
     * Applies the certificate checks this class performs: type must be USER, the certificate must
     * pass {@code isValidNow}, and a non-empty principal list must contain the username.
     *
     * <p>An empty principal list is accepted for every username. The CA signature and the trust
     * in the signing key are not examined here.
     *
     * @throws CertificateException if one of the checks fails (logged through {@code warn} first)
     */
    private void checkUserCertificate(OpenSshCertificate cert, String user, ServerSession session) throws Exception {
        try {
            if (!OpenSshCertificate.Type.USER.equals(cert.getType())) {
                throw new CertificateException("not a user certificate");
            }
            if (!OpenSshCertificate.isValidNow(cert)) {
                throw new CertificateException("expired");
            }
            Collection<String> principals = cert.getPrincipals();
            boolean restrictedToPrincipals = !GenericUtils.isEmpty((Collection<?>) principals);
            if (restrictedToPrincipals && !principals.contains(user)) {
                throw new CertificateException("not valid for the given username");
            }
        } catch (CertificateException e) {
            warn("doAuth({}@{}): public key certificate (id={}) is not valid: {}",
                    user, session, cert.getId(), e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Rebuilds the data the client is expected to have signed and checks the signature over it.
     *
     * <p>The data is assembled as: session id, message type 50 (SSH_MSG_USERAUTH_REQUEST),
     * username, service name, method name, boolean {@code true}, algorithm name, then the content
     * of {@code buffer} (doAuth positions it on the length-prefixed key field). Binding the
     * session id into the signed data is what ties a signature to this one session.
     *
     * <p>With trace logging enabled the complete signed data, including the session id, and the
     * received signature are written to the log in hex.
     *
     * @param serverSession session the request belongs to
     * @param str           username
     * @param str2          signature algorithm name
     * @param publicKey     key being verified (used here for log fingerprints only)
     * @param buffer        buffer whose readable bytes are appended as the key field
     * @param signature     verifier already initialised with the key
     * @param bArr          signature bytes received from the client
     * @return the result of {@code signature.verify}
     */
    protected boolean verifySignature(ServerSession serverSession, String str, String str2, PublicKey publicKey, Buffer buffer, Signature signature, byte[] bArr) throws Exception {
        byte[] sessionId = serverSession.getSessionId();
        String service = getService();
        String method = getName();

        // Initial size only; the extra 256 + 64 leaves room for the key field and length prefixes.
        int initialSize = sessionId.length + str.length() + service.length() + method.length() + str2.length() + 256 + 64;
        ByteArrayBuffer signedData = new ByteArrayBuffer(initialSize, false);
        signedData.putBytes(sessionId);
        signedData.putByte(SSH_MSG_USERAUTH_REQUEST);
        signedData.putString(str);
        signedData.putString(service);
        signedData.putString(method);
        signedData.putBoolean(true);
        signedData.putString(str2);
        signedData.putBuffer(buffer);

        if (log.isTraceEnabled()) {
            log.trace("verifySignature({}@{})[{}][{}] key type={}, fingerprint={} - verification data={}",
                    str, serverSession, service, method, str2, KeyUtils.getFingerPrint(publicKey), signedData.toHex());
            log.trace("verifySignature({}@{})[{}][{}] key type={}, fingerprint={} - expected signature={}",
                    str, serverSession, service, method, str2, KeyUtils.getFingerPrint(publicKey), BufferUtils.toHex(bArr));
        }

        signature.update(serverSession, signedData.array(), signedData.rpos(), signedData.available());
        return signature.verify(serverSession, bArr);
    }

    /**
     * Replies to a signature-less request with message type 60 (SSH_MSG_USERAUTH_PK_OK), echoing
     * the algorithm name and the raw key field back to the client.
     *
     * @param serverSession session to write the reply to
     * @param str           username (logging only)
     * @param str2          algorithm name to echo
     * @param publicKey     key from the request (logging only)
     * @param bArr          array holding the raw key field
     * @param i             offset of the key field in {@code bArr}
     * @param i2            length of the key field, including its 4-byte length prefix
     * @param buffer        original request buffer; not used by this implementation
     */
    protected void sendPublicKeyResponse(ServerSession serverSession, String str, String str2, PublicKey publicKey, byte[] bArr, int i, int i2, Buffer buffer) throws Exception {
        if (log.isDebugEnabled()) {
            log.debug("doAuth({}@{}) send SSH_MSG_USERAUTH_PK_OK for key type={}, fingerprint={}",
                    str, serverSession, str2, KeyUtils.getFingerPrint(publicKey));
        }

        int sizeHint = GenericUtils.length(str2) + i2 + 32;
        Buffer reply = serverSession.createBuffer(SSH_MSG_USERAUTH_PK_OK, sizeHint);
        reply.putString(str2);
        reply.putRawBytes(bArr, i, i2);
        serverSession.writePacket(reply);
    }
}
