package io.jenkins.cli.shaded.org.apache.sshd.client.kex;

import io.jenkins.cli.shaded.org.apache.sshd.client.session.AbstractClientSession;
import io.jenkins.cli.shaded.org.apache.sshd.common.NamedFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.SshException;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.OpenSshCertificate;
import io.jenkins.cli.shaded.org.apache.sshd.common.kex.AbstractDH;
import io.jenkins.cli.shaded.org.apache.sshd.common.kex.DHFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.kex.KexProposalOption;
import io.jenkins.cli.shaded.org.apache.sshd.common.kex.KeyExchange;
import io.jenkins.cli.shaded.org.apache.sshd.common.kex.KeyExchangeFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.session.Session;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.Signature;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.GenericUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.Buffer;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.net.SshdSocketAddress;
import io.jenkins.cli.shaded.org.apache.sshd.core.CoreModuleProperties;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Objects;

/* loaded from: input_file:WEB-INF/lib/cli-2.395-rc33425.a_4447db_3d88f.jar:io/jenkins/cli/shaded/org/apache/sshd/client/kex/DHGClient.class */
/**
 * Client side of a fixed-group Diffie-Hellman SSH key exchange (the two-message
 * SSH_MSG_KEXDH_INIT / SSH_MSG_KEXDH_REPLY round trip described in RFC 4253 section 8).
 * <p>
 * The DH group and its associated hash come from the {@link DHFactory} given at construction.
 * {@link #init} sends the client's public value e; {@link #next} consumes the server's reply,
 * derives the shared secret K, computes the exchange hash H and verifies the server's signature
 * over H with the host key (or certificate) the server presented.
 * <p>
 * This listing is decompiled from a shaded copy of Apache MINA SSHD: the bare numeric literals
 * below are SSH protocol constants that the decompiler inlined (see the comments next to them),
 * and {@code DHFactory.this} in the anonymous factory is the decompiler's rendering of the
 * captured {@code dHFactory} argument.
 * <p>
 * Not thread-safe: one instance serves exactly one key exchange of one session.
 */
public class DHGClient extends AbstractDHClientKeyExchange {
    /** Supplies the DH group (and its hash) this exchange runs on; never {@code null}. */
    protected final DHFactory factory;
    /** Per-exchange DH state (e, f, K); created in {@link #init}, consumed in {@link #next}. */
    protected AbstractDH dh;

    /**
     * @param dHFactory the DH group factory this exchange runs on
     * @param session   the session the exchange belongs to
     * @throws NullPointerException if {@code dHFactory} is {@code null}
     */
    protected DHGClient(DHFactory dHFactory, Session session) {
        super(session);
        this.factory = (DHFactory) Objects.requireNonNull(dHFactory, "No factory");
    }

    /** Returns the group factory's name as the name of this key-exchange method. */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.NamedResource
    public final String getName() {
        return this.factory.getName();
    }

    /**
     * Wraps a {@link DHFactory} as a {@link KeyExchangeFactory} that produces {@code DHGClient}
     * instances bound to the given session.
     *
     * @param dHFactory the DH group factory every created exchange will use
     * @return a factory whose name is {@code dHFactory.getName()}
     */
    public static KeyExchangeFactory newFactory(final DHFactory dHFactory) {
        return new KeyExchangeFactory() { // from class: io.jenkins.cli.shaded.org.apache.sshd.client.kex.DHGClient.1
            @Override // io.jenkins.cli.shaded.org.apache.sshd.common.NamedResource
            public String getName() {
                return DHFactory.this.getName();
            }

            @Override // io.jenkins.cli.shaded.org.apache.sshd.common.kex.KeyExchangeFactory
            public KeyExchange createKeyExchange(Session session) throws Exception {
                return new DHGClient(DHFactory.this, session);
            }

            // Diagnostic form only, e.g. "NamedFactory<KeyExchange>[<name>]".
            public String toString() {
                return NamedFactory.class.getSimpleName() + "<" + KeyExchange.class.getSimpleName() + ">[" + getName() + "]";
            }
        };
    }

    /**
     * Starts the exchange: stores the version strings and KEXINIT payloads via the superclass,
     * creates the DH state and hash, and sends SSH_MSG_KEXDH_INIT carrying the client value e.
     *
     * @param bArr  client version string (V_C)
     * @param bArr2 server version string (V_S)
     * @param bArr3 client KEXINIT payload (I_C)
     * @param bArr4 server KEXINIT payload (I_S)
     * @throws Exception if DH/hash setup fails or the packet cannot be written
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.kex.dh.AbstractDHKeyExchange, io.jenkins.cli.shaded.org.apache.sshd.common.kex.KeyExchange
    public void init(byte[] bArr, byte[] bArr2, byte[] bArr3, byte[] bArr4) throws Exception {
        super.init(bArr, bArr2, bArr3, bArr4);
        this.dh = getDH();
        // The hash used for H is dictated by the DH group (e.g. group14-sha256), not chosen here.
        this.hash = this.dh.getHash();
        this.hash.init();
        // updateE() is inherited; it records e so next() can feed the same bytes into H.
        byte[] updateE = updateE(this.dh.getE());
        Session session = getSession2();
        if (this.log.isDebugEnabled()) {
            this.log.debug("init({})[{}] Send SSH_MSG_KEXDH_INIT", this, session);
        }
        // 30 == SSH_MSG_KEXDH_INIT (inlined by the decompiler); "+ 32" is slack for the mpint framing.
        Buffer createBuffer = session.createBuffer((byte) 30, updateE.length + 32);
        this.dh.putE(createBuffer, updateE);
        session.writePacket(createBuffer);
    }

    /**
     * Creates the DH state for this exchange from the factory. Override point for subclasses
     * that need a differently-parameterised DH instance.
     *
     * @throws Exception if the factory cannot create the DH instance
     */
    protected AbstractDH getDH() throws Exception {
        return this.factory.create(new Object[0]);
    }

    /**
     * Processes the server's SSH_MSG_KEXDH_REPLY. Field order in the packet (RFC 4253 section 8)
     * is: host key blob K_S, server value f, signature of H — read in that order below.
     * <p>
     * Security-relevant decisions made here:
     * <ul>
     * <li>the signature algorithm is taken from the <em>negotiated</em> SERVERKEYS proposal, not
     *     from anything inside the received key blob;</li>
     * <li>if K_S is an OpenSSH certificate, {@link #verifyCertificate} is run first; on failure
     *     the exchange aborts only when {@code ABORT_ON_INVALID_CERTIFICATE} is set, otherwise
     *     the certificate's embedded key is used as a plain host key and is what gets recorded
     *     as the server key (so host-key acceptance falls back to that plain key);</li>
     * <li>H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K) and the signature over H is
     *     checked before the server key is stored.</li>
     * </ul>
     *
     * @param i      the received SSH message opcode
     * @param buffer the packet payload positioned after the opcode
     * @return {@code true} — the exchange is complete after this single reply
     * @throws SshException on an unexpected opcode, unsupported key type, invalid certificate
     *                      (when aborting is enabled) or signature verification failure
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.kex.KeyExchange
    public boolean next(int i, Buffer buffer) throws Exception {
        AbstractClientSession clientSession = getClientSession();
        if (this.log.isDebugEnabled()) {
            this.log.debug("next({})[{}] process command={}", this, clientSession, KeyExchange.getSimpleKexOpcodeName(i));
        }
        // 31 == SSH_MSG_KEXDH_REPLY; 3 == SSH disconnect reason KEY_EXCHANGE_FAILED (RFC 4253 section 11.1).
        if (i != 31) {
            throw new SshException(3, "Protocol error: expected packet SSH_MSG_KEXDH_REPLY, got " + KeyExchange.getSimpleKexOpcodeName(i));
        }
        byte[] bytes = buffer.getBytes();      // K_S: encoded server host key (or certificate)
        byte[] updateF = updateF(buffer);      // f: server's DH public value
        byte[] bytes2 = buffer.getBytes();     // signature over the exchange hash H
        this.dh.setF(updateF);
        this.k = this.dh.getK();
        PublicKey rawPublicKey = new ByteArrayBuffer(bytes).getRawPublicKey();
        // publicKey is what verifies the signature; rawPublicKey is what gets stored as the server key.
        PublicKey publicKey = rawPublicKey;
        if (rawPublicKey instanceof OpenSshCertificate) {
            OpenSshCertificate openSshCertificate = (OpenSshCertificate) rawPublicKey;
            publicKey = openSshCertificate.getCertPubKey();
            try {
                verifyCertificate(clientSession, openSshCertificate);
            } catch (SshException e) {
                if (CoreModuleProperties.ABORT_ON_INVALID_CERTIFICATE.getRequired(clientSession).booleanValue()) {
                    throw e;
                }
                // Lenient mode: demote the certificate to its embedded key; the certificate's
                // CA chain is no longer part of the host identity being accepted.
                rawPublicKey = openSshCertificate.getCertPubKey();
                this.log.info("Ignoring invalid certificate {}", openSshCertificate.getId(), e);
            }
        }
        String negotiatedKexParameter = clientSession.getNegotiatedKexParameter(KexProposalOption.SERVERKEYS);
        if (GenericUtils.isEmpty(negotiatedKexParameter)) {
            throw new SshException("Unsupported server key type: " + publicKey.getAlgorithm() + "[" + publicKey.getFormat() + "]");
        }
        // Exchange hash input, in exactly the RFC 4253 section 8 order; K_S is the blob as received.
        ByteArrayBuffer byteArrayBuffer = new ByteArrayBuffer();
        byteArrayBuffer.putBytes(this.v_c);
        byteArrayBuffer.putBytes(this.v_s);
        byteArrayBuffer.putBytes(this.i_c);
        byteArrayBuffer.putBytes(this.i_s);
        byteArrayBuffer.putBytes(bytes);
        this.dh.putE(byteArrayBuffer, getE());
        this.dh.putF(byteArrayBuffer, updateF);
        byteArrayBuffer.putMPInt(this.k);
        this.hash.update(byteArrayBuffer.array(), 0, byteArrayBuffer.available());
        this.h = this.hash.digest();
        // Fail closed if no verifier is registered for the negotiated algorithm.
        Signature signature = (Signature) ValidateUtils.checkNotNull((Signature) NamedFactory.create(clientSession.getSignatureFactories(), negotiatedKexParameter), "No verifier located for algorithm=%s", negotiatedKexParameter);
        signature.initVerifier(clientSession, publicKey);
        signature.update(clientSession, this.h);
        if (!signature.verify(clientSession, bytes2)) {
            throw new SshException(3, "KeyExchange signature verification failed for key type=" + negotiatedKexParameter);
        }
        // Only reached after the signature over H checked out.
        clientSession.setServerKey(rawPublicKey);
        return true;
    }

    /**
     * Validates an OpenSSH host certificate presented as the server key. Every check throws
     * {@link SshException} with disconnect reason 3 (key exchange failed); passing all of them
     * means: the CA signature is valid and uses an RSA-family algorithm, the certificate is of
     * type HOST, it is within its validity window, the host we connected to is among its
     * principals, and it carries no critical options.
     * <p>
     * Notes for reviewers:
     * <ul>
     * <li>only signature algorithms whose canonical type is {@code ssh-rsa} are accepted, so
     *     certificates signed by non-RSA CAs are rejected at the first check;</li>
     * <li>the CA key type ({@code keyType}) is only logged, not compared with the signature
     *     algorithm — a mismatch is presumably caught by {@code initVerifier}/{@code verify}
     *     (TODO confirm in the Signature implementation);</li>
     * <li>unrecognised critical options are rejected outright, as the certificate format requires;</li>
     * <li>the principal check uses the connect address's host string, i.e. whatever the caller
     *     connected with (hostname or IP literal) — presumably not a reverse-resolved name; verify
     *     against the session's connect-address construction.</li>
     * </ul>
     *
     * @param session            the session the certificate was received on
     * @param openSshCertificate the certificate to validate
     * @throws SshException if any certificate check fails
     * @throws Exception    if the signature verifier cannot be created or used
     */
    protected void verifyCertificate(Session session, OpenSshCertificate openSshCertificate) throws Exception {
        PublicKey caPubKey = openSshCertificate.getCaPubKey();
        String keyType = KeyUtils.getKeyType(caPubKey);
        String id = openSshCertificate.getId();
        String signatureAlgorithm = openSshCertificate.getSignatureAlgorithm();
        // Accept only RSA-family CA signatures (ssh-rsa and its canonicalised variants).
        if (GenericUtils.isEmpty(signatureAlgorithm) || !"ssh-rsa".equals(KeyUtils.getCanonicalKeyType(signatureAlgorithm))) {
            throw new SshException(3, "Found invalid signature alg " + signatureAlgorithm + " for key ID=" + id);
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("verifyCertificate({})[id={}] Allowing to use variant {} instead of {}", session, id, signatureAlgorithm, keyType);
        }
        // The CA signature covers the certificate's to-be-signed message; verify it with the CA key.
        Signature signature = (Signature) ValidateUtils.checkNotNull((Signature) NamedFactory.create(session.getSignatureFactories(), signatureAlgorithm), "No KeyExchange CA verifier located for algorithm=%s of key ID=%s", signatureAlgorithm, id);
        signature.initVerifier(session, caPubKey);
        signature.update(session, openSshCertificate.getMessage());
        if (!signature.verify(session, openSshCertificate.getSignature())) {
            throw new SshException(3, "KeyExchange CA signature verification failed for key type=" + signatureAlgorithm + " of key ID=" + id);
        }
        // A user certificate must not be accepted as a host identity.
        if (!OpenSshCertificate.Type.HOST.equals(openSshCertificate.getType())) {
            throw new SshException(3, "KeyExchange signature verification failed, not a host key (2) " + openSshCertificate.getType() + " for key ID=" + id);
        }
        // Validity window check; relies on the local clock being reasonably correct.
        if (!OpenSshCertificate.isValidNow(openSshCertificate)) {
            throw new SshException(3, "KeyExchange signature verification failed, CA expired for key ID=" + id);
        }
        // Bind the certificate to the host we actually connected to.
        SocketAddress connectAddress = getClientSession().getConnectAddress();
        if (connectAddress instanceof SshdSocketAddress) {
            connectAddress = ((SshdSocketAddress) connectAddress).toInetSocketAddress();
        }
        if (!(connectAddress instanceof InetSocketAddress)) {
            throw new SshException(3, "KeyExchange signature verification failed, could not determine connect host for key ID=" + id);
        }
        String hostString = ((InetSocketAddress) connectAddress).getHostString();
        Collection<String> principals = openSshCertificate.getPrincipals();
        // A certificate with no principals is rejected rather than treated as a wildcard.
        if (GenericUtils.isEmpty((Collection<?>) principals) || !principals.contains(hostString)) {
            throw new SshException(3, "KeyExchange signature verification failed, invalid principal " + hostString + " for key ID=" + id + " - allowed=" + principals);
        }
        // No critical options are understood here, so any present one is a reason to refuse.
        if (!GenericUtils.isEmpty((Collection<?>) openSshCertificate.getCriticalOptions())) {
            throw new SshException(3, "KeyExchange signature verification failed, unrecognized critical options " + openSshCertificate.getCriticalOptions() + " for key ID=" + id);
        }
    }
}
