package io.jenkins.cli.shaded.org.apache.sshd.client.auth.pubkey;

import io.jenkins.cli.shaded.org.apache.sshd.client.auth.AbstractUserAuth;
import io.jenkins.cli.shaded.org.apache.sshd.client.auth.keyboard.UserInteraction;
import io.jenkins.cli.shaded.org.apache.sshd.client.session.ClientSession;
import io.jenkins.cli.shaded.org.apache.sshd.common.AttributeRepository;
import io.jenkins.cli.shaded.org.apache.sshd.common.NamedFactory;
import io.jenkins.cli.shaded.org.apache.sshd.common.RuntimeSshException;
import io.jenkins.cli.shaded.org.apache.sshd.common.SshConstants;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.KeyUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.config.keys.OpenSshCertificate;
import io.jenkins.cli.shaded.org.apache.sshd.common.kex.extension.DefaultClientKexExtensionHandler;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.Signature;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.SignatureFactoriesHolder;
import io.jenkins.cli.shaded.org.apache.sshd.common.signature.SignatureFactoriesManager;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.GenericUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.ValidateUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.Buffer;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.BufferUtils;
import io.jenkins.cli.shaded.org.apache.sshd.common.util.buffer.ByteArrayBuffer;
import java.io.Closeable;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Collection;
import java.util.Deque;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/* loaded from: input_file:WEB-INF/lib/cli-2.457.jar:io/jenkins/cli/shaded/org/apache/sshd/client/auth/pubkey/UserAuthPublicKey.class */
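/**
 * Client side of the SSH {@code publickey} user authentication method.
 *
 * <p>The exchange visible in this class has two steps per key/algorithm pair:
 * <ol>
 * <li>{@link #sendAuthDataRequest} offers a public key without a signature
 * ({@code SSH_MSG_USERAUTH_REQUEST} with the boolean set to {@code false});</li>
 * <li>{@link #processAuthDataRequest} handles the server's {@code SSH_MSG_USERAUTH_PK_OK},
 * checks that the echoed key is the one that was offered, and sends the signed request.</li>
 * </ol>
 *
 * <p>Mutable state ({@link #keys}, {@link #current}, {@link #currentAlgorithms},
 * {@link #chosenAlgorithm}) is not synchronized in this class.
 */
public class UserAuthPublicKey extends AbstractUserAuth implements SignatureFactoriesManager {
    /** Name of this authentication method as written into the request packet. */
    public static final String NAME = "publickey";

    // NOTE(review): neither attribute key below is read in this class; presumably they are
    // consumed by the key iterator created in createPublicKeyIterator - confirm there.
    public static final AttributeRepository.AttributeKey<Boolean> USE_DEFAULT_IDENTITIES = new AttributeRepository.AttributeKey<>();
    public static final AttributeRepository.AttributeKey<String> IDENTITY_AGENT = new AttributeRepository.AttributeKey<>();

    /** Method name used instead of {@link #NAME} when host-bound authentication is active. */
    private static final String HOSTBOUND_NAME = "publickey-hostbound-v00@openssh.com";

    /** Signature algorithms still untried for {@link #current}, in preference order. */
    protected final Deque<String> currentAlgorithms;
    /** Remaining identities to offer; may also be {@link Closeable} (see {@link #releaseKeys()}). */
    protected Iterator<PublicKeyIdentity> keys;
    /** Identity used by the request that is currently in flight, or {@code null}. */
    protected PublicKeyIdentity current;
    /** Signature factories configured on this instance; may be {@code null}. */
    protected List<NamedFactory<Signature>> factories;
    /** Signature algorithm sent with the last request for {@link #current}. */
    protected String chosenAlgorithm;

    /** Creates an instance without its own signature factories. */
    public UserAuthPublicKey() {
        this(null);
    }

    /**
     * @param list signature factories to prefer over the session's; may be {@code null}
     */
    public UserAuthPublicKey(List<NamedFactory<Signature>> list) {
        super(NAME);
        this.currentAlgorithms = new LinkedList<>();
        this.factories = list;
        setCancellable(true);
    }

    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.signature.SignatureFactoriesHolder
    public List<NamedFactory<Signature>> getSignatureFactories() {
        return this.factories;
    }

    @Override // io.jenkins.cli.shaded.org.apache.sshd.common.signature.SignatureFactoriesManager
    public void setSignatureFactories(List<NamedFactory<Signature>> list) {
        this.factories = list;
    }

    /**
     * Resets per-attempt state and builds the iterator over candidate identities.
     *
     * @throws RuntimeSshException if creating the iterator fails with an {@link Error};
     *                             other exceptions propagate unchanged
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.client.auth.AbstractUserAuth, io.jenkins.cli.shaded.org.apache.sshd.client.auth.UserAuth
    public void init(ClientSession clientSession, String str) throws Exception {
        super.init(clientSession, str);
        // Drop (and close) any iterator left over from an earlier init.
        releaseKeys();
        try {
            this.keys = createPublicKeyIterator(clientSession, this);
        } catch (Error e) {
            warn("init({})[{}] failed ({}) to initialize session keys: {}", clientSession, str, e.getClass().getSimpleName(), e.getMessage(), e);
            throw new RuntimeSshException(e);
        }
    }

    /** Extension point: supplies the identities that will be offered, in order. */
    protected Iterator<PublicKeyIdentity> createPublicKeyIterator(ClientSession clientSession, SignatureFactoriesManager signatureFactoriesManager) throws Exception {
        return new UserAuthPublicKeyIterator(clientSession, signatureFactoriesManager);
    }

    /**
     * Sends the unsigned "may I use this key?" request for the next key/algorithm pair.
     *
     * <p>After a failed attempt the next untried algorithm of the same key is used, unless the
     * server had listed the failed algorithm in its {@code SERVER_ALGORITHMS} attribute; in that
     * case the remaining algorithms of that key are abandoned and the next key is taken.
     *
     * @param str the requested service name
     * @return {@code true} if a request was written, {@code false} when no identity is left
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.client.auth.AbstractUserAuth
    protected boolean sendAuthDataRequest(ClientSession clientSession, String str) throws Exception {
        boolean debugEnabled = this.log.isDebugEnabled();
        // null means "advance to the next key"; non-null means "retry current key with this algorithm".
        String algorithm = null;
        if (this.current == null) {
            this.currentAlgorithms.clear();
            this.chosenAlgorithm = null;
        } else if (!this.currentAlgorithms.isEmpty()) {
            algorithm = this.currentAlgorithms.poll();
            if (this.chosenAlgorithm != null) {
                Set<?> serverAlgorithms = (Set<?>) clientSession.getAttribute(DefaultClientKexExtensionHandler.SERVER_ALGORITHMS);
                if (serverAlgorithms != null && serverAlgorithms.contains(this.chosenAlgorithm)) {
                    // The server accepts this algorithm yet refused the key, so trying the
                    // same key with another algorithm is pointless.
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("sendAuthDataRequest({})[{}] server rejected publickey authentication with known signature algorithm {}", clientSession, str, this.chosenAlgorithm);
                    }
                    algorithm = null;
                }
            }
        }
        PublicKeyAuthenticationReporter reporter = clientSession.getPublicKeyAuthenticationReporter();
        KeyPair keyIdentity;
        PublicKey publicKey;
        do {
            if (algorithm == null) {
                try {
                    this.current = resolveAttemptedPublicKeyIdentity(clientSession, str, reporter);
                    this.currentAlgorithms.clear();
                    this.chosenAlgorithm = null;
                    if (this.current == null) {
                        if (debugEnabled) {
                            this.log.debug("resolveAttemptedPublicKeyIdentity({})[{}] no more keys to send", clientSession, str);
                        }
                        if (reporter != null) {
                            reporter.signalAuthenticationExhausted(clientSession, str);
                        }
                        return false;
                    }
                } catch (Error e) {
                    warn("sendAuthDataRequest({})[{}] failed ({}) to get next key: {}", clientSession, str, e.getClass().getSimpleName(), e.getMessage(), e);
                    throw new RuntimeSshException(e);
                }
            }
            if (this.log.isTraceEnabled()) {
                this.log.trace("sendAuthDataRequest({})[{}] current key details: {}", clientSession, str, this.current);
            }
            try {
                keyIdentity = this.current.getKeyIdentity();
                publicKey = keyIdentity.getPublic();
                if (algorithm == null) {
                    String keyType = KeyUtils.getKeyType(publicKey);
                    // Key type plus its equivalents, matched case-insensitively against factory names.
                    Set<String> aliases = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
                    aliases.addAll(KeyUtils.getAllEquivalentKeyTypes(keyType));
                    aliases.add(keyType);
                    // Factory precedence: the identity's own, then this instance's, then the session's.
                    List<NamedFactory<Signature>> candidates = null;
                    if (this.current instanceof SignatureFactoriesHolder) {
                        candidates = ((SignatureFactoriesHolder) this.current).getSignatureFactories();
                    }
                    if (GenericUtils.isEmpty((Collection<?>) candidates)) {
                        candidates = getSignatureFactories();
                    }
                    if (GenericUtils.isEmpty((Collection<?>) candidates)) {
                        candidates = clientSession.getSignatureFactories();
                    }
                    if (candidates != null) {
                        for (NamedFactory<Signature> factory : candidates) {
                            String factoryName = factory.getName();
                            if (aliases.contains(factoryName)) {
                                this.currentAlgorithms.add(factoryName);
                            }
                        }
                    }
                    algorithm = this.currentAlgorithms.poll();
                    if (GenericUtils.isEmpty(algorithm)) {
                        algorithm = getDefaultSignatureAlgorithm(clientSession, str, this.current, keyIdentity, keyType);
                        if (GenericUtils.isEmpty(algorithm)) {
                            // No usable algorithm for this key: report it and loop on to the next key.
                            algorithm = null;
                            if (debugEnabled) {
                                this.log.debug("sendAuthDataRequest({})[{}] skipping {} key {}; no signature algorithm", clientSession, str, keyType, KeyUtils.getFingerPrint(publicKey));
                            }
                            if (reporter != null) {
                                reporter.signalIdentitySkipped(clientSession, str, keyIdentity);
                            }
                        }
                    }
                }
            } catch (Error e) {
                warn("sendAuthDataRequest({})[{}] failed ({}) to retrieve key identity: {}", clientSession, str, e.getClass().getSimpleName(), e.getMessage(), e);
                throw new RuntimeSshException(e);
            }
        } while (algorithm == null);

        boolean hostBound = isHostBound(clientSession);
        String name = hostBound ? HOSTBOUND_NAME : getName();
        if (debugEnabled) {
            this.log.debug("sendAuthDataRequest({})[{}] send SSH_MSG_USERAUTH_REQUEST request {} type={} - fingerprint={}", clientSession, str, name, algorithm, KeyUtils.getFingerPrint(publicKey));
        }
        if (reporter != null) {
            reporter.signalAuthenticationAttempt(clientSession, str, keyIdentity, algorithm);
        }
        this.chosenAlgorithm = algorithm;
        Buffer request = clientSession.createBuffer(SshConstants.SSH_MSG_USERAUTH_REQUEST);
        request.putString(clientSession.getUsername());
        request.putString(str);
        request.putString(name);
        request.putBoolean(false); // no signature yet: this only asks whether the key is acceptable
        request.putString(algorithm);
        request.putPublicKey(publicKey);
        if (hostBound) {
            // The host-bound variant also carries the server's host key in the request.
            request.putPublicKey(clientSession.getServerKey());
        }
        setCancellable(true);
        clientSession.writePacket(request);
        return true;
    }

    /** Same as the three-argument overload, without a reporter. */
    protected PublicKeyIdentity resolveAttemptedPublicKeyIdentity(ClientSession clientSession, String str) throws Exception {
        return resolveAttemptedPublicKeyIdentity(clientSession, str, null);
    }

    /**
     * Picks the next identity to offer to the server.
     *
     * <p>OpenSSH certificates that are not user certificates, or that are not valid at the
     * moment, are logged, reported as skipped and passed over. Without the {@code continue}
     * statements such a certificate would be reported as skipped and then offered anyway,
     * leaving the reporter's audit trail at odds with what is sent on the wire.
     *
     * <p>Once the iterator is exhausted, the session's {@link UserInteraction} (if present and
     * allowed) is asked for one more key pair.
     *
     * @param publicKeyAuthenticationReporter receives skip notifications; may be {@code null}
     * @return the next identity, or {@code null} when none is left
     */
    protected PublicKeyIdentity resolveAttemptedPublicKeyIdentity(ClientSession clientSession, String str, PublicKeyAuthenticationReporter publicKeyAuthenticationReporter) throws Exception {
        if (this.keys != null) {
            while (this.keys.hasNext()) {
                PublicKeyIdentity candidate = this.keys.next();
                KeyPair keyIdentity = candidate.getKeyIdentity();
                PublicKey publicKey = keyIdentity.getPublic();
                if (publicKey instanceof OpenSshCertificate) {
                    OpenSshCertificate certificate = (OpenSshCertificate) publicKey;
                    if (!OpenSshCertificate.Type.USER.equals(certificate.getType())) {
                        this.log.warn("resolveAttemptedPublicKeyIdentity({})[{}]: public key certificate {} {} (id={}) is not a user certificate", clientSession, str, KeyUtils.getKeyType(certificate), KeyUtils.getFingerPrint(certificate), certificate.getId());
                        if (publicKeyAuthenticationReporter != null) {
                            publicKeyAuthenticationReporter.signalIdentitySkipped(clientSession, str, keyIdentity);
                        }
                        continue;
                    }
                    if (!OpenSshCertificate.isValidNow(certificate)) {
                        this.log.warn("resolveAttemptedPublicKeyIdentity({})[{}]: public key certificate {} {} (id={}) is not valid now", clientSession, str, KeyUtils.getKeyType(certificate), KeyUtils.getFingerPrint(certificate), certificate.getId());
                        if (publicKeyAuthenticationReporter != null) {
                            publicKeyAuthenticationReporter.signalIdentitySkipped(clientSession, str, keyIdentity);
                        }
                        continue;
                    }
                }
                return candidate;
            }
        }
        UserInteraction userInteraction = clientSession.getUserInteraction();
        if (userInteraction == null || !userInteraction.isInteractionAllowed(clientSession)) {
            return null;
        }
        KeyPair interactiveKey = userInteraction.resolveAuthPublicKeyIdentityAttempt(clientSession);
        if (interactiveKey == null) {
            return null;
        }
        return new KeyPairIdentity(this, clientSession, interactiveKey);
    }

    /**
     * Extension point consulted when no configured signature factory matches the key type.
     *
     * @return the algorithm to use, or {@code null}/empty to skip the key; this base
     *         implementation always returns {@code null}
     */
    protected String getDefaultSignatureAlgorithm(ClientSession clientSession, String str, PublicKeyIdentity publicKeyIdentity, KeyPair keyPair, String str2) throws Exception {
        return null;
    }

    /**
     * Handles {@code SSH_MSG_USERAUTH_PK_OK} and answers with the signed authentication request.
     *
     * <p>The key echoed by the server must equal the key that was offered; a different key aborts
     * the attempt. A different <em>algorithm</em> name in the reply is only logged, and the
     * signature is still produced with {@link #chosenAlgorithm}.
     *
     * @throws IllegalStateException   if the packet is not {@code SSH_MSG_USERAUTH_PK_OK}
     * @throws InvalidKeySpecException if the server echoed a key other than the offered one
     * @throws RuntimeSshException     if an {@link Error} is raised while building the reply
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.client.auth.AbstractUserAuth
    protected boolean processAuthDataRequest(ClientSession clientSession, String str, Buffer buffer) throws Exception {
        String name = getName();
        PublicKey serverKey = null;
        if (isHostBound(clientSession)) {
            name = HOSTBOUND_NAME;
            serverKey = clientSession.getServerKey();
        }
        int cmd = buffer.getUByte();
        if (cmd != SshConstants.SSH_MSG_USERAUTH_PK_OK) {
            throw new IllegalStateException("processAuthDataRequest(" + clientSession + ")[" + str + "][" + name + "] received unknown packet: cmd=" + SshConstants.getCommandMessageName(cmd));
        }
        boolean debugEnabled = this.log.isDebugEnabled();
        try {
            KeyPair keyIdentity = this.current.getKeyIdentity();
            PublicKey offeredKey = keyIdentity.getPublic();
            String echoedAlgorithm = buffer.getString();
            PublicKey echoedKey = buffer.getPublicKey();
            if (debugEnabled) {
                this.log.debug("processAuthDataRequest({})[{}][{}] SSH_MSG_USERAUTH_PK_OK type={}, fingerprint={}", clientSession, str, name, echoedAlgorithm, KeyUtils.getFingerPrint(echoedKey));
            }
            // Never sign for a key other than the one this client offered.
            if (!KeyUtils.compareKeys(echoedKey, offeredKey)) {
                throw new InvalidKeySpecException("processAuthDataRequest(" + clientSession + ")[" + str + "][" + name + "] mismatched " + echoedAlgorithm + " keys: expected=" + KeyUtils.getFingerPrint(offeredKey) + ", actual=" + KeyUtils.getFingerPrint(echoedKey));
            }
            if (!this.chosenAlgorithm.equalsIgnoreCase(echoedAlgorithm)) {
                this.log.warn("processAuthDataRequest({})[{}][{}] sent algorithm {} but got back {} from {}", clientSession, str, name, this.chosenAlgorithm, echoedAlgorithm, clientSession.getServerVersion());
            }
            String username = clientSession.getUsername();
            String algorithm = this.chosenAlgorithm;
            // Capacity hint only; the trailing 256 + 64 is presumably headroom for key and signature.
            Buffer request = clientSession.createBuffer(SshConstants.SSH_MSG_USERAUTH_REQUEST, GenericUtils.length(username) + GenericUtils.length(str) + GenericUtils.length(name) + GenericUtils.length(algorithm) + 256 + 64);
            request.putString(username);
            request.putString(str);
            request.putString(name);
            request.putBoolean(true); // this request carries a signature
            request.putString(algorithm);
            request.putPublicKey(offeredKey);
            if (serverKey != null) {
                request.putPublicKey(serverKey);
            }
            if (debugEnabled) {
                this.log.debug("processAuthDataRequest({})[{}][{}]: signing with algorithm {}", clientSession, str, name, algorithm);
            }
            byte[] signature = appendSignature(clientSession, str, name, username, algorithm, offeredKey, serverKey, request);
            PublicKeyAuthenticationReporter reporter = clientSession.getPublicKeyAuthenticationReporter();
            if (reporter != null) {
                reporter.signalSignatureAttempt(clientSession, str, keyIdentity, algorithm, signature);
            }
            // Once the signed request is about to go out the attempt is marked non-cancellable.
            setCancellable(false);
            clientSession.writePacket(request);
            return true;
        } catch (Error e) {
            warn("processAuthDataRequest({})[{}][{}] failed ({}) to retrieve key identity: {}", clientSession, str, name, e.getClass().getSimpleName(), e.getMessage(), e);
            throw new RuntimeSshException(e);
        }
    }

    /**
     * Signs the authentication data and appends the encoded signature to {@code buffer}.
     *
     * <p>The signed blob is: session id, {@code SSH_MSG_USERAUTH_REQUEST}, user name, service,
     * method name, {@code true}, algorithm, the client public key and, when {@code publicKey2} is
     * non-null, that second key as well. Including the session id ties the signature to this
     * session.
     *
     * <p>At TRACE level the complete signed blob (session id included) and the signature are
     * written to the log in hex; keep TRACE off for this logger outside of debugging.
     *
     * @param str        service name
     * @param str2       authentication method name
     * @param str3       user name
     * @param str4       requested signature algorithm
     * @param publicKey  the client key being authenticated
     * @param publicKey2 extra key to bind into the signature (the server key in the host-bound
     *                   case), or {@code null}
     * @param buffer     outgoing request that receives the signature
     * @return the raw signature bytes
     * @throws RuntimeSshException if signing fails with an {@link Error}
     */
    protected byte[] appendSignature(ClientSession clientSession, String str, String str2, String str3, String str4, PublicKey publicKey, PublicKey publicKey2, Buffer buffer) throws Exception {
        byte[] sessionId = clientSession.getSessionId();
        ByteArrayBuffer scratch = new ByteArrayBuffer(sessionId.length + str3.length() + str.length() + str2.length() + str4.length() + 256 + 64, false);
        scratch.putBytes(sessionId);
        scratch.putByte(SshConstants.SSH_MSG_USERAUTH_REQUEST);
        scratch.putString(str3);
        scratch.putString(str);
        scratch.putString(str2);
        scratch.putBoolean(true);
        scratch.putString(str4);
        scratch.putPublicKey(publicKey);
        if (publicKey2 != null) {
            scratch.putPublicKey(publicKey2);
        }
        byte[] dataToSign = scratch.getCompactData();
        try {
            Map.Entry<String, byte[]> signed = this.current.sign(clientSession, str4, dataToSign);
            String usedAlgorithm = signed.getKey();
            // The identity must sign with exactly the algorithm announced to the server.
            ValidateUtils.checkState(str4.equalsIgnoreCase(usedAlgorithm), "Mismatched signature type generated: requested=%s, used=%s", str4, usedAlgorithm);
            byte[] signature = signed.getValue();
            String signatureAlgorithm = KeyUtils.getSignatureAlgorithm(str4, publicKey);
            if (this.log.isTraceEnabled()) {
                this.log.trace("appendSignature({})[{}] name={}, key type={}, fingerprint={} - verification data={}", clientSession, str, str2, signatureAlgorithm, KeyUtils.getFingerPrint(publicKey), BufferUtils.toHex(dataToSign));
                this.log.trace("appendSignature({})[{}] name={}, key type={}, fingerprint={} - generated signature={}", clientSession, str, str2, signatureAlgorithm, KeyUtils.getFingerPrint(publicKey), BufferUtils.toHex(signature));
            }
            // Reuse the scratch buffer to encode (algorithm, signature) as one byte string.
            scratch.clear();
            scratch.putString(signatureAlgorithm);
            scratch.putBytes(signature);
            buffer.putBytes(scratch.array(), scratch.rpos(), scratch.available());
            return signature;
        } catch (Error e) {
            warn("appendSignature({})[{}][{}] failed ({}) to sign contents using {}: {}", clientSession, str, str2, e.getClass().getSimpleName(), str4, e.getMessage(), e);
            throw new RuntimeSshException(e);
        }
    }

    /** Forwards a successful authentication, with the key that was used, to the reporter. */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.client.auth.UserAuth
    public void signalAuthMethodSuccess(ClientSession clientSession, String str, Buffer buffer) throws Exception {
        PublicKeyAuthenticationReporter reporter = clientSession.getPublicKeyAuthenticationReporter();
        if (reporter != null) {
            KeyPair identity = (this.current == null) ? null : this.current.getKeyIdentity();
            reporter.signalAuthenticationSuccess(clientSession, str, identity);
        }
    }

    /** Forwards a failed authentication, with the key that was tried, to the reporter. */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.client.auth.UserAuth
    public void signalAuthMethodFailure(ClientSession clientSession, String str, boolean z, List<String> list, Buffer buffer) throws Exception {
        PublicKeyAuthenticationReporter reporter = clientSession.getPublicKeyAuthenticationReporter();
        if (reporter != null) {
            KeyPair identity = (this.current == null) ? null : this.current.getKeyIdentity();
            reporter.signalAuthenticationFailure(clientSession, str, identity, z, list);
        }
    }

    /**
     * Releases the key iterator, then delegates to the superclass.
     *
     * @throws UncheckedIOException if closing the iterator fails
     */
    @Override // io.jenkins.cli.shaded.org.apache.sshd.client.auth.AbstractUserAuth, io.jenkins.cli.shaded.org.apache.sshd.client.auth.UserAuth
    public void destroy() {
        try {
            releaseKeys();
            super.destroy();
        } catch (IOException e) {
            throw new UncheckedIOException("Failed (" + e.getClass().getSimpleName() + ") to close agent: " + e.getMessage(), e);
        }
    }

    /**
     * Clears all per-attempt state and closes the key iterator when it is {@link Closeable}.
     * The iterator reference is dropped even if closing throws.
     */
    protected void releaseKeys() throws IOException {
        this.currentAlgorithms.clear();
        this.current = null;
        this.chosenAlgorithm = null;
        try {
            if (this.keys instanceof Closeable) {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("releaseKeys({}) closing {}", getClientSession(), this.keys);
                }
                ((Closeable) this.keys).close();
            }
        } finally {
            this.keys = null;
        }
    }

    /** Host-bound authentication is used when the session attribute is present and equals 0. */
    private static boolean isHostBound(ClientSession clientSession) {
        Integer version = (Integer) clientSession.getAttribute(DefaultClientKexExtensionHandler.HOSTBOUND_AUTHENTICATION);
        return version != null && version.intValue() == 0;
    }
}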
