package com.sshtools.client;

import com.sshtools.common.logger.Log;
import com.sshtools.common.policy.SignaturePolicy;
import com.sshtools.common.publickey.InvalidPassphraseException;
import com.sshtools.common.publickey.SignatureGenerator;
import com.sshtools.common.publickey.SshKeyUtils;
import com.sshtools.common.ssh.SshException;
import com.sshtools.common.ssh.components.SshKeyPair;
import com.sshtools.common.ssh.components.SshPrivateKey;
import com.sshtools.common.ssh.components.SshPublicKey;
import com.sshtools.common.ssh.components.SshRsaPublicKey;
import com.sshtools.common.ssh.components.jce.OpenSshRsaCertificate;
import com.sshtools.common.ssh.components.jce.OpenSshRsaSha256Certificate;
import com.sshtools.common.ssh.components.jce.Ssh2RsaPublicKeySHA256;
import com.sshtools.common.ssh.components.jce.Ssh2RsaPublicKeySHA512;
import com.sshtools.common.util.ByteArrayReader;
import com.sshtools.common.util.ByteArrayWriter;
import com.sshtools.common.util.Utils;
import com.sshtools.synergy.ssh.Connection;
import java.io.IOException;
import java.nio.ByteBuffer;

/* loaded from: input_file:com/sshtools/client/PublicKeyAuthenticator.class */
/**
 * Client side of the SSH "publickey" user-authentication method ({@link #getName()}).
 *
 * <p>The exchange visible in this class has two phases, tracked by {@code isAuthenticating}:
 * <ol>
 *   <li>Query: a request carrying the public key with the boolean flag {@code false} and no
 *       signature is posted, asking whether the server would accept the key.</li>
 *   <li>Sign: when message 60 ({@link #SSH_MSG_USERAUTH_PK_OK}) arrives, the flag is set to
 *       {@code true} and the request is re-sent with a signature appended.</li>
 * </ol>
 * Message 51 (SSH_MSG_USERAUTH_FAILURE in RFC 4252) moves on to the next key, or ends the
 * attempt with {@code done(false)} when {@link #hasCredentialsRemaining()} is false.
 *
 * <p>Subclasses supply the keys through {@link #getNextKey()}, {@link #getAuthenticatingKey()}
 * and {@link #hasCredentialsRemaining()}.
 *
 * <p>NOTE(review): this listing is decompiler output; control flow in {@code setupNextKey()} in
 * particular may not match the original source (see the notes there).
 */
public abstract class PublicKeyAuthenticator extends SimpleClientAuthenticator implements ClientAuthenticator {
    /** Message number 60; {@link #processMessage} treats it as the server accepting the offered key. */
    public static final int SSH_MSG_USERAUTH_PK_OK = 60;
    // false while a key is only being offered (no signature); true once the server has accepted
    // the key and the next request must be signed.
    boolean isAuthenticating = false;
    // Transport and user name captured in authenticate(); both are null until it has been called.
    TransportProtocolClient transport;
    String username;
    // Not read or written anywhere in this class; signing goes through getSignatureGenerator().
    SignatureGenerator signatureGenerator;
    // Key currently being offered, possibly replaced by an rsa-sha2 wrapper in setupNextKey().
    SshPublicKey currentKey;
    // Signature algorithm name passed to the signature generator for currentKey.
    String signingAlgorithm;

    /**
     * Fetches the next key from {@link #getNextKey()} and picks the signature algorithm for it.
     *
     * <p>When the {@link SignaturePolicy} lists supported signatures, RSA keys and OpenSSH RSA
     * certificates of at least 1024 bits are switched from their own signing algorithm to
     * rsa-sha2-512, or failing that rsa-sha2-256.
     *
     * @return {@code true} on every path of this listing
     * @throws IOException if the key cannot be obtained or encoded
     * @throws SshException if the key cannot be wrapped or encoded
     */
    private boolean setupNextKey() throws IOException, SshException {
        // NOTE(review): as decompiled, the body returns true on its first pass, so the loop
        // condition and the trailing `return false` are never reached (javac would reject the
        // latter as unreachable). The original source probably skipped some keys and tried the
        // next one; confirm against the upstream source before relying on this flow.
        do {
            this.currentKey = getNextKey();
            // Default: whatever the key itself reports; only replaced by the upgrade below.
            this.signingAlgorithm = this.currentKey.getSigningAlgorithm();
            SignaturePolicy signaturePolicy = (SignaturePolicy) ((SshClientContext) this.transport.getContext()).getPolicy(SignaturePolicy.class);
            // An empty list disables all of the selection logic: the key is used as-is.
            // Presumably the list reflects what the server advertised (the log text says
            // "Server does not support") - confirm where it is populated.
            if (!signaturePolicy.getSupportedSignatures().isEmpty()) {
                // The 1024-bit test only gates the upgrade; it does not reject shorter RSA keys,
                // which fall through to the final branch and are still offered.
                if ((this.currentKey instanceof SshRsaPublicKey) && this.currentKey.getBitLength() >= 1024) {
                    if (signaturePolicy.getSupportedSignatures().contains("rsa-sha2-512")) {
                        this.signingAlgorithm = "rsa-sha2-512";
                        this.currentKey = new Ssh2RsaPublicKeySHA512(this.currentKey);
                    } else if (signaturePolicy.getSupportedSignatures().contains("rsa-sha2-256")) {
                        this.signingAlgorithm = "rsa-sha2-256";
                        this.currentKey = new Ssh2RsaPublicKeySHA256(this.currentKey);
                    } else {
                        // Only logged: in this listing the key is still offered with its
                        // original signing algorithm rather than being skipped.
                        Log.debug("Server does not support {} signature for key {}", new Object[]{this.currentKey.getSigningAlgorithm(), SshKeyUtils.getOpenSSHFormattedKey(this.currentKey)});
                    }
                    // Emitted after the else branch too, where nothing was upgraded.
                    if (Log.isDebugEnabled()) {
                        Log.debug("Upgrading key {} to use {} signature", new Object[]{this.currentKey.getAlgorithm(), this.signingAlgorithm});
                    }
                } else if ((this.currentKey instanceof OpenSshRsaCertificate) && this.currentKey.getBitLength() >= 1024) {
                    if (signaturePolicy.getSupportedSignatures().contains("rsa-sha2-512")) {
                        this.signingAlgorithm = "rsa-sha2-512";
                        // NOTE(review): the rsa-sha2-512 branch builds the same SHA-256
                        // certificate type as the rsa-sha2-256 branch below, so the key type
                        // and signingAlgorithm may disagree - confirm this is intended.
                        this.currentKey = new OpenSshRsaSha256Certificate().init(this.currentKey.getEncoded());
                    } else if (signaturePolicy.getSupportedSignatures().contains("rsa-sha2-256")) {
                        this.signingAlgorithm = "rsa-sha2-256";
                        this.currentKey = new OpenSshRsaSha256Certificate().init(this.currentKey.getEncoded());
                    } else {
                        // Only logged; the certificate is still offered unchanged.
                        Log.debug("Server does not support {} signature for key {}", new Object[]{this.currentKey.getSigningAlgorithm(), SshKeyUtils.getOpenSSHFormattedKey(this.currentKey)});
                    }
                    // Emitted after the else branch too, where nothing was upgraded.
                    if (Log.isDebugEnabled()) {
                        Log.debug("Upgrading certificate {} to use {} signature", new Object[]{this.currentKey.getAlgorithm(), this.signingAlgorithm});
                    }
                } else if (!signaturePolicy.getSupportedSignatures().contains(this.signingAlgorithm)) {
                    // Non-RSA keys and short RSA keys: a policy mismatch is logged, not enforced.
                    Log.debug("Server does not support {} signature for key {}", new Object[]{this.currentKey.getSigningAlgorithm(), SshKeyUtils.getOpenSSHFormattedKey(this.currentKey)});
                }
            }
            if (!Log.isDebugEnabled()) {
                return true;
            }
            Log.debug("Authenticating with {}", new Object[]{SshKeyUtils.getOpenSSHFormattedKey(this.currentKey)});
            return true;
        } while (hasCredentialsRemaining());
        return false;
    }

    /**
     * Starts public-key authentication for {@code str} over the given transport.
     *
     * <p>Records the transport and user name, then offers the first key if any credentials
     * remain; otherwise completes with {@code done(false)}.
     *
     * @param transportProtocolClient transport used to post authentication messages
     * @param str user name to authenticate as
     * @throws IOException propagated from key setup or from posting the request
     * @throws SshException propagated from key setup or from posting the request
     */
    @Override // com.sshtools.client.ClientAuthenticator
    public void authenticate(TransportProtocolClient transportProtocolClient, String str) throws IOException, SshException {
        onStartAuthentication(transportProtocolClient.getConnection());
        this.transport = transportProtocolClient;
        this.username = str;
        if (hasCredentialsRemaining()) {
            // The boolean result of setupNextKey() is ignored here.
            setupNextKey();
            doPublicKeyAuth();
        } else {
            if (Log.isDebugEnabled()) {
                // The format string has no "{}" placeholder for the getName() argument.
                Log.debug("No more credentials", new Object[]{getName()});
            }
            done(false);
        }
    }

    /**
     * Hook called at the start of {@link #authenticate}, before any state is stored.
     * The default implementation does nothing.
     *
     * @param connection connection obtained from the transport
     */
    protected void onStartAuthentication(Connection<SshClientContext> connection) {
    }

    /**
     * Builds the request body for {@code currentKey} and posts it as an authentication message
     * for the stored user name, service "ssh-connection" and method "publickey".
     *
     * <p>Any {@link IOException}, {@link InvalidPassphraseException} or {@link SshException}
     * raised while building or posting the request is logged and reported through
     * {@code failure()}.
     */
    void doPublicKeyAuth() throws SshException, IOException {
        try {
            // The data to sign is built in both phases, but it is only signed when
            // isAuthenticating is true (see generateAuthenticationRequest).
            final byte[] generateAuthenticationRequest = generateAuthenticationRequest(generateSignatureData());
            this.transport.postMessage(new AuthenticationMessage(this.username, "ssh-connection", "publickey") { // from class: com.sshtools.client.PublicKeyAuthenticator.1
                @Override // com.sshtools.client.AuthenticationMessage
                public boolean writeMessageIntoBuffer(ByteBuffer byteBuffer) {
                    // Common header first, then the publickey-specific body built above.
                    super.writeMessageIntoBuffer(byteBuffer);
                    byteBuffer.put(generateAuthenticationRequest);
                    return true;
                }
            });
        } catch (IOException e) {
            Log.error("Public key operation failed", e, new Object[0]);
            failure();
        } catch (InvalidPassphraseException e2) {
            Log.error("Public key operation failed", e2, new Object[0]);
            failure();
        } catch (SshException e3) {
            Log.error("Public key operation failed", e3, new Object[0]);
            failure();
        }
    }

    /**
     * Serialises the data that the signature is computed over.
     *
     * <p>Layout, in order: the transport's session key as a binary string, the byte 50
     * (SSH_MSG_USERAUTH_REQUEST in RFC 4252), user name, "ssh-connection", "publickey", the
     * {@code isAuthenticating} flag, then the key's algorithm name and encoded key.
     *
     * @return the serialised bytes
     */
    byte[] generateSignatureData() throws IOException, SshException, InvalidPassphraseException {
        ByteArrayWriter byteArrayWriter = new ByteArrayWriter();
        try {
            // Leading with a per-session value ties the signature to this session.
            // Presumably getSessionKey() is the RFC 4252 session identifier - confirm.
            byteArrayWriter.writeBinaryString(this.transport.getSessionKey());
            byteArrayWriter.write(50);
            byteArrayWriter.writeString(this.username);
            byteArrayWriter.writeString("ssh-connection");
            byteArrayWriter.writeString("publickey");
            byteArrayWriter.writeBoolean(this.isAuthenticating);
            writePublicKey(byteArrayWriter, this.currentKey);
            byte[] byteArray = byteArrayWriter.toByteArray();
            byteArrayWriter.close();
            return byteArray;
        } catch (Throwable th) {
            // Close on the failure path, keeping the first exception as the primary one.
            try {
                byteArrayWriter.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    /** Returns the next public key to offer; called once per attempt by {@code setupNextKey()}. */
    protected abstract SshPublicKey getNextKey() throws IOException;

    /**
     * Returns the key pair used to sign; reached through {@link #getSignatureGenerator()} only
     * in the signing phase.
     */
    protected abstract SshKeyPair getAuthenticatingKey() throws IOException, InvalidPassphraseException;

    /** Tells whether another key can still be offered. */
    protected abstract boolean hasCredentialsRemaining();

    /**
     * Appends a public key to {@code byteArrayWriter}: algorithm name as a string, then the
     * encoded key as a binary string.
     */
    private void writePublicKey(ByteArrayWriter byteArrayWriter, SshPublicKey sshPublicKey) throws IOException, SshException {
        byteArrayWriter.writeString(sshPublicKey.getAlgorithm());
        byteArrayWriter.writeBinaryString(sshPublicKey.getEncoded());
    }

    /**
     * Builds the method-specific part of the authentication request: the
     * {@code isAuthenticating} flag, the public key and, in the signing phase only, a signature
     * over {@code bArr}.
     *
     * @param bArr data to sign, as produced by {@link #generateSignatureData()}
     * @return the serialised request body
     */
    byte[] generateAuthenticationRequest(byte[] bArr) throws IOException, SshException, InvalidPassphraseException {
        ByteArrayWriter byteArrayWriter = new ByteArrayWriter();
        try {
            byteArrayWriter.writeBoolean(this.isAuthenticating);
            if (!this.isAuthenticating && Log.isDebugEnabled()) {
                // Debug output contains the encoded public key only, no private material.
                Log.debug("Verifying key {}", new Object[]{this.currentKey.getAlgorithm()});
                Log.debug("Encoded key{}{}", new Object[]{System.lineSeparator(), Utils.bytesToHex(this.currentKey.getEncoded(), 32, true, true)});
            }
            writePublicKey(byteArrayWriter, this.currentKey);
            if (this.isAuthenticating) {
                if (Log.isDebugEnabled()) {
                    Log.debug("Signing authentication request with {}", new Object[]{this.signingAlgorithm});
                }
                // The signature generator is only obtained here, after the server accepted the key.
                byteArrayWriter.writeBinaryString(getSignatureGenerator().sign(this.currentKey, this.signingAlgorithm, bArr));
            }
            byte[] byteArray = byteArrayWriter.toByteArray();
            byteArrayWriter.close();
            return byteArray;
        } catch (Throwable th) {
            // Unlike generateSignatureData(), a failure in close() here would replace th.
            byteArrayWriter.close();
            throw th;
        }
    }

    /**
     * Returns the object that produces the signature; by default the key pair from
     * {@link #getAuthenticatingKey()}. Protected, so a subclass can supply a different generator.
     */
    protected SignatureGenerator getSignatureGenerator() throws IOException, InvalidPassphraseException {
        return getAuthenticatingKey();
    }

    /**
     * Handles a server reply, dispatching on the first byte of the message.
     *
     * @param byteArrayReader reader positioned at the message number
     * @return {@code true} when the message was handled and the exchange continues;
     *         {@code false} for an unknown message number or when no credentials remain
     */
    @Override // com.sshtools.client.SimpleClientAuthenticator, com.sshtools.client.ClientAuthenticator
    public boolean processMessage(ByteArrayReader byteArrayReader) throws IOException, SshException {
        switch (byteArrayReader.read()) {
            case 51:
                // 51 = SSH_MSG_USERAUTH_FAILURE (RFC 4252): try the next key from the query phase.
                if (hasCredentialsRemaining()) {
                    setupNextKey();
                    this.isAuthenticating = false;
                    doPublicKeyAuth();
                    return true;
                }
                if (Log.isDebugEnabled()) {
                    // The format string has no "{}" placeholder for the getName() argument.
                    Log.debug("No more credentials", new Object[]{getName()});
                }
                done(false);
                return false;
            case 60:
                // 60 = SSH_MSG_USERAUTH_PK_OK (the constant declared at the top of the class).
                // NOTE(review): the rest of the message is not read here. RFC 4252 section 7 has
                // the server echo the algorithm name and key blob, but nothing compares them with
                // currentKey, and nothing checks that a query is outstanding (isAuthenticating
                // still false). A stricter client would verify both before signing.
                if (Log.isDebugEnabled()) {
                    Log.debug("Received SSH_MSG_USERAUTH_PK_OK", new Object[0]);
                    Log.debug("Server accepts {} {}", new Object[]{this.currentKey.getAlgorithm(), SshKeyUtils.getFingerprint(this.currentKey)});
                }
                this.isAuthenticating = true;
                try {
                    doPublicKeyAuth();
                    return true;
                } catch (SshException | IOException e) {
                    // doPublicKeyAuth() already handles these while building and posting the
                    // request; this covers anything that still propagates out of it.
                    Log.error("Public key operation failed", e, new Object[0]);
                    failure();
                    return true;
                }
            default:
                return false;
        }
    }

    /**
     * Signs {@code bArr} with the given private key.
     *
     * @param sshPrivateKey key to sign with
     * @param str signature algorithm name
     * @param bArr data to sign
     * @return the signature bytes
     * @throws SshException wrapping any {@link IOException} raised by the key
     */
    public byte[] sign(SshPrivateKey sshPrivateKey, String str, byte[] bArr) throws SshException {
        try {
            // Argument order is swapped relative to this method: data first, then algorithm.
            return sshPrivateKey.sign(bArr, str);
        } catch (IOException e) {
            throw new SshException(e);
        }
    }

    /** Returns the SSH authentication method name, "publickey". */
    @Override // com.sshtools.client.ClientAuthenticator
    public String getName() {
        return "publickey";
    }
}
