package org.apache.cxf.systest.hc5.https.trust;

import java.io.Closeable;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.transport.https.InsecureTrustManager;
import org.apache.hello_world.services.SOAPService;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

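/**
 * System test for client-side TLS trust decisions, run against the servers started from
 * {@code TrustServer} and {@code TrustServerNoSpring}.
 *
 * <p>Each test runs twice: once with the default conduit and once with the
 * {@code use.async.http.conduit} request-context entry set (see {@link #data()}).
 *
 * <p>Security note: the trust managers used here are test fixtures. Every test that configures
 * TLS in code also calls {@code setDisableCNCheck(true)}, so the trust manager under test is the
 * only server authentication in effect. None of this configuration is suitable for a production
 * client.
 */
@RunWith(Parameterized.class)
public class TrustManagerTest extends AbstractBusClientServerTestBase {
    static final String PORT = allocatePort(TrustServer.class);
    static final String PORT2 = allocatePort(TrustServer.class, 2);
    static final String PORT3 = allocatePort(TrustServer.class, 3);

    /** Subject DN that the positive {@link ServerCertX509TrustManager} tests require. */
    private static final String EXPECTED_SUBJECT_DN = "CN=Bethal,OU=Bethal,O=ApacheTest,L=Syracuse,C=US";
    /** Subject DN that the negative test requires and expects the server not to present. */
    private static final String MISMATCHED_SUBJECT_DN = "CN=Bethal2,OU=Bethal,O=ApacheTest,L=Syracuse,C=US";

    private static final String TRUST_STORE_PROPERTY = "javax.net.ssl.trustStore";
    private static final String TRUST_STORE_PASSWORD_PROPERTY = "javax.net.ssl.trustStorePassword";
    private static final String TRUST_STORE_TYPE_PROPERTY = "javax.net.ssl.trustStoreType";

    private final Boolean async;

    /**
     * Test-only trust manager that pins the server by the subject DN of its leaf certificate.
     *
     * <p>It compares a string and nothing else: no certification path is built, and signatures,
     * validity dates and revocation are not checked. A certificate from any issuer that carries
     * the required subject DN is therefore accepted, and when no name is required every
     * non-empty chain is accepted. Do not reuse this class outside tests; real pinning should
     * sit on top of standard path validation, not replace it.
     */
    public static class ServerCertX509TrustManager implements X509TrustManager {
        private final String requiredServerPrincipalName;

        /**
         * @param requiredServerPrincipalName subject DN the server's leaf certificate must carry,
         *     in the form returned by {@code X500Principal.getName()}; {@code null} disables the
         *     comparison
         */
        public ServerCertX509TrustManager(String requiredServerPrincipalName) {
            this.requiredServerPrincipalName = requiredServerPrincipalName;
        }

        /** Accepts every client chain; this fixture is only exercised on the client side. */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        /**
         * Rejects an absent or empty chain, then compares the subject DN of the first
         * certificate with the required name.
         *
         * @throws CertificateException if the chain is null or empty, or the subject DN differs
         *     from the required name
         */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("X509 Certificate chain is empty");
            }
            if (this.requiredServerPrincipalName == null) {
                return;
            }
            String presentedName = chain[0].getSubjectX500Principal().getName();
            if (!this.requiredServerPrincipalName.equals(presentedName)) {
                throw new CertificateException("X509 server certificate does not match requirement");
            }
        }

        /**
         * Returns an empty array: this manager vouches for no issuers. The
         * {@link X509TrustManager} contract requires a non-null result, so {@code null} is not
         * returned here.
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * @param async whether the client should be asked to use the asynchronous HTTP conduit
     */
    public TrustManagerTest(Boolean async) {
        this.async = async;
    }

    /** Launches both test servers once for the whole class. */
    @BeforeClass
    public static void startServers() throws Exception {
        Assert.assertTrue("Server failed to launch", launchServer(TrustServer.class, true));
        Assert.assertTrue("Server failed to launch", launchServer(TrustServerNoSpring.class, true));
    }

    /** Supplies the two values of the {@code async} constructor argument. */
    @Parameterized.Parameters(name = "{0}")
    public static Collection<Boolean> data() {
        return Arrays.asList(Boolean.FALSE, Boolean.TRUE);
    }

    /** Stops every server launched by {@link #startServers()}. */
    @AfterClass
    public static void cleanup() throws Exception {
        stopAllServers();
    }

    /**
     * A client whose trust managers come from {@code InsecureTrustManager} completes the call.
     * This is the "trust everything" baseline; it proves connectivity, not authentication.
     */
    @Test
    public void testNoOpX509TrustManager() throws Exception {
        Bus bus = createClientBus("client-trust.xml");
        try {
            BindingProvider httpsPort = createPort(PORT);
            try (Closeable portCloser = (Closeable) httpsPort) {
                applyTrustManagers(httpsPort, InsecureTrustManager.getNoOpX509TrustManagers());
                assertGreeting(httpsPort);
            }
        } finally {
            bus.shutdown(true);
        }
    }

    /**
     * Same call with no TLS parameters set in code; the trust configuration is presumably
     * supplied by {@code client-trust-manager-ref.xml} (not shown here; confirm).
     */
    @Test
    public void testNoOpX509TrustManagerTrustManagersRef() throws Exception {
        Bus bus = createClientBus("client-trust-manager-ref.xml");
        try {
            BindingProvider httpsPort = createPort(PORT);
            try (Closeable portCloser = (Closeable) httpsPort) {
                assertGreeting(httpsPort);
            }
        } finally {
            bus.shutdown(true);
        }
    }

    /** The server on {@link #PORT} is accepted when its subject DN matches the required name. */
    @Test
    public void testValidServerCertX509TrustManager() throws Exception {
        Bus bus = createClientBus("client-trust.xml");
        try {
            BindingProvider httpsPort = createPort(PORT);
            try (Closeable portCloser = (Closeable) httpsPort) {
                applyTrustManagers(httpsPort,
                    new TrustManager[] {new ServerCertX509TrustManager(EXPECTED_SUBJECT_DN)});
                assertGreeting(httpsPort);
            }
        } finally {
            bus.shutdown(true);
        }
    }

    /**
     * The call succeeds with the trust store named only through the {@code javax.net.ssl.*}
     * system properties, using {@code client-trust-config.xml}.
     */
    @Test
    public void testSystemPropertiesWithEmptyTLSClientParametersConfig() throws Exception {
        invokeWithSystemTrustStore("client-trust-config.xml");
    }

    /**
     * The call succeeds with the trust store named only through the {@code javax.net.ssl.*}
     * system properties, using {@code client-trust-empty-config.xml}.
     */
    @Test
    public void testSystemPropertiesWithEmptyKeystoreConfig() throws Exception {
        invokeWithSystemTrustStore("client-trust-empty-config.xml");
    }

    /** Same as {@link #testValidServerCertX509TrustManager()}, against the server on {@link #PORT3}. */
    @Test
    public void testValidServerCertX509TrustManager2() throws Exception {
        Bus bus = createClientBus("client-trust.xml");
        try {
            BindingProvider httpsPort = createPort(PORT3);
            try (Closeable portCloser = (Closeable) httpsPort) {
                applyTrustManagers(httpsPort,
                    new TrustManager[] {new ServerCertX509TrustManager(EXPECTED_SUBJECT_DN)});
                assertGreeting(httpsPort);
            }
        } finally {
            bus.shutdown(true);
        }
    }

    /** The call must fail when the required subject DN differs from the one the server presents. */
    @Test
    public void testInvalidServerCertX509TrustManager() throws Exception {
        Bus bus = createClientBus("client-trust.xml");
        try {
            BindingProvider httpsPort = createPort(PORT);
            try (Closeable portCloser = (Closeable) httpsPort) {
                applyTrustManagers(httpsPort,
                    new TrustManager[] {new ServerCertX509TrustManager(MISMATCHED_SUBJECT_DN)});
                assertInvocationFails(httpsPort, "Failure expected on an invalid principal name");
            }
        } finally {
            bus.shutdown(true);
        }
    }

    /**
     * With PKIX revocation checking and OCSP enabled, the call to the server on {@link #PORT2}
     * must fail; per the assertion message, the cause is an invalid OCSP responder URL.
     */
    @Test
    public void testOSCPOverride() throws Exception {
        Bus bus = createClientBus("client-trust.xml");
        try {
            BindingProvider httpsPort = createPort(PORT2);
            try (Closeable portCloser = (Closeable) httpsPort) {
                KeyStore trustStore = KeyStore.getInstance("JKS");
                try (InputStream in = ClassLoaderUtils.getResourceAsStream("keys/cxfca.jks", TrustManagerTest.class)) {
                    // KeyStore.load(null, ...) would silently create an empty store; fail with a clear message.
                    Assert.assertNotNull("Trust store keys/cxfca.jks not found", in);
                    trustStore.load(in, "password".toCharArray());
                }
                try {
                    // "ocsp.enable" is a JVM-wide security property, hence the reset in finally.
                    Security.setProperty("ocsp.enable", "true");
                    PKIXBuilderParameters pkixParameters = new PKIXBuilderParameters(trustStore, new X509CertSelector());
                    pkixParameters.setRevocationEnabled(true);
                    TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    factory.init(new CertPathTrustManagerParameters(pkixParameters));
                    applyTrustManagers(httpsPort, factory.getTrustManagers());
                    assertInvocationFails(httpsPort, "Failure expected on an invalid OCSP responder URL");
                } finally {
                    Security.setProperty("ocsp.enable", "false");
                }
            }
        } finally {
            bus.shutdown(true);
        }
    }

    /** Creates a bus from a Spring configuration next to this class and makes it the default bus. */
    private static Bus createClientBus(String configResource) {
        Bus bus = new SpringBusFactory().createBus(TrustManagerTest.class.getResource(configResource).toString());
        BusFactory.setDefaultBus(bus);
        BusFactory.setThreadDefaultBus(bus);
        return bus;
    }

    /**
     * Builds the HTTPS port, points it at {@code port} and applies the {@code async} parameter.
     *
     * <p>NOTE(review): the port is typed as {@code BindingProvider} exactly as in this listing;
     * {@code greetMe(...)} is presumably declared on the service endpoint interface returned by
     * {@code getHttpsPort()} - confirm the declared type against the original source.
     */
    private BindingProvider createPort(String port) throws Exception {
        SOAPService service = new SOAPService(SOAPService.WSDL_LOCATION, SOAPService.SERVICE);
        Assert.assertNotNull("Service is null", service);
        BindingProvider httpsPort = service.getHttpsPort();
        Assert.assertNotNull("Port is null", httpsPort);
        updateAddressPort(httpsPort, port);
        if (this.async.booleanValue()) {
            httpsPort.getRequestContext().put("use.async.http.conduit", true);
        }
        return httpsPort;
    }

    /**
     * Installs {@code trustManagers} on the port's conduit and disables the CN check, leaving
     * the given trust managers as the only server authentication for the call.
     *
     * <p>NOTE(review): the call chain is reproduced as listed; the conduit presumably has to be
     * narrowed to the HTTP conduit type for {@code setTlsClientParameters} to resolve - confirm.
     */
    private static void applyTrustManagers(BindingProvider httpsPort, TrustManager[] trustManagers) {
        TLSClientParameters tlsParameters = new TLSClientParameters();
        tlsParameters.setTrustManagers(trustManagers);
        tlsParameters.setDisableCNCheck(true);
        ClientProxy.getClient(httpsPort).getConduit().setTlsClientParameters(tlsParameters);
    }

    /** Asserts that the service answers the fixed greeting; expected value first, as JUnit defines it. */
    private static void assertGreeting(BindingProvider httpsPort) {
        Assert.assertEquals("Hello Kitty", httpsPort.greetMe("Kitty"));
    }

    /**
     * Asserts that the invocation throws. {@code Assert.fail} raises an {@code AssertionError},
     * which the {@code catch (Exception)} below does not intercept.
     */
    private static void assertInvocationFails(BindingProvider httpsPort, String failureMessage) {
        try {
            httpsPort.greetMe("Kitty");
            Assert.fail(failureMessage);
        } catch (Exception expected) {
            // NOTE(review): any Exception satisfies this check, including a failure unrelated to
            // certificate validation (for example an unreachable server). Asserting on the
            // exception type or cause would make this negative test prove the trust decision.
        }
    }

    /**
     * Runs one successful call with the trust store named through the JVM-wide
     * {@code javax.net.ssl.*} system properties, and always clears them afterwards so later
     * tests are not affected.
     */
    private void invokeWithSystemTrustStore(String configResource) throws Exception {
        try {
            System.setProperty(TRUST_STORE_PROPERTY, "keys/Bethal.jks");
            System.setProperty(TRUST_STORE_PASSWORD_PROPERTY, "password");
            System.setProperty(TRUST_STORE_TYPE_PROPERTY, "JKS");
            Bus bus = createClientBus(configResource);
            try {
                BindingProvider httpsPort = createPort(PORT);
                try (Closeable portCloser = (Closeable) httpsPort) {
                    assertGreeting(httpsPort);
                }
            } finally {
                bus.shutdown(true);
            }
        } finally {
            System.clearProperty(TRUST_STORE_PROPERTY);
            System.clearProperty(TRUST_STORE_PASSWORD_PROPERTY);
            System.clearProperty(TRUST_STORE_TYPE_PROPERTY);
        }
    }
}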
