package org.apache.hadoop.hdds.security.x509.certificate.authority;

import java.io.IOException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile;
import org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.class */
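/**
 * Unit tests for {@link DefaultProfile}, the PKI profile that the SCM
 * certificate authority applies to incoming certificate sign requests (CSRs).
 *
 * <p>The profile is the CA's policy boundary, so most of these tests pin down
 * what it must <em>reject</em>: a CSR whose signature was not produced by the
 * private key matching the embedded public key, a CSR that asks for a CA
 * certificate, subjectAltName entries other than DNS names and IP addresses,
 * subjectAltName / extendedKeyUsage extensions flagged critical, and extended
 * key usages other than clientAuth / serverAuth.
 *
 * <p>All checks go through {@link MockApprover}, which exposes the profile's
 * request and extension verification to the test.
 */
public class TestDefaultProfile {

    // Subject / SAN values shared by the CSRs built through the production builder.
    private static final String DNS_NAME = "hadoop.apache.org";
    private static final String IP_ADDRESS = "8.8.8.8";
    private static final String ALT_IP_ADDRESS = "192.10.234.6";
    private static final String CLUSTER_ID = "ClusterID";
    private static final String SCM_ID = "SCMID";
    private static final String SUBJECT = "Ozone Cluster";
    // Common name used for the hand-built CSRs produced by getInvalidCSR.
    private static final String HAND_BUILT_CN = "invalidCert";

    @Rule
    public TemporaryFolder temporaryFolder = new TemporaryFolder();
    private OzoneConfiguration configuration;
    private SecurityConfig securityConfig;
    private DefaultProfile defaultProfile;
    private MockApprover testApprover;
    // Key pair whose public key is embedded in, and whose private key signs, the CSRs.
    private KeyPair keyPair;

    /**
     * Creates a fresh configuration, profile, approver and key pair for every
     * test. The metadata directory is pointed at a temporary folder so anything
     * the security configuration or key generator writes lands in a throwaway
     * location.
     *
     * @throws Exception if the temporary folder or the key pair cannot be created
     */
    @Before
    public void setUp() throws Exception {
        configuration = new OzoneConfiguration();
        configuration.set("ozone.metadata.dirs", temporaryFolder.newFolder().toString());
        securityConfig = new SecurityConfig(configuration);
        defaultProfile = new DefaultProfile();
        testApprover = new MockApprover(defaultProfile, securityConfig);
        keyPair = new HDDSKeyGenerator(securityConfig).generateKey();
    }

    /**
     * Only DNS and IP address subject alternative names are supported; the
     * other {@link GeneralName} tags exercised here must be reported as
     * unsupported.
     */
    @Test
    public void testisSupportedGeneralName() {
        Assert.assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.iPAddress));
        Assert.assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.dNSName));
        Assert.assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.directoryName));
        Assert.assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.rfc822Name));
        Assert.assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
    }

    /**
     * A well-formed, correctly signed non-CA CSR passes request verification.
     *
     * @throws SCMSecurityException    if the CSR cannot be built
     * @throws PKCSException           if the request cannot be parsed
     * @throws OperatorCreationException if the signature verifier cannot be set up
     */
    @Test
    public void testVerifyCertificate() throws SCMSecurityException, PKCSException, OperatorCreationException {
        Assert.assertTrue(testApprover.verifyPkcs10Request(buildCsr(IP_ADDRESS, false, keyPair)));
    }

    /**
     * A CSR whose private key does not match the public key it carries must be
     * rejected: the request cannot prove possession of the key it asks to
     * certify. The mismatch is built from this test's public key and the
     * private half of a freshly generated pair.
     *
     * @throws SCMSecurityException    if the CSR cannot be built
     * @throws PKCSException           if the request cannot be parsed
     * @throws OperatorCreationException if the signature verifier cannot be set up
     * @throws NoSuchProviderException   if the key generator's provider is missing
     * @throws NoSuchAlgorithmException  if the key generator's algorithm is missing
     */
    @Test
    public void testVerifyCertificateInvalidKeys() throws SCMSecurityException, PKCSException,
            OperatorCreationException, NoSuchProviderException, NoSuchAlgorithmException {
        KeyPair unrelated = new HDDSKeyGenerator(securityConfig).generateKey();
        KeyPair mismatched = new KeyPair(keyPair.getPublic(), unrelated.getPrivate());
        Assert.assertFalse(testApprover.verifyPkcs10Request(buildCsr(IP_ADDRESS, false, mismatched)));
    }

    /**
     * The extensions the production builder emits for a non-CA request are
     * accepted by the profile.
     *
     * @throws SCMSecurityException if the CSR cannot be built
     */
    @Test
    public void testExtensions() throws SCMSecurityException {
        Assert.assertTrue(testApprover.verfiyExtensions(buildCsr(ALT_IP_ADDRESS, false, keyPair)));
    }

    /**
     * A CSR requesting a CA certificate is rejected at the extension check, so
     * a requester cannot obtain signing authority through an ordinary request.
     *
     * @throws SCMSecurityException if the CSR cannot be built
     */
    @Test
    public void testInvalidExtensionsWithCA() throws SCMSecurityException {
        Assert.assertFalse(testApprover.verfiyExtensions(buildCsr(ALT_IP_ADDRESS, true, keyPair)));
    }

    /**
     * An email (rfc822Name) subject alternative name is rejected whether or not
     * the extension is marked critical.
     *
     * @throws IOException               if the extension cannot be encoded
     * @throws OperatorCreationException if the CSR signer cannot be created
     */
    @Test
    public void testInvalidExtensionsWithEmail() throws IOException, OperatorCreationException {
        Assert.assertFalse(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getSANExtension(GeneralName.rfc822Name, "bilbo@apache.org", false))));
        Assert.assertFalse(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getSANExtension(GeneralName.rfc822Name, "bilbo@apache.org", true))));
    }

    /**
     * A URI subject alternative name is rejected whether or not the extension
     * is marked critical, mirroring the email case.
     *
     * @throws IOException               if the extension cannot be encoded
     * @throws OperatorCreationException if the CSR signer cannot be created
     */
    @Test
    public void testInvalidExtensionsWithURI() throws IOException, OperatorCreationException {
        Assert.assertFalse(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getSANExtension(GeneralName.uniformResourceIdentifier, "s3g.ozone.org", false))));
        // Critical variant: previously this case repeated the non-critical check.
        Assert.assertFalse(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getSANExtension(GeneralName.uniformResourceIdentifier, "s3g.ozone.org", true))));
    }

    /**
     * A DNS subject alternative name is accepted only when the extension is
     * non-critical; the same name in a critical extension is rejected.
     *
     * @throws IOException               if the extension cannot be encoded
     * @throws OperatorCreationException if the CSR signer cannot be created
     */
    @Test
    public void testInvalidExtensionsWithCriticalDNS() throws IOException, OperatorCreationException {
        Assert.assertFalse(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getSANExtension(GeneralName.dNSName, "ozone.hadoop.org", true))));
        Assert.assertTrue(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getSANExtension(GeneralName.dNSName, "ozone.hadoop.org", false))));
    }

    /**
     * Non-critical clientAuth and serverAuth extended key usages are accepted.
     *
     * @throws IOException               if the extension cannot be encoded
     * @throws OperatorCreationException if the CSR signer cannot be created
     */
    @Test
    public void testValidExtendedKeyUsage() throws IOException, OperatorCreationException {
        Assert.assertTrue(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getKeyUsageExtension(KeyPurposeId.id_kp_clientAuth, false))));
        Assert.assertTrue(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getKeyUsageExtension(KeyPurposeId.id_kp_serverAuth, false))));
    }

    /**
     * A critical extended key usage is rejected even for an otherwise allowed
     * purpose, and an unsupported purpose (OCSP signing) is rejected even when
     * non-critical.
     *
     * @throws IOException               if the extension cannot be encoded
     * @throws OperatorCreationException if the CSR signer cannot be created
     */
    @Test
    public void testInValidExtendedKeyUsage() throws IOException, OperatorCreationException {
        Assert.assertFalse(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getKeyUsageExtension(KeyPurposeId.id_kp_clientAuth, true))));
        Assert.assertFalse(testApprover.verfiyExtensions(
            getInvalidCSR(keyPair, getKeyUsageExtension(KeyPurposeId.id_kp_OCSPSigning, false))));
    }

    /**
     * Builds a CSR through the production {@link CertificateSignRequest.Builder}
     * using the shared DNS name, subject, cluster and SCM identifiers.
     *
     * @param ipAddress   IP address placed in the subjectAltName
     * @param isCA        whether the request asks for a CA certificate
     * @param signingKeys key pair handed to the builder; the mismatched-key test
     *                    relies on its private half being what signs the request
     * @return the PKCS#10 request
     * @throws SCMSecurityException if the builder rejects the request
     */
    private PKCS10CertificationRequest buildCsr(String ipAddress, boolean isCA, KeyPair signingKeys)
            throws SCMSecurityException {
        return new CertificateSignRequest.Builder()
            .addDnsName(DNS_NAME)
            .addIpAddress(ipAddress)
            .setCA(isCA)
            .setClusterID(CLUSTER_ID)
            .setScmID(SCM_ID)
            .setSubject(SUBJECT)
            .setConfiguration(configuration)
            .setKey(signingKeys)
            .build();
    }

    /**
     * Hand-builds a correctly signed CSR that carries exactly the given
     * extensions, bypassing the production builder so that extensions the
     * profile is expected to reject can be fed to it. Despite the name, the
     * request itself is well-formed; only its extensions may be disallowed.
     *
     * @param signingKeys key pair whose public key is embedded in the request
     *                    and whose private key signs it
     * @param extensions  extension request attribute to attach
     * @return the signed PKCS#10 request
     * @throws OperatorCreationException if the content signer cannot be created
     */
    private PKCS10CertificationRequest getInvalidCSR(KeyPair signingKeys, Extensions extensions)
            throws OperatorCreationException {
        X500NameBuilder nameBuilder = new X500NameBuilder(X500Name.getDefaultStyle());
        nameBuilder.addRDN(BCStyle.CN, HAND_BUILT_CN);
        // Use the key pair passed in rather than the field: the parameter was previously ignored.
        JcaPKCS10CertificationRequestBuilder requestBuilder =
            new JcaPKCS10CertificationRequestBuilder(nameBuilder.build(), signingKeys.getPublic());
        requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions);
        return requestBuilder.build(
            new JcaContentSignerBuilder(securityConfig.getSignatureAlgo()).build(signingKeys.getPrivate()));
    }

    /**
     * Builds a subjectAltName extension holding a single general name.
     *
     * @param nameTag  {@link GeneralName} tag (e.g. {@code GeneralName.dNSName})
     * @param value    the name value
     * @param critical whether the extension is marked critical
     * @return the generated extension set
     * @throws IOException if the extension cannot be encoded
     */
    private Extensions getSANExtension(int nameTag, String value, boolean critical) throws IOException {
        ExtensionsGenerator generator = new ExtensionsGenerator();
        generator.addExtension(Extension.subjectAlternativeName, critical,
            new GeneralNames(new GeneralName(nameTag, value)));
        return generator.generate();
    }

    /**
     * Builds an extendedKeyUsage extension holding a single key purpose.
     *
     * @param keyPurposeId the key purpose to request
     * @param critical     whether the extension is marked critical
     * @return the generated extension set
     * @throws IOException if the extension cannot be encoded
     */
    private Extensions getKeyUsageExtension(KeyPurposeId keyPurposeId, boolean critical) throws IOException {
        ExtensionsGenerator generator = new ExtensionsGenerator();
        generator.addExtension(Extension.extendedKeyUsage, critical, new ExtendedKeyUsage(keyPurposeId));
        return generator.generate();
    }
}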
