package org.apache.kafka.common.security.ssl;

import java.io.File;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.test.TestSslUtils;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/kafka/common/security/ssl/SslFactoryTest.class */
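/**
 * Unit tests for {@link SslFactory}: engine setup per {@link Mode}, configuring a truststore with
 * no password entry, store validation through {@code createSSLContext}, and comparison of
 * {@code SslFactory.CertificateEntries}.
 *
 * <p>Every scenario starts from a configuration produced by {@code TestSslUtils.createSslConfig},
 * which is handed a fresh temporary truststore file. Those files are registered for deletion on JVM
 * exit so repeated runs do not leave test trust material behind in the shared temp directory.
 */
public class SslFactoryTest {
    /**
     * A server-mode factory must produce an engine that is not in client mode and that enables
     * exactly one protocol version.
     */
    @Test
    public void testSslFactoryConfiguration() throws Exception {
        Map<String, Object> serverSslConfig =
                TestSslUtils.createSslConfig(false, true, Mode.SERVER, tempTrustStoreFile(), "server");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(serverSslConfig);
        SSLEngine engine = sslFactory.createSslEngine("localhost", 0);
        Assert.assertNotNull(engine);
        // Exact-match on the protocol list: a change that enables any additional (for example
        // older) protocol version alongside TLSv1.2 makes this assertion fail.
        Assert.assertArrayEquals(new String[]{"TLSv1.2"}, engine.getEnabledProtocols());
        Assert.assertFalse(engine.getUseClientMode());
    }

    /**
     * Configuring the factory must succeed when {@code ssl.truststore.password} is absent.
     *
     * <p>NOTE(review): {@link KeyStore#load(java.io.InputStream, char[])} skips the integrity check
     * when it is given a null password. If SslFactory passes the missing password through as null
     * (not visible from this test), a password-less truststore is protected from tampering by file
     * permissions only; confirm against SslFactory.
     */
    @Test
    public void testSslFactoryWithoutPasswordConfiguration() throws Exception {
        Map<String, Object> serverSslConfig =
                TestSslUtils.createSslConfig(false, true, Mode.SERVER, tempTrustStoreFile(), "server");
        serverSslConfig.remove("ssl.truststore.password");
        try {
            new SslFactory(Mode.SERVER).configure(serverSslConfig);
        } catch (Exception e) {
            // Same failure message as before, but with the cause attached so the report keeps the
            // stack trace of the configuration error instead of only its toString().
            throw new AssertionError(
                    "An exception was thrown when configuring the truststore without a password: " + e, e);
        }
    }

    /** A client-mode factory must produce an engine that is in client mode. */
    @Test
    public void testClientMode() throws Exception {
        Map<String, Object> clientSslConfig =
                TestSslUtils.createSslConfig(false, true, Mode.CLIENT, tempTrustStoreFile(), "client");
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(clientSslConfig);
        Assert.assertTrue(sslFactory.createSslEngine("localhost", 0).getUseClientMode());
    }

    /**
     * Positive case: an SSL context can be created from the keystore alone, the truststore alone,
     * or both, when the stores come from the same configuration the factory was configured with.
     */
    @Test
    public void testKeyStoreTrustStoreValidation() throws Exception {
        Map<String, Object> serverSslConfig =
                TestSslUtils.createSslConfig(false, true, Mode.SERVER, tempTrustStoreFile(), "server");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(serverSslConfig);
        Assert.assertNotNull("SSL context not created",
                sslFactory.createSSLContext(sslKeyStore(serverSslConfig), (SslFactory.SecurityStore) null));
        Assert.assertNotNull("SSL context not created",
                sslFactory.createSSLContext((SslFactory.SecurityStore) null, sslTrustStore(serverSslConfig)));
        Assert.assertNotNull("SSL context not created",
                sslFactory.createSSLContext(sslKeyStore(serverSslConfig), sslTrustStore(serverSslConfig)));
    }

    /**
     * Negative case: stores taken from a second, independently generated configuration must be
     * rejected with an {@link SSLHandshakeException} by a factory configured with the first one.
     *
     * <p>NOTE(review): the third constructor argument ({@code true}) is presumably the switch that
     * makes the factory validate new stores against the configured ones; confirm in SslFactory.
     */
    @Test
    public void testUntrustedKeyStoreValidation() throws Exception {
        Map<String, Object> serverSslConfig =
                TestSslUtils.createSslConfig(false, true, Mode.SERVER, tempTrustStoreFile(), "server");
        Map<String, Object> untrustedConfig =
                TestSslUtils.createSslConfig(false, true, Mode.SERVER, tempTrustStoreFile(), "server");
        SslFactory sslFactory = new SslFactory(Mode.SERVER, (String) null, true);
        sslFactory.configure(serverSslConfig);
        try {
            sslFactory.createSSLContext(sslKeyStore(untrustedConfig), (SslFactory.SecurityStore) null);
            Assert.fail("Validation did not fail with untrusted keystore");
        } catch (SSLHandshakeException expected) {
            // Expected: the replacement keystore does not belong to the configured stores.
        }
        try {
            sslFactory.createSSLContext((SslFactory.SecurityStore) null, sslTrustStore(untrustedConfig));
            Assert.fail("Validation did not fail with untrusted truststore");
        } catch (SSLHandshakeException expected) {
            // Expected: the replacement truststore does not belong to the configured stores.
        }
        try {
            sslFactory.createSSLContext(sslKeyStore(untrustedConfig), sslTrustStore(untrustedConfig));
            // Message differs from the truststore-only case so a failure report identifies which
            // of the three combinations was wrongly accepted.
            Assert.fail("Validation did not fail with untrusted keystore and truststore");
        } catch (SSLHandshakeException expected) {
            // Expected: both replacement stores come from the other configuration.
        }
    }

    /**
     * {@code CertificateEntries} built from two loads of the same keystore must be equal, must stay
     * equal after the same certificate is added to one of them under a second alias, and must
     * differ from the entries of a keystore generated with the extra argument {@code "Another CN"}.
     */
    @Test
    public void testCertificateEntriesValidation() throws Exception {
        Map<String, Object> serverSslConfig =
                TestSslUtils.createSslConfig(false, true, Mode.SERVER, tempTrustStoreFile(), "server");
        Map<String, Object> otherCnConfig =
                TestSslUtils.createSslConfig(false, true, Mode.SERVER, tempTrustStoreFile(), "server", "Another CN");
        KeyStore first = sslKeyStore(serverSslConfig).load();
        KeyStore second = sslKeyStore(serverSslConfig).load();
        Assert.assertEquals(SslFactory.CertificateEntries.create(first), SslFactory.CertificateEntries.create(second));
        // Same certificate, different alias: the comparison is expected to be unaffected.
        second.setCertificateEntry("another", first.getCertificate("localhost"));
        Assert.assertEquals(SslFactory.CertificateEntries.create(first), SslFactory.CertificateEntries.create(second));
        Assert.assertNotEquals(SslFactory.CertificateEntries.create(first),
                SslFactory.CertificateEntries.create(sslKeyStore(otherCnConfig).load()));
    }

    /**
     * Creates the temporary file handed to {@code TestSslUtils.createSslConfig} as the truststore
     * location and schedules it for deletion when the JVM exits.
     */
    private static File tempTrustStoreFile() throws java.io.IOException {
        File trustStoreFile = File.createTempFile("truststore", ".jks");
        trustStoreFile.deleteOnExit();
        return trustStoreFile;
    }

    /** Builds a {@code SecurityStore} from the {@code ssl.keystore.*} and {@code ssl.key.password} entries. */
    private SslFactory.SecurityStore sslKeyStore(Map<String, Object> map) {
        return new SslFactory.SecurityStore(
                (String) map.get("ssl.keystore.type"),
                (String) map.get("ssl.keystore.location"),
                (Password) map.get("ssl.keystore.password"),
                (Password) map.get("ssl.key.password"));
    }

    /** Builds a {@code SecurityStore} from the {@code ssl.truststore.*} entries; no key password is passed. */
    private SslFactory.SecurityStore sslTrustStore(Map<String, Object> map) {
        return new SslFactory.SecurityStore(
                (String) map.get("ssl.truststore.type"),
                (String) map.get("ssl.truststore.location"),
                (Password) map.get("ssl.truststore.password"),
                (Password) null);
    }
}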
