package org.apache.qpid.server.ssl;

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/qpid/server/ssl/TrustManagerTest.class */
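/**
 * Checks which client certificate chains the broker-side trust managers accept.
 *
 * <p>Scenarios covered:
 * <ul>
 *   <li>{@link QpidPeersOnlyTrustManager} over the peer store accepts {@code app1} and rejects
 *       {@code app2}; over the regular trust store it rejects both.</li>
 *   <li>{@link QpidMultipleTrustManager} holding the trust store's default managers accepts
 *       {@code app1} and {@code app2} and rejects {@code untrusted_client}.</li>
 *   <li>{@link QpidMultipleTrustManager} holding only a peers-only manager accepts {@code app1}
 *       and rejects the other two.</li>
 *   <li>{@link QpidMultipleTrustManager} holding both accepts {@code app1} and {@code app2} and
 *       rejects {@code untrusted_client}.</li>
 * </ul>
 *
 * <p>The rejection cases are the security-relevant half of this suite. Every client chain is
 * loaded <em>before</em> the trust check is attempted, because {@link #getClientChain} is
 * declared {@code throws Exception}: a {@link CertificateException} raised while reading a
 * fixture must surface as an error, not be counted as the expected rejection.
 *
 * <p>The key stores and their passwords are test fixtures only.
 * NOTE(review): presumably the trust store holds the CA that issued app1/app2 - confirm against
 * the fixture generation scripts.
 */
public class TrustManagerTest extends UnitTestBase {
    private static final String STORE_TYPE = "pkcs12";
    private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
    // Fixture credentials; all three stores currently share the same test password.
    private static final String KEYSTORE_PASSWORD = "password";
    private static final String PEER_STORE = "ssl/java_broker_peerstore.pkcs12";
    private static final String PEER_STORE_PASSWORD = "password";
    private static final String KEYSTORE = "ssl/java_client_keystore.pkcs12";
    private static final String CERT_ALIAS_APP_1 = "app1";
    private static final String CERT_ALIAS_APP_2 = "app2";
    private static final String TRUST_STORE = "ssl/java_broker_truststore.pkcs12";
    private static final String TRUST_STORE_PASSWORD = "password";
    private static final String CERT_ALIAS_UNTRUSTED_CLIENT = "untrusted_client";
    private static final String UNTRUSTED_KEYSTORE = "ssl/java_client_untrusted_keystore.pkcs12";
    // authType argument handed to checkClientTrusted in every scenario.
    private static final String AUTH_TYPE = "RSA";

    /**
     * Loads the certificate chain stored under {@code alias} in a client key store.
     *
     * @param keyStorePath resource path of the PKCS12 client key store
     * @param alias        alias whose chain is wanted
     * @return the chain as X.509 certificates
     * @throws Exception if the store cannot be loaded; fails the test if the alias has no chain
     */
    private X509Certificate[] getClientChain(String keyStorePath, String alias) throws Exception {
        Certificate[] chain = SSLUtil.getInitializedKeyStore(keyStorePath, KEYSTORE_PASSWORD, STORE_TYPE).getCertificateChain(alias);
        if (chain == null) {
            // getCertificateChain returns null for an unknown alias; report that instead of an NPE.
            Assert.fail("No certificate chain found for alias '" + alias + "' in " + keyStorePath);
        }
        return Arrays.copyOf(chain, chain.length, X509Certificate[].class);
    }

    /**
     * Fails the test if the peer store holds any alias other than {@code app1}, i.e. makes sure
     * no CA certificate sits in the store the peers-only checks run against.
     */
    private void noCAinPeerStore(KeyStore keyStore) throws KeyStoreException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!alias.equalsIgnoreCase(CERT_ALIAS_APP_1)) {
                Assert.fail("Broker's peer store contains other certificate than client's  app1 public key");
            }
        }
    }

    /** Returns the trust managers the default TrustManagerFactory algorithm builds for {@code store}. */
    private static TrustManager[] defaultTrustManagersFor(KeyStore store) throws Exception {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
        factory.init(store);
        return factory.getTrustManagers();
    }

    /**
     * Wraps the X.509 trust manager built for {@code store} in a {@link QpidPeersOnlyTrustManager}.
     * When the factory yields several X.509 managers the last one is used.
     */
    private static QpidPeersOnlyTrustManager newPeersOnlyTrustManager(KeyStore store) throws Exception {
        QpidPeersOnlyTrustManager peersOnly = null;
        for (TrustManager candidate : defaultTrustManagersFor(store)) {
            if (candidate instanceof X509TrustManager) {
                peersOnly = new QpidPeersOnlyTrustManager(store, (X509TrustManager) candidate);
            }
        }
        // Without this the first checkClientTrusted call would die with a bare NullPointerException.
        Assert.assertNotNull("No X509TrustManager was created for the key store", peersOnly);
        return peersOnly;
    }

    /** Adds every default X.509 trust manager of {@code store} to {@code target}; fails if none exists. */
    private static void addRegularTrustManagers(QpidMultipleTrustManager target, KeyStore store) throws Exception {
        boolean added = false;
        for (TrustManager candidate : defaultTrustManagersFor(store)) {
            if (candidate instanceof X509TrustManager) {
                target.addTrustManager((X509TrustManager) candidate);
                added = true;
            }
        }
        Assert.assertTrue("The regular trust manager for the trust store was not added", added);
    }

    /** Adds a peers-only wrapper for every default X.509 trust manager of {@code store}; fails if none exists. */
    private static void addPeersOnlyTrustManagers(QpidMultipleTrustManager target, KeyStore store) throws Exception {
        boolean added = false;
        for (TrustManager candidate : defaultTrustManagersFor(store)) {
            if (candidate instanceof X509TrustManager) {
                target.addTrustManager(new QpidPeersOnlyTrustManager(store, (X509TrustManager) candidate));
                added = true;
            }
        }
        Assert.assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", added);
    }

    /** Fails with {@code failureMessage} (keeping the cause) if {@code manager} rejects {@code chain}. */
    private static void assertClientTrusted(X509TrustManager manager, X509Certificate[] chain, String failureMessage) {
        try {
            manager.checkClientTrusted(chain, AUTH_TYPE);
        } catch (CertificateException e) {
            // Same outcome as Assert.fail, but the rejection reason stays in the stack trace.
            throw new AssertionError(failureMessage, e);
        }
    }

    /** Fails with {@code failureMessage} unless {@code manager} rejects {@code chain}. */
    private static void assertClientRejected(X509TrustManager manager, X509Certificate[] chain, String failureMessage) {
        try {
            manager.checkClientTrusted(chain, AUTH_TYPE);
        } catch (CertificateException expected) {
            // Rejection is the outcome under test.
            return;
        }
        Assert.fail(failureMessage);
    }

    /**
     * A peers-only manager must accept exactly the certificates present in its store: app1 with
     * the peer store, nothing with the regular trust store.
     */
    @Test
    public void testQpidPeersOnlyTrustManager() throws Exception {
        KeyStore peerStore = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
        noCAinPeerStore(peerStore);
        X509TrustManager peerStoreManager = newPeersOnlyTrustManager(peerStore);

        X509Certificate[] app1Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_1);
        X509Certificate[] app2Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_2);

        assertClientTrusted(peerStoreManager, app1Chain,
                "Trusted client's validation against the broker's peer store manager failed.");
        assertClientRejected(peerStoreManager, app2Chain,
                "Untrusted client's validation against the broker's peer store manager succeeded.");

        KeyStore trustStore = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
        X509TrustManager trustStoreManager = newPeersOnlyTrustManager(trustStore);

        assertClientRejected(trustStoreManager, app1Chain,
                "Client's validation against the broker's peer store manager didn't fail.");
        assertClientRejected(trustStoreManager, app2Chain,
                "Client's validation against the broker's peer store manager didn't fail.");
    }

    /** With only the regular trust store, app1 and app2 are accepted and untrusted_client is rejected. */
    @Test
    public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception {
        QpidMultipleTrustManager multiManager = new QpidMultipleTrustManager();
        KeyStore trustStore = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
        addRegularTrustManagers(multiManager, trustStore);

        X509Certificate[] app1Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_1);
        X509Certificate[] app2Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_2);
        X509Certificate[] untrustedChain = getClientChain(UNTRUSTED_KEYSTORE, CERT_ALIAS_UNTRUSTED_CLIENT);

        assertClientTrusted(multiManager, app1Chain,
                "Trusted client's validation against the broker's multi store manager failed.");
        assertClientTrusted(multiManager, app2Chain,
                "Trusted client's validation against the broker's multi store manager failed.");
        assertClientRejected(multiManager, untrustedChain,
                "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    }

    /** With only the peer store (peers-only wrapper), app1 is accepted; app2 and untrusted_client are rejected. */
    @Test
    public void testQpidMultipleTrustManagerWithPeerStore() throws Exception {
        QpidMultipleTrustManager multiManager = new QpidMultipleTrustManager();
        KeyStore peerStore = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
        addPeersOnlyTrustManagers(multiManager, peerStore);

        X509Certificate[] app1Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_1);
        X509Certificate[] app2Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_2);
        X509Certificate[] untrustedChain = getClientChain(UNTRUSTED_KEYSTORE, CERT_ALIAS_UNTRUSTED_CLIENT);

        assertClientTrusted(multiManager, app1Chain,
                "Trusted client's validation against the broker's multi store manager failed.");
        assertClientRejected(multiManager, app2Chain,
                "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
        assertClientRejected(multiManager, untrustedChain,
                "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    }

    /** With trust store and peer store combined, app1 and app2 are accepted and untrusted_client is rejected. */
    @Test
    public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception {
        QpidMultipleTrustManager multiManager = new QpidMultipleTrustManager();
        KeyStore trustStore = SSLUtil.getInitializedKeyStore(TRUST_STORE, TRUST_STORE_PASSWORD, STORE_TYPE);
        addRegularTrustManagers(multiManager, trustStore);
        KeyStore peerStore = SSLUtil.getInitializedKeyStore(PEER_STORE, PEER_STORE_PASSWORD, STORE_TYPE);
        addPeersOnlyTrustManagers(multiManager, peerStore);

        X509Certificate[] app1Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_1);
        X509Certificate[] app2Chain = getClientChain(KEYSTORE, CERT_ALIAS_APP_2);
        X509Certificate[] untrustedChain = getClientChain(UNTRUSTED_KEYSTORE, CERT_ALIAS_UNTRUSTED_CLIENT);

        assertClientTrusted(multiManager, app1Chain,
                "Trusted client's validation against the broker's multi store manager failed.");
        assertClientTrusted(multiManager, app2Chain,
                "Trusted client's validation against the broker's multi store manager failed.");
        assertClientRejected(multiManager, untrustedChain,
                "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    }
}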
