package org.apache.qpid.server.security;

import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.LogMessage;
import org.apache.qpid.server.logging.MessageLogger;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.TestSSLUtils;
import org.apache.qpid.test.utils.UnitTestBase;
import org.hamcrest.CoreMatchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatcher;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.mockito.internal.verification.VerificationModeFactory;

/* loaded from: input_file:org/apache/qpid/server/security/NonJavaKeyStoreTest.class */
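/**
 * Tests creation and update of a {@code NonJavaKeyStore} configured object from a private key
 * and certificate supplied as file or data URLs, and its certificate-expiry warning.
 *
 * <p>Key material is taken from the bundled PKCS#12 test resource {@link #KEYSTORE}. The private
 * key is written unencrypted to temporary files, so every such file is registered in
 * {@code _testResources} as soon as it is created and removed again in {@link #tearDown()}.
 */
public class NonJavaKeyStoreTest extends UnitTestBase {
    private static final String KEYSTORE = "/ssl/java_broker_keystore.pkcs12";
    // Store/key password and entry alias of the bundled test key store (test fixture values).
    private static final String KEYSTORE_PASSWORD = "password";
    private static final String BROKER_ALIAS = "java-broker";
    private Broker<?> _broker;
    private ConfiguredObjectFactory _factory;
    private List<File> _testResources;
    private MessageLogger _messageLogger;

    /** Matches log messages whose hierarchy is {@code qpid.message.keystore.expiring}. */
    private static class LogMessageArgumentMatcher implements ArgumentMatcher<LogMessage> {
        private LogMessageArgumentMatcher() {
        }

        @Override
        public boolean matches(LogMessage logMessage) {
            // Constant-first comparison keeps the matcher null-safe for both the message
            // and its hierarchy.
            return logMessage != null && "qpid.message.keystore.expiring".equals(logMessage.getLogHierarchy());
        }
    }

    /** Creates the broker mock, routes its event logger to a mocked {@link MessageLogger}. */
    @Before
    public void setUp() throws Exception {
        this._messageLogger = Mockito.mock(MessageLogger.class);
        this._broker = BrokerTestHelper.createBrokerMock();
        Mockito.when(this._broker.getEventLogger()).thenReturn(new EventLogger(this._messageLogger));
        this._factory = this._broker.getObjectFactory();
        this._testResources = new ArrayList<>();
    }

    /**
     * Removes every temporary file created by the test, including the extracted private key.
     * Deletion is best effort: a file that cannot be removed now is scheduled for removal on
     * JVM exit instead of being left behind silently.
     */
    @After
    public void tearDown() throws Exception {
        for (File resource : this._testResources) {
            try {
                // File.delete() reports failure through its return value, not an exception.
                if (!resource.delete() && resource.exists()) {
                    resource.deleteOnExit();
                }
            } catch (SecurityException ignored) {
                // Best-effort cleanup: keep going so the remaining files are still removed.
            }
        }
        this._testResources.clear();
    }

    /**
     * Loads the PKCS#12 test key store from the class path.
     *
     * @param resourcePath class-path location of the key store
     * @return the loaded key store
     * @throws IllegalStateException if the resource does not exist
     */
    private KeyStore loadTestKeyStore(String resourcePath) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("pkcs12");
        try (InputStream in = getClass().getResourceAsStream(resourcePath)) {
            if (in == null) {
                // KeyStore.load(null, ...) would silently produce an empty store and the
                // failure would surface later as an unrelated NullPointerException.
                throw new IllegalStateException("Test key store resource not found: " + resourcePath);
            }
            keyStore.load(in, KEYSTORE_PASSWORD.toCharArray());
        }
        return keyStore;
    }

    /** Writes {@code content} to {@code target}, closing the stream even when the write fails. */
    private static void writeToFile(File target, byte[] content) throws Exception {
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(content);
            out.flush();
        }
    }

    /** Returns the external form of the {@code file:} URL for the given file. */
    private static String fileUrl(File file) throws Exception {
        return file.toURI().toURL().toExternalForm();
    }

    /** Returns a data URL carrying the UTF-8 bytes of the given PEM text. */
    private static String pemDataUrl(String pem) {
        return DataUrlUtils.getDataUrlForBytes(pem.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds the attribute map for a {@code NonJavaKeyStore} with the given name and URLs. */
    private static HashMap<String, Object> keyStoreAttributes(String name, String privateKeyUrl, String certificateUrl) {
        HashMap<String, Object> attributes = new HashMap<>();
        attributes.put("name", name);
        attributes.put("privateKeyUrl", privateKeyUrl);
        attributes.put("certificateUrl", certificateUrl);
        attributes.put("type", "NonJavaKeyStore");
        return attributes;
    }

    /** Creates the key store configured object under the mocked broker. */
    @SuppressWarnings({"unchecked", "rawtypes"}) // KeyStore.class is a raw class literal
    private org.apache.qpid.server.model.KeyStore<?> createKeyStore(HashMap<String, Object> attributes) throws Exception {
        return (org.apache.qpid.server.model.KeyStore<?>) this._factory.create(org.apache.qpid.server.model.KeyStore.class, attributes, this._broker);
    }

    /**
     * Asserts that creating a key store from {@code attributes} is rejected with an
     * {@link IllegalConfigurationException}.
     *
     * @param attributes     attributes expected to be refused
     * @param failureMessage assertion message used when creation unexpectedly succeeds
     */
    private void assertCreationRejected(HashMap<String, Object> attributes, String failureMessage) throws Exception {
        try {
            createKeyStore(attributes);
        } catch (IllegalConfigurationException expected) {
            return;
        }
        Assert.fail(failureMessage);
    }

    /**
     * Extracts the {@code java-broker} private key and certificate from the test key store
     * into two temporary files.
     *
     * <p>Both files are registered for deletion in {@link #tearDown()} immediately after they
     * are created, so the unencrypted private key is cleaned up even when extraction fails
     * part-way. The file suffixes are {@code .der} regardless of the encoding chosen.
     *
     * @param pem              {@code true} to write PEM text, {@code false} to write the raw
     *                         encoded form returned by {@code getEncoded()}
     * @param keyStoreResource class-path location of the PKCS#12 key store
     * @return a two-element array: the private key file, then the certificate file
     */
    private File[] extractResourcesFromTestKeyStore(boolean pem, String keyStoreResource) throws Exception {
        KeyStore source = loadTestKeyStore(keyStoreResource);

        File privateKeyFile = TestFileUtils.createTempFile(this, ".private-key.der");
        this._testResources.add(privateKeyFile);
        Key privateKey = source.getKey(BROKER_ALIAS, KEYSTORE_PASSWORD.toCharArray());
        byte[] keyBytes = pem
                ? TestSSLUtils.privateKeyToPEM(privateKey).getBytes(StandardCharsets.UTF_8)
                : privateKey.getEncoded();
        writeToFile(privateKeyFile, keyBytes);

        File certificateFile = TestFileUtils.createTempFile(this, ".certificate.der");
        this._testResources.add(certificateFile);
        Certificate certificate = source.getCertificate(BROKER_ALIAS);
        byte[] certificateBytes = pem
                ? TestSSLUtils.certificateToPEM(certificate).getBytes(StandardCharsets.UTF_8)
                : certificate.getEncoded();
        writeToFile(certificateFile, certificateBytes);

        return new File[]{privateKeyFile, certificateFile};
    }

    @Test
    public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDERFormat() throws Exception {
        runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(false);
    }

    @Test
    public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInPEMFormat() throws Exception {
        runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(true);
    }

    /**
     * Creates a key store from a matching key/certificate pair and checks that exactly one
     * non-null key manager is exposed.
     *
     * @param pem {@code true} for PEM input files, {@code false} for the raw encoded form
     */
    private void runTestCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDerFormat(boolean pem) throws Exception {
        File[] keyAndCertificate = extractResourcesFromTestKeyStore(pem, KEYSTORE);
        HashMap<String, Object> attributes = keyStoreAttributes(
                "myTestTrustStore", fileUrl(keyAndCertificate[0]), fileUrl(keyAndCertificate[1]));

        KeyManager[] keyManagers = createKeyStore(attributes).getKeyManagers();

        Assert.assertNotNull(keyManagers);
        Assert.assertEquals("Unexpected number of key managers", 1L, keyManagers.length);
        Assert.assertNotNull("Key manager is null", keyManagers[0]);
    }

    /** A certificate URL pointing at non-certificate content must be rejected. */
    @Test
    public void testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate() throws Exception {
        File[] keyAndCertificate = extractResourcesFromTestKeyStore(true, KEYSTORE);
        File invalidCertificate = TestFileUtils.createTempFile(this, ".invalid.cert", "content");
        this._testResources.add(invalidCertificate);

        HashMap<String, Object> attributes = keyStoreAttributes(
                "myTestTrustStore", fileUrl(keyAndCertificate[0]), fileUrl(invalidCertificate));

        assertCreationRejected(attributes, "Created key store from invalid certificate");
    }

    /** A private key URL pointing at non-key content must be rejected. */
    @Test
    public void testCreationOfTrustStoreFromInvalidPrivateKeyAndValidCertificate() throws Exception {
        File[] keyAndCertificate = extractResourcesFromTestKeyStore(true, KEYSTORE);
        File invalidPrivateKey = TestFileUtils.createTempFile(this, ".invalid.pk", "content");
        this._testResources.add(invalidPrivateKey);

        HashMap<String, Object> attributes = keyStoreAttributes(
                "myTestTrustStore", fileUrl(invalidPrivateKey), fileUrl(keyAndCertificate[1]));

        assertCreationRejected(attributes, "Created key store from invalid private key");
    }

    /** A warn period one day longer than the remaining validity must log one expiry message. */
    @Test
    public void testExpiryCheckingFindsExpired() throws Exception {
        doCertExpiryChecking(1);
        Mockito.verify(this._messageLogger, VerificationModeFactory.times(1))
                .message(ArgumentMatchers.argThat(new LogMessageArgumentMatcher()));
    }

    /** A warn period one day shorter than the remaining validity must log no expiry message. */
    @Test
    public void testExpiryCheckingIgnoresValid() throws Exception {
        doCertExpiryChecking(-1);
        Mockito.verify(this._messageLogger, Mockito.never())
                .message(ArgumentMatchers.argThat(new LogMessageArgumentMatcher()));
    }

    /**
     * Creates a key store whose {@code qpid.keystore.certificateExpiryWarnPeriod} context
     * value is the number of whole days until certificate expiry plus the given offset.
     *
     * @param warnPeriodOffsetDays days added to the computed remaining validity
     */
    private void doCertExpiryChecking(int warnPeriodOffsetDays) throws Exception {
        Mockito.when(this._broker.scheduleHouseKeepingTask(ArgumentMatchers.anyLong(), (TimeUnit) ArgumentMatchers.any(TimeUnit.class), (Runnable) ArgumentMatchers.any(Runnable.class))).thenReturn(Mockito.mock(ScheduledFuture.class));

        KeyStore source = loadTestKeyStore(KEYSTORE);
        // NOTE(review): the remaining validity is read from the "rootca" entry, while the key
        // store under test is built from the "java-broker" entry. The +/-1 day margin is only
        // meaningful if both certificates expire on the same day - confirm against the fixture.
        X509Certificate referenceCertificate = (X509Certificate) source.getCertificate("rootca");
        Assert.assertNotNull("Test key store has no 'rootca' certificate entry", referenceCertificate);
        long remainingMillis = referenceCertificate.getNotAfter().getTime() - System.currentTimeMillis();
        // Integer division truncates to whole days.
        int daysUntilExpiry = (int) (remainingMillis / TimeUnit.DAYS.toMillis(1));

        File[] keyAndCertificate = extractResourcesFromTestKeyStore(false, KEYSTORE);
        HashMap<String, Object> attributes = keyStoreAttributes(
                "myTestTrustStore", fileUrl(keyAndCertificate[0]), fileUrl(keyAndCertificate[1]));
        attributes.put("context", Collections.singletonMap("qpid.keystore.certificateExpiryWarnPeriod", Integer.valueOf(daysUntilExpiry + warnPeriodOffsetDays)));

        createKeyStore(attributes);
    }

    /** A private key paired with another key pair's certificate must be rejected on creation. */
    @Test
    public void testCreationOfKeyStoreWithNonMatchingPrivateKeyAndCertificate() throws Exception {
        Assume.assumeThat(Boolean.valueOf(SSLUtil.canGenerateCerts()), CoreMatchers.is(true));
        SSLUtil.KeyCertPair first = generateSelfSignedCertificate();
        SSLUtil.KeyCertPair second = generateSelfSignedCertificate();

        HashMap<String, Object> attributes = keyStoreAttributes(
                "myTestTrustStore",
                pemDataUrl(TestSSLUtils.privateKeyToPEM(first.getPrivateKey())),
                pemDataUrl(TestSSLUtils.certificateToPEM(second.getCertificate())));

        assertCreationRejected(attributes, "Created key store from non-matching private key and certificate");
    }

    /**
     * Replacing the certificate of an existing key store with one that does not belong to its
     * private key must be rejected.
     */
    @Test
    public void testUpdateKeyStoreToNonMatchingCertificate() throws Exception {
        Assume.assumeThat(Boolean.valueOf(SSLUtil.canGenerateCerts()), CoreMatchers.is(true));
        SSLUtil.KeyCertPair original = generateSelfSignedCertificate();
        SSLUtil.KeyCertPair other = generateSelfSignedCertificate();

        HashMap<String, Object> attributes = keyStoreAttributes(
                getTestName(),
                pemDataUrl(TestSSLUtils.privateKeyToPEM(original.getPrivateKey())),
                pemDataUrl(TestSSLUtils.certificateToPEM(original.getCertificate())));

        // Creation with the matching pair happens outside the try block: a rejection here is
        // a test failure, not the expected outcome, and must not be mistaken for a pass.
        org.apache.qpid.server.model.KeyStore<?> keyStore = createKeyStore(attributes);

        try {
            keyStore.setAttributes(Collections.<String, Object>singletonMap(
                    "certificateUrl", pemDataUrl(TestSSLUtils.certificateToPEM(other.getCertificate()))));
            Assert.fail("Updated key store to a non-matching certificate");
        } catch (IllegalConfigurationException expected) {
            // Expected: the new certificate does not match the stored private key.
        }
    }

    /**
     * Generates a fresh self-signed RSA-2048 / SHA256WithRSA certificate for {@code CN=foo},
     * valid from one day ago for 365 days.
     */
    private SSLUtil.KeyCertPair generateSelfSignedCertificate() throws Exception {
        long validFromMillis = Instant.now().minus(1L, ChronoUnit.DAYS).toEpochMilli();
        long validitySeconds = Duration.of(365L, ChronoUnit.DAYS).getSeconds();
        return SSLUtil.generateSelfSignedCertificate("RSA", "SHA256WithRSA", 2048, validFromMillis, validitySeconds, "CN=foo", Collections.emptySet(), Collections.emptySet());
    }
}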
