package org.apache.qpid.server.transport;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.net.InetSocketAddress;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.SystemLauncher;
import org.apache.qpid.server.SystemLauncherListener;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.SystemConfig;
import org.apache.qpid.server.model.Transport;
import org.apache.qpid.server.test.KerberosUtilities;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AltNameType;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.KeyStoreEntry;
import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:org/apache/qpid/server/transport/SNITest.class */
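/**
 * Verifies which server certificate the broker presents during a TLS handshake,
 * depending on the SNI host name sent by the client and on the key store's
 * {@code useHostNameMatching} / {@code certificateAlias} settings.
 *
 * <p>The key store built in {@link #setUp()} holds three self-signed entries:
 * {@code foovalid} (CN=foo, valid since yesterday), {@code fooinvalid} (CN=foo,
 * not valid for another hour) and {@code barinvalid} (CN=Qpid with a DNS
 * subject-alternative-name of "bar", not valid for another hour).
 */
public class SNITest extends UnitTestBase {

    @ClassRule
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    /** Connect timeout, in milliseconds, for the probing client socket. */
    private static final int SOCKET_TIMEOUT = 10000;
    private File _keyStoreFile;
    private KeyCertificatePair _fooValid;
    private KeyCertificatePair _fooInvalid;
    private KeyCertificatePair _barInvalid;
    private SystemLauncher _systemLauncher;
    private Broker<?> _broker;
    private int _boundPort;
    private File _brokerWork;

    /**
     * Generates the three key/certificate pairs and writes them into a key store
     * whose aliases ({@code foovalid}, {@code fooinvalid}, {@code barinvalid}) are
     * referenced by the individual tests.
     */
    @Before
    public void setUp() throws Exception {
        // One reference instant so all three validity windows agree on "now".
        final Instant now = Instant.now();
        final Instant yesterday = now.minus(1L, ChronoUnit.DAYS);
        final Instant inAnHour = now.plus(1L, ChronoUnit.HOURS);

        // Already valid, for a year.
        _fooValid = TlsResourceBuilder.createSelfSigned("CN=foo",
                                                        yesterday,
                                                        yesterday.plus(365L, ChronoUnit.DAYS));
        // Same subject, but not yet valid.
        _fooInvalid = TlsResourceBuilder.createSelfSigned("CN=foo",
                                                          inAnHour,
                                                          inAnHour.plus(365L, ChronoUnit.DAYS));
        // Different subject, matched via the DNS SAN "bar"; not yet valid.
        _barInvalid = TlsResourceBuilder.createSelfSigned("CN=Qpid",
                                                          inAnHour,
                                                          inAnHour.plus(365L, ChronoUnit.DAYS),
                                                          new AlternativeName(AltNameType.DNS_NAME, "bar"));

        _keyStoreFile = TLS_RESOURCE.createKeyStore(
                new PrivateKeyEntry("foovalid", _fooValid.getPrivateKey(), _fooValid.getCertificate()),
                new PrivateKeyEntry("fooinvalid", _fooInvalid.getPrivateKey(), _fooInvalid.getCertificate()),
                new PrivateKeyEntry("barinvalid", _barInvalid.getPrivateKey(), _barInvalid.getCertificate()))
                .toFile();
    }

    /** Stops the broker started by a test and removes its work directory. */
    @After
    public void tearDown() throws Exception {
        if (_systemLauncher != null) {
            _systemLauncher.shutdown();
        }
        if (_brokerWork != null) {
            // NOTE(review): File.delete() only removes an empty directory; if the broker
            // leaves files in its work directory this silently returns false — confirm
            // whether a recursive delete from the test utilities is intended here.
            _brokerWork.delete();
        }
    }

    /** SNI "foo" with matching enabled: the valid CN=foo entry wins over the invalid default. */
    @Test
    public void testValidCertChosen() throws Exception {
        performTest(true, "fooinvalid", "foo", _fooValid);
    }

    /** SNI "bar" with matching enabled: the SAN match is chosen even though it is not yet valid. */
    @Test
    public void testMatchCertChosenEvenIfInvalid() throws Exception {
        performTest(true, "fooinvalid", "bar", _barInvalid);
    }

    /** No SNI sent: the configured default alias is presented. */
    @Test
    public void testDefaultCertChose() throws Exception {
        performTest(true, "fooinvalid", null, _fooInvalid);
    }

    /** SNI "foo" with matching disabled: the default alias is presented regardless. */
    @Test
    public void testMatchingCanBeDisabled() throws Exception {
        performTest(false, "fooinvalid", "foo", _fooInvalid);
    }

    /**
     * Starts a broker with the given key store settings, opens a TLS client
     * connection that sends {@code sniHostName} (or no SNI extension when
     * {@code null}) and asserts that the server presented exactly one
     * certificate, the one belonging to {@code expected}.
     *
     * @param useHostNameMatching value for the key store's {@code useHostNameMatching} attribute
     * @param defaultAlias        value for the key store's {@code certificateAlias} attribute
     * @param sniHostName         SNI host name to send, or {@code null} for none
     * @param expected            key/certificate pair whose certificate must be presented
     */
    private void performTest(final boolean useHostNameMatching,
                             final String defaultAlias,
                             final String sniHostName,
                             final KeyCertificatePair expected) throws Exception {
        doBrokerStartup(useHostNameMatching, defaultAlias);

        final SSLContext sslContext = SSLUtil.tryGetSSLContext();
        // The server certificates are self-signed, so the client skips chain
        // validation on purpose; the assertion on the presented leaf certificate
        // below is the actual check this test performs.
        sslContext.init(null, new TrustManager[]{new NonValidatingTrustManager()}, null);

        // try-with-resources closes the socket on every path (the decompiled
        // original hand-rolled the same close/addSuppressed dance).
        try (SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket()) {
            final SSLParameters params = socket.getSSLParameters();
            if (sniHostName != null) {
                params.setServerNames(Collections.singletonList(new SNIHostName(sniHostName)));
            }
            socket.setSSLParameters(params);
            socket.connect(new InetSocketAddress("localhost", _boundPort), SOCKET_TIMEOUT);

            final Certificate[] peerCertificates = socket.getSession().getPeerCertificates();
            Assert.assertEquals(1, peerCertificates.length);
            Assert.assertEquals(expected.getCertificate(), peerCertificates[0]);
        }
    }

    /**
     * Launches a broker with an anonymous authentication provider, a key store
     * backed by {@link #_keyStoreFile} and a single SSL port bound to an ephemeral
     * port, which is recorded in {@link #_boundPort}.
     *
     * @param useHostNameMatching whether the key store selects a certificate by SNI host name
     * @param defaultAlias        alias used when no SNI match is made (or matching is disabled)
     */
    private void doBrokerStartup(final boolean useHostNameMatching, final String defaultAlias) throws Exception {
        final File initialConfig = createInitialContext();
        _brokerWork = TestFileUtils.createTestDirectory("qpid-work", true);

        final Map<String, Object> context = new HashMap<>();
        context.put("qpid.work_dir", _brokerWork.toString());

        final Map<String, Object> systemConfigAttributes = new HashMap<>();
        systemConfigAttributes.put("initialConfigurationLocation", initialConfig.getAbsolutePath());
        systemConfigAttributes.put("type", "JSON");
        systemConfigAttributes.put("context", context);

        _systemLauncher = new SystemLauncher(new SystemLauncherListener.DefaultSystemLauncherListener() {
            public void onContainerResolve(final SystemConfig<?> systemConfig) {
                // Capture the broker so the port and key store can be created below.
                _broker = systemConfig.getContainer(Broker.class);
            }
        });
        _systemLauncher.startup(systemConfigAttributes);

        final Map<String, Object> authProviderAttributes = new HashMap<>();
        authProviderAttributes.put("name", "myAuthProvider");
        authProviderAttributes.put("type", "Anonymous");
        final AuthenticationProvider authProvider =
                _broker.createChild(AuthenticationProvider.class, authProviderAttributes);

        final Map<String, Object> keyStoreAttributes = new HashMap<>();
        keyStoreAttributes.put("name", "myKeyStore");
        keyStoreAttributes.put("storeUrl", _keyStoreFile.toURI().toURL().toString());
        keyStoreAttributes.put("password", TLS_RESOURCE.getSecret());
        keyStoreAttributes.put("useHostNameMatching", useHostNameMatching);
        keyStoreAttributes.put("certificateAlias", defaultAlias);
        final KeyStore keyStore = _broker.createChild(KeyStore.class, keyStoreAttributes);

        final Map<String, Object> portAttributes = new HashMap<>();
        portAttributes.put("name", "myPort");
        portAttributes.put("type", KerberosUtilities.SERVER_PROTOCOL);
        portAttributes.put("transports", Collections.singleton(Transport.SSL));
        // Port 0 asks the OS for an ephemeral port; the bound value is read back below.
        portAttributes.put("port", 0);
        portAttributes.put("authenticationProvider", authProvider);
        portAttributes.put("keyStore", keyStore);
        _boundPort = _broker.createChild(Port.class, portAttributes).getBoundPort();
    }

    /**
     * Writes a minimal JSON initial configuration (name and model version only)
     * to a temporary file and returns it.
     *
     * @throws JsonProcessingException if the configuration cannot be serialised
     */
    private File createInitialContext() throws JsonProcessingException {
        final Map<String, Object> config = new HashMap<>();
        config.put("name", "test");
        config.put("modelVersion", "8.0");
        return TestFileUtils.createTempFile(this, ".initial-config.json", new ObjectMapper().writeValueAsString(config));
    }

    /**
     * Trust manager that accepts any peer so the handshake completes against the
     * self-signed test certificates. {@link #performTest} then inspects the
     * certificate the server actually presented, which is the property under test.
     */
    private static final class NonValidatingTrustManager implements X509TrustManager {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract calls for a non-null (possibly empty) array.
            return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType) {
            // Intentionally no validation; see class comment.
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType) {
            // Intentionally no validation; see class comment.
        }
    }
}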
