package org.apache.qpid.server.security;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.CertificateEntry;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.KeyStoreEntry;
import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
import org.apache.qpid.test.utils.tls.SecretKeyEntry;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:org/apache/qpid/server/security/FileKeyStoreTest.class */
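/**
 * Tests creation, attribute update and reload of a {@code FileKeyStore}.
 *
 * <p>The negative cases matter most from a security point of view: a wrong password, an unknown
 * or non-private-key alias, unparsable store bytes, or a store without any private key must all
 * be rejected when the key store object is created or updated, with a message that names the
 * actual problem.
 */
public class FileKeyStoreTest extends UnitTestBase {

    @ClassRule
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
    private static final String DN_FOO = "CN=foo";
    private static final String DN_BAR = "CN=bar";
    private static final String NAME = "myFileKeyStore";
    private static final String SECRET_KEY_ALIAS = "secret-key-alias";

    // Attribute names, kept in one place so a typo cannot silently drop an attribute from a test.
    private static final String ATTR_NAME = "name";
    private static final String ATTR_STORE_URL = "storeUrl";
    private static final String ATTR_PASSWORD = "password";
    private static final String ATTR_CERTIFICATE_ALIAS = "certificateAlias";
    private static final String ATTR_KEY_STORE_TYPE = "keyStoreType";

    // Fragments of the error messages the tests expect.
    private static final String MSG_CHECK_PASSWORD = "Check key store password";
    private static final String MSG_NO_PRIVATE_KEY = "must contain at least one private key";
    private static final String MSG_UNKNOWN_ALIAS_FORMAT = "Cannot find a certificate with alias '%s' in key store";

    @Test
    public void testCreateKeyStoreFromFile_Success() throws Exception {
        Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        Map<String, Object> attributes = baseAttributes(absolutePath(keyStoreFile));
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes));
    }

    @Test
    public void testCreateKeyStoreWithAliasFromFile_Success() throws Exception {
        Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        Map<String, Object> attributes = baseAttributes(absolutePath(keyStoreFile));
        attributes.put(ATTR_CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes));
    }

    @Test
    public void testCreateKeyStoreFromFile_WrongPassword() throws Exception {
        Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        Map<String, Object> attributes = baseAttributes(absolutePath(keyStoreFile));
        attributes.put(ATTR_PASSWORD, TLS_RESOURCE.getSecret() + "_");
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertCreationFails(attributes, MSG_CHECK_PASSWORD);
    }

    @Test
    public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception {
        Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
        Map<String, Object> attributes = baseAttributes(absolutePath(keyStoreFile));
        attributes.put(ATTR_CERTIFICATE_ALIAS, unknownAlias);
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertCreationFails(attributes, String.format(MSG_UNKNOWN_ALIAS_FORMAT, unknownAlias));
    }

    @Test
    public void testCreateKeyStoreFromFile_NonKeyAlias() throws Exception {
        // A trust store is used on purpose: the alias exists but names a certificate, not a key.
        Path trustStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
        Map<String, Object> attributes = baseAttributes(absolutePath(trustStoreFile));
        attributes.put(ATTR_CERTIFICATE_ALIAS, TLS_RESOURCE.getCertificateAlias());
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertCreationFails(attributes, "does not identify a private key");
    }

    @Test
    public void testCreateKeyStoreFromDataUrl_Success() throws Exception {
        String keyStoreDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
        Map<String, Object> attributes = baseAttributes(keyStoreDataUrl);
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes));
    }

    @Test
    public void testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception {
        String keyStoreDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
        Map<String, Object> attributes = baseAttributes(keyStoreDataUrl);
        attributes.put(ATTR_CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes));
    }

    @Test
    public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception {
        String keyStoreDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
        Map<String, Object> attributes = baseAttributes(keyStoreDataUrl);
        attributes.put(ATTR_PASSWORD, TLS_RESOURCE.getSecret() + "_");
        // NOTE(review): no keyStoreType is set here, so the expected "password" diagnosis
        // presumably relies on the default store type matching what TLS_RESOURCE produces - confirm.
        assertCreationFails(attributes, MSG_CHECK_PASSWORD);
    }

    @Test
    public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes() {
        // Explicit charset so the bytes do not depend on the platform default encoding.
        String bogusDataUrl = DataUrlUtils.getDataUrlForBytes("notatruststore".getBytes(StandardCharsets.UTF_8));
        Map<String, Object> attributes = baseAttributes(bogusDataUrl);
        assertCreationFails(attributes, "Cannot instantiate key store");
    }

    @Test
    public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception {
        String keyStoreDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
        String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
        Map<String, Object> attributes = baseAttributes(keyStoreDataUrl);
        attributes.put(ATTR_CERTIFICATE_ALIAS, unknownAlias);
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertCreationFails(attributes, String.format(MSG_UNKNOWN_ALIAS_FORMAT, unknownAlias));
    }

    @Test
    public void testEmptyKeystoreRejected() throws Exception {
        Path emptyKeyStoreFile = TLS_RESOURCE.createKeyStore(new KeyStoreEntry[0]);
        Map<String, Object> attributes = baseAttributes(absolutePath(emptyKeyStoreFile));
        assertCreationFails(attributes, MSG_NO_PRIVATE_KEY);
    }

    @Test
    public void testKeystoreWithNoPrivateKeyRejected() throws Exception {
        // A store holding only a certificate entry must not be accepted as a key store.
        Path trustStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
        Map<String, Object> attributes = baseAttributes(absolutePath(trustStoreFile));
        attributes.put(ATTR_NAME, getTestName());
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        assertCreationFails(attributes, MSG_NO_PRIVATE_KEY);
    }

    @Test
    public void testSymmetricKeysIgnored() throws Exception {
        String keyStoreType = "jceks";
        Path keyStoreFile = createSelfSignedKeyStoreWithSecretKeyAndCertificate(keyStoreType, DN_FOO);
        // The store URL is passed as an absolute path string, like every other file-based test
        // in this class (the original handed over the Path object itself).
        Map<String, Object> attributes = baseAttributes(absolutePath(keyStoreFile));
        attributes.put(ATTR_KEY_STORE_TYPE, keyStoreType);
        // Only successful creation is checked: the AES secret-key entry must not cause a rejection.
        Assert.assertNotNull(createFileKeyStore(attributes));
    }

    @Test
    public void testUpdateKeyStore_Success() throws Exception {
        Path keyStoreFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        Map<String, Object> attributes = baseAttributes(absolutePath(keyStoreFile));
        attributes.put(ATTR_KEY_STORE_TYPE, TLS_RESOURCE.getKeyStoreType());
        FileKeyStore<?> fileKeyStore = createFileKeyStore(attributes);
        Assert.assertNull("Unexpected alias value before change", fileKeyStore.getCertificateAlias());

        // Derive the bogus alias from the real alias, as the other unknown-alias tests do. The
        // original derived it from the store password, and since the alias is echoed in the
        // exception message, that put the password into the exception text and the test output.
        String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
        Map<String, Object> badUpdate = new HashMap<>();
        badUpdate.put(ATTR_CERTIFICATE_ALIAS, unknownAlias);
        try {
            fileKeyStore.setAttributes(badUpdate);
            Assert.fail("Exception not thrown");
        } catch (IllegalConfigurationException e) {
            String message = e.getMessage();
            Assert.assertTrue("Exception text not as expected: " + message,
                    message.contains(String.format(MSG_UNKNOWN_ALIAS_FORMAT, unknownAlias)));
        }
        // A rejected update must leave the previously configured (absent) alias untouched.
        Assert.assertNull("Unexpected alias value after failed change", fileKeyStore.getCertificateAlias());

        Map<String, Object> goodUpdate = new HashMap<>();
        goodUpdate.put(ATTR_CERTIFICATE_ALIAS, TLS_RESOURCE.getPrivateKeyAlias());
        fileKeyStore.setAttributes(goodUpdate);
        Assert.assertEquals("Unexpected alias value after change that is expected to be successful",
                TLS_RESOURCE.getPrivateKeyAlias(), fileKeyStore.getCertificateAlias());
    }

    @Test
    public void testReloadKeystore() throws Exception {
        Path activeStoreFile = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
        Path replacementStoreFile = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_BAR);
        Map<String, Object> attributes = baseAttributes(absolutePath(activeStoreFile));
        attributes.put(ATTR_NAME, getTestName());
        FileKeyStore<?> fileKeyStore = createFileKeyStore(attributes);
        Assert.assertEquals(DN_FOO, getCertificate(fileKeyStore).getIssuerName());

        // Swap the file content in place, then check that reload() picks up the new certificate.
        Files.copy(replacementStoreFile, activeStoreFile, StandardCopyOption.REPLACE_EXISTING);
        fileKeyStore.reload();
        Assert.assertEquals(DN_BAR, getCertificate(fileKeyStore).getIssuerName());
    }

    /**
     * Creates a key store object from the given attributes through the broker's object factory.
     *
     * @param map attribute name to value mapping for the new key store
     * @return the created key store
     */
    private FileKeyStore<?> createFileKeyStore(Map<String, Object> map) {
        // The factory is asked for the KeyStore category; the tests need the FileKeyStore view.
        return (FileKeyStore<?>) FACTORY.create(KeyStore.class, map, BROKER);
    }

    /**
     * Returns the only certificate reported by the key store, failing the test unless exactly
     * one is reported.
     *
     * @param fileKeyStore the key store to inspect
     * @return the single certificate's details
     */
    private CertificateDetails getCertificate(FileKeyStore<?> fileKeyStore) {
        List<?> certificateDetails = fileKeyStore.getCertificateDetails();
        Assert.assertNotNull(certificateDetails);
        Assert.assertEquals(1L, certificateDetails.size());
        return (CertificateDetails) certificateDetails.get(0);
    }

    /**
     * Builds a key store file containing a self-signed private key entry, a certificate entry
     * for the same certificate, and an AES secret key entry.
     *
     * @param str key store type to create (for example {@code "jceks"})
     * @param str2 distinguished name for the self-signed certificate
     * @return path of the created key store file
     * @throws Exception if the key material or the store cannot be created
     */
    public Path createSelfSignedKeyStoreWithSecretKeyAndCertificate(String str, String str2) throws Exception {
        KeyCertificatePair keyCertPair = TlsResourceBuilder.createSelfSigned(str2, new AlternativeName[0]);
        KeyStoreEntry[] entries = {
            new PrivateKeyEntry(TLS_RESOURCE.getPrivateKeyAlias(), keyCertPair.getPrivateKey(),
                    new Certificate[]{keyCertPair.getCertificate()}),
            new CertificateEntry(TLS_RESOURCE.getCertificateAlias(), keyCertPair.getCertificate()),
            new SecretKeyEntry(SECRET_KEY_ALIAS, TlsResourceHelper.createAESSecretKey())
        };
        return TLS_RESOURCE.createKeyStore(str, entries);
    }

    /**
     * Returns the attributes shared by every test: the default name, the given store URL and
     * the correct store password. Tests override or add entries (alias, store type, a wrong
     * password) as needed; the store type is deliberately not set here because several tests
     * omit it.
     */
    private static Map<String, Object> baseAttributes(String storeUrl) {
        Map<String, Object> attributes = new HashMap<>();
        attributes.put(ATTR_NAME, NAME);
        attributes.put(ATTR_STORE_URL, storeUrl);
        attributes.put(ATTR_PASSWORD, TLS_RESOURCE.getSecret());
        return attributes;
    }

    /** Converts a store file path to the absolute path string used as the store URL. */
    private static String absolutePath(Path storeFile) {
        return storeFile.toFile().getAbsolutePath();
    }

    /** Asserts that the key store exposes exactly one non-null key manager. */
    private static void assertSingleKeyManager(FileKeyStore<?> keyStore) throws Exception {
        KeyManager[] keyManagers = keyStore.getKeyManagers();
        Assert.assertNotNull(keyManagers);
        Assert.assertEquals("Unexpected number of key managers", 1L, keyManagers.length);
        Assert.assertNotNull("Key manager unexpected null", keyManagers[0]);
    }

    /** Asserts that key store creation fails with a message containing the given fragment. */
    private static void assertCreationFails(Map<String, Object> attributes, String expectedMessage) {
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes, expectedMessage);
    }
}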
