package org.apache.qpid.server.security;

import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.LogMessage;
import org.apache.qpid.server.logging.MessageLogger;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.junit.Assert;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;
import org.mockito.ArgumentMatcher;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.mockito.internal.verification.VerificationModeFactory;

/* loaded from: input_file:org/apache/qpid/server/security/NonJavaKeyStoreTest.class */
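/**
 * Unit tests for the {@code NonJavaKeyStore} implementation.
 *
 * <p>Covers creation from a private key and certificate supplied as DER or PEM files (or as
 * {@code data:} URLs), rejection of unparseable or mismatched key material, and the emission of
 * the "key store expiring" operational log message.
 */
public class NonJavaKeyStoreTest extends UnitTestBase {
    private static final String DN_FOO = "CN=foo";
    private static final String NAME = "myTestTrustStore";
    private static final String NON_JAVA_KEY_STORE = "NonJavaKeyStore";
    /** Log hierarchy of the operational message raised when a key store certificate is about to expire. */
    private static final String EXPIRING_LOG_HIERARCHY = "qpid.message.keystore.expiring";
    /** Context variable controlling how many days ahead of expiry the warning is raised. */
    private static final String EXPIRY_WARN_PERIOD_CONTEXT = "qpid.keystore.certificateExpiryWarnPeriod";

    private MessageLogger _messageLogger;
    /** Fresh self-signed key/certificate pair, regenerated for every test in {@link #setUp()}. */
    private KeyCertificatePair _keyCertPair;

    @ClassRule
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();

    /** Matches only log messages in the "key store expiring" hierarchy. */
    private static class LogMessageArgumentMatcher implements ArgumentMatcher<LogMessage> {
        @Override
        public boolean matches(LogMessage logMessage) {
            return EXPIRING_LOG_HIERARCHY.equals(logMessage.getLogHierarchy());
        }
    }

    @Before
    public void setUp() throws Exception {
        // BROKER is a shared static mock, so the event logger is re-stubbed per test to
        // capture messages into this test's own MessageLogger mock.
        this._messageLogger = Mockito.mock(MessageLogger.class);
        Mockito.when(BROKER.getEventLogger()).thenReturn(new EventLogger(this._messageLogger));
        this._keyCertPair = generateSelfSignedCertificate();
    }

    @Test
    public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInDERFormat() throws Exception {
        assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(
                TLS_RESOURCE.savePrivateKeyAsDer(this._keyCertPair.getPrivateKey()),
                TLS_RESOURCE.saveCertificateAsDer(this._keyCertPair.getCertificate()));
    }

    @Test
    public void testCreationOfTrustStoreFromValidPrivateKeyAndCertificateInPEMFormat() throws Exception {
        assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(
                TLS_RESOURCE.savePrivateKeyAsPem(this._keyCertPair.getPrivateKey()),
                TLS_RESOURCE.saveCertificateAsPem(new X509Certificate[]{this._keyCertPair.getCertificate()}));
    }

    /**
     * Creates a key store from the given key and certificate files and checks that exactly one
     * non-null {@link KeyManager} is produced.
     *
     * @param privateKeyPath  file holding the private key
     * @param certificatePath file holding the certificate
     */
    private void assertCreationOfTrustStoreFromValidPrivateKeyAndCertificate(Path privateKeyPath,
                                                                             Path certificatePath) throws Exception {
        Map<String, Object> attributes = keyStoreAttributes(NAME,
                                                            privateKeyPath.toFile().getAbsolutePath(),
                                                            certificatePath.toFile().getAbsolutePath());
        KeyManager[] keyManagers = createTestKeyStore(attributes).getKeyManagers();
        Assert.assertNotNull(keyManagers);
        Assert.assertEquals("Unexpected number of key managers", 1L, keyManagers.length);
        Assert.assertNotNull("Key manager is null", keyManagers[0]);
    }

    @Test
    public void testCreationOfTrustStoreFromValidPrivateKeyAndInvalidCertificate() throws Exception {
        Path privateKeyPath = TLS_RESOURCE.savePrivateKeyAsPem(this._keyCertPair.getPrivateKey());
        // An empty .cer file: the certificate must fail to load, and creation must be refused.
        Path emptyCertificatePath = TLS_RESOURCE.createFile(".cer");
        Map<String, Object> attributes = keyStoreAttributes(NAME,
                                                            privateKeyPath.toFile().getAbsolutePath(),
                                                            emptyCertificatePath.toFile().getAbsolutePath());
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
                                                                      "Cannot load private key or certificate(s)");
    }

    @Test
    public void testCreationOfTrustStoreFromInvalidPrivateKeyAndValidCertificate() throws Exception {
        // An empty .pk file: the key must fail to parse, and creation must be refused.
        Path emptyPrivateKeyPath = TLS_RESOURCE.createFile(".pk");
        Path certificatePath = TLS_RESOURCE.saveCertificateAsPem(new X509Certificate[]{this._keyCertPair.getCertificate()});
        Map<String, Object> attributes = keyStoreAttributes(NAME,
                                                            emptyPrivateKeyPath.toFile().getAbsolutePath(),
                                                            certificatePath.toFile().getAbsolutePath());
        // NOTE: the expected text pins the wrapped InvalidKeySpecException message; a change to
        // that message in the key parser would break this test without any change in behaviour.
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
                                                                      "Cannot load private key or certificate(s): java.security.spec.InvalidKeySpecException: Unable to parse key as PKCS#1 format");
    }

    @Test
    public void testExpiryCheckingFindsExpired() throws Exception {
        // Warn period one day longer than the remaining validity: the certificate is "expiring".
        doCertExpiryChecking(1);
        Mockito.verify(this._messageLogger, Mockito.times(1))
               .message(ArgumentMatchers.argThat(new LogMessageArgumentMatcher()));
    }

    @Test
    public void testExpiryCheckingIgnoresValid() throws Exception {
        // Warn period one day shorter than the remaining validity: no warning expected.
        doCertExpiryChecking(-1);
        Mockito.verify(this._messageLogger, Mockito.never())
               .message(ArgumentMatchers.argThat(new LogMessageArgumentMatcher()));
    }

    /**
     * Creates a key store whose expiry warn period is the certificate's remaining validity (in
     * whole days) plus {@code warnPeriodOffsetDays}, so the caller controls whether the
     * expiry warning should fire.
     *
     * @param warnPeriodOffsetDays days added to the remaining validity to form the warn period
     */
    private void doCertExpiryChecking(int warnPeriodOffsetDays) throws Exception {
        // The housekeeping scheduler is stubbed so the key store can register its check
        // without a real executor; the returned future is never inspected here.
        Mockito.when(BROKER.scheduleHouseKeepingTask(ArgumentMatchers.anyLong(),
                                                      ArgumentMatchers.any(TimeUnit.class),
                                                      ArgumentMatchers.any(Runnable.class)))
               .thenReturn(Mockito.mock(ScheduledFuture.class));
        Path privateKeyPath = TLS_RESOURCE.savePrivateKeyAsDer(this._keyCertPair.getPrivateKey());
        Path certificatePath = TLS_RESOURCE.saveCertificateAsDer(this._keyCertPair.getCertificate());
        // Truncated to whole days, so +1 strictly exceeds and -1 strictly undercuts the
        // remaining validity regardless of the sub-day remainder.
        long daysUntilExpiry = ChronoUnit.DAYS.between(Instant.now(),
                                                       this._keyCertPair.getCertificate().getNotAfter().toInstant());
        Map<String, Object> attributes = keyStoreAttributes(NAME,
                                                            privateKeyPath.toFile().getAbsolutePath(),
                                                            certificatePath.toFile().getAbsolutePath());
        attributes.put("context", Collections.singletonMap(EXPIRY_WARN_PERIOD_CONTEXT,
                                                           Long.valueOf(daysUntilExpiry + warnPeriodOffsetDays)));
        createTestKeyStore(attributes);
    }

    @Test
    public void testCreationOfKeyStoreWithNonMatchingPrivateKeyAndCertificate() throws Exception {
        // A key that does not belong to the certificate must be rejected at configuration time.
        KeyCertificatePair otherPair = generateSelfSignedCertificate();
        Map<String, Object> attributes = keyStoreAttributes(NAME,
                                                            getPrivateKeyAsDataUrl(this._keyCertPair.getPrivateKey()),
                                                            getCertificateAsDataUrl(otherPair.getCertificate()));
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, KeyStore.class, attributes,
                                                                      "Private key does not match certificate");
    }

    @Test
    public void testUpdateKeyStoreToNonMatchingCertificate() throws Exception {
        Map<String, Object> attributes = keyStoreAttributes(getTestName(),
                                                            getPrivateKeyAsDataUrl(this._keyCertPair.getPrivateKey()),
                                                            getCertificateAsDataUrl(this._keyCertPair.getCertificate()));
        KeyStore<?> keyStore = createTestKeyStore(attributes);
        try {
            // Swapping in a certificate that does not match the stored private key must be refused.
            keyStore.setAttributes(Collections.singletonMap("certificateUrl",
                                                            getCertificateAsDataUrl(generateSelfSignedCertificate().getCertificate())));
            Assert.fail("Created key store from invalid certificate");
        } catch (IllegalConfigurationException expected) {
            // expected: the update is rejected and the key store keeps its previous certificate
        }
    }

    /**
     * Builds the attribute map for a {@code NonJavaKeyStore}; the returned map is mutable so
     * callers can add further attributes such as {@code context}.
     *
     * @param name           key store name
     * @param privateKeyUrl  file path or {@code data:} URL of the private key
     * @param certificateUrl file path or {@code data:} URL of the certificate
     * @return mutable attribute map with {@code type} set to {@link #NON_JAVA_KEY_STORE}
     */
    private static Map<String, Object> keyStoreAttributes(String name, String privateKeyUrl, String certificateUrl) {
        Map<String, Object> attributes = new HashMap<>();
        attributes.put("name", name);
        attributes.put("privateKeyUrl", privateKeyUrl);
        attributes.put("certificateUrl", certificateUrl);
        attributes.put("type", NON_JAVA_KEY_STORE);
        return attributes;
    }

    /** Creates a {@link KeyStore} configured object under the shared mock broker. */
    private KeyStore<?> createTestKeyStore(Map<String, Object> attributes) {
        return FACTORY.create(KeyStore.class, attributes, BROKER);
    }

    /** Encodes the certificate as PEM and wraps it in a {@code data:} URL. */
    private String getCertificateAsDataUrl(X509Certificate x509Certificate) throws CertificateEncodingException {
        return DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(x509Certificate).getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Encodes the private key as PEM and wraps it in a {@code data:} URL. Only ever used with
     * the throwaway key generated for the current test, so the key never leaves the test JVM.
     */
    private String getPrivateKeyAsDataUrl(PrivateKey privateKey) {
        return DataUrlUtils.getDataUrlForBytes(TlsResourceHelper.toPEM(privateKey).getBytes(StandardCharsets.UTF_8));
    }

    /** Generates a new self-signed key/certificate pair for {@link #DN_FOO} with no alternative names. */
    private KeyCertificatePair generateSelfSignedCertificate() throws Exception {
        return TlsResourceBuilder.createSelfSigned(DN_FOO, new AlternativeName[0]);
    }
}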
