package org.apache.qpid.server.ssl;

import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.server.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.CertificateEntry;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.KeyStoreEntry;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/apache/qpid/server/ssl/TrustManagerTest.class */
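public class TrustManagerTest extends UnitTestBase {
    /** Algorithm of the platform's default {@link TrustManagerFactory}; every trust manager here is built with it. */
    private static final String DEFAULT_TRUST_MANAGER_ALGORITHM = TrustManagerFactory.getDefaultAlgorithm();
    /** Alias under which the single certificate is stored in each key store built by {@link #createKeyStore}. */
    private static final String TEST_ALIAS = "test";
    private static final String DN_CA = "CN=MyRootCA,O=ACME,ST=Ontario,C=CA";
    private static final String DN_APP1 = "CN=app1@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
    private static final String DN_APP2 = "CN=app2@acme.org,OU=art,O=acme,L=Toronto,ST=ON,C=CA";
    private static final String DN_UNTRUSTED = "CN=untrusted_client";

    /** Root CA certificate that issues {@link #_app1} and {@link #_app2}. */
    private static X509Certificate _ca;
    /** Client certificate issued by {@link #_ca}. */
    private static X509Certificate _app1;
    /** Second client certificate issued by {@link #_ca}, used as "known to the CA but not a configured peer". */
    private static X509Certificate _app2;
    /** Self-signed certificate with no chain to {@link #_ca}. */
    private static X509Certificate _untrusted;

    /**
     * Builds the certificate fixtures once for the class: a root CA, two client certificates
     * signed by it, and an unrelated self-signed certificate.
     *
     * @throws Exception if the test TLS resource builder fails to generate keys or certificates
     */
    @BeforeAll
    public static void setUp() throws Exception {
        final KeyCertificatePair rootCa = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
        final KeyPair app1KeyPair = TlsResourceBuilder.createRSAKeyPair();
        final KeyPair app2KeyPair = TlsResourceBuilder.createRSAKeyPair();
        final KeyCertificatePair selfSigned = TlsResourceBuilder.createSelfSigned(DN_UNTRUSTED, new AlternativeName[0]);

        _ca = rootCa.getCertificate();
        _app1 = TlsResourceBuilder.createCertificateForClientAuthorization(app1KeyPair, rootCa, DN_APP1, new AlternativeName[0]);
        _app2 = TlsResourceBuilder.createCertificateForClientAuthorization(app2KeyPair, rootCa, DN_APP2, new AlternativeName[0]);
        _untrusted = selfSigned.getCertificate();
    }

    /**
     * A peers-only manager must accept exactly the end-entity certificates held in its peer store:
     * a store containing {@code _app1} accepts {@code _app1} and rejects {@code _app2}, and a store
     * containing only the CA accepts neither client even though both chain to that CA.
     *
     * @throws Exception if fixture construction fails
     */
    @Test
    public void testQpidPeersOnlyTrustManager() throws Exception {
        final X509TrustManager app1PeerManager = createPeerManager(_app1);
        Assertions.assertDoesNotThrow(() -> {
            app1PeerManager.checkClientTrusted(new X509Certificate[]{_app1, _ca}, "RSA");
        }, "Trusted client's validation against the broker's peer store manager failed.");
        Assertions.assertThrows(CertificateException.class, () -> {
            app1PeerManager.checkClientTrusted(new X509Certificate[]{_app2, _ca}, "RSA");
        }, "Untrusted client's validation against the broker's peer store manager succeeded.");

        // Holding only the CA in the peer store must not turn it into a CA-style trust anchor.
        final X509TrustManager caOnlyPeerManager = createPeerManager(_ca);
        Assertions.assertThrows(CertificateException.class, () -> {
            caOnlyPeerManager.checkClientTrusted(new X509Certificate[]{_app1, _ca}, "RSA");
        }, "Client's validation against the broker's peer store manager didn't fail.");
        Assertions.assertThrows(CertificateException.class, () -> {
            caOnlyPeerManager.checkClientTrusted(new X509Certificate[]{_app2, _ca}, "RSA");
        }, "Client's validation against the broker's peer store manager didn't fail.");
    }

    /**
     * A multiple trust manager backed by a single CA trust store behaves like a regular
     * trust manager: both CA-issued clients pass, the self-signed certificate is rejected.
     *
     * @throws Exception if fixture construction fails
     */
    @Test
    public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception {
        final QpidMultipleTrustManager multipleTrustManager = new QpidMultipleTrustManager();
        final X509TrustManager caTrustManager = createTrustManager(_ca);
        Assertions.assertNotNull(caTrustManager, "The regular trust manager for the trust store was not found");
        multipleTrustManager.addTrustManager(caTrustManager);

        Assertions.assertDoesNotThrow(() -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca}, "RSA");
        }, "Trusted client's validation against the broker's multi store manager failed.");
        Assertions.assertDoesNotThrow(() -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca}, "RSA");
        }, "Trusted client's validation against the broker's multi store manager failed.");
        Assertions.assertThrows(CertificateException.class, () -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted}, "RSA");
        }, "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    }

    /**
     * A multiple trust manager backed only by a peer store for {@code _app1} accepts that peer
     * and rejects both the other CA-issued client and the self-signed certificate.
     *
     * @throws Exception if fixture construction fails
     */
    @Test
    public void testQpidMultipleTrustManagerWithPeerStore() throws Exception {
        final QpidMultipleTrustManager multipleTrustManager = new QpidMultipleTrustManager();
        final KeyStore peerStore = createKeyStore(_app1);
        final X509TrustManager peerTrustManager = getX509TrustManager(peerStore);
        Assertions.assertNotNull(peerTrustManager, "The regular trust manager for the trust store was not found");
        multipleTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(peerStore, peerTrustManager));

        Assertions.assertDoesNotThrow(() -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca}, "RSA");
        }, "Trusted client's validation against the broker's multi store manager failed.");
        Assertions.assertThrows(CertificateException.class, () -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca}, "RSA");
        }, "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
        Assertions.assertThrows(CertificateException.class, () -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted}, "RSA");
        }, "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    }

    /**
     * With both a CA trust store and an {@code _app1} peer store registered, the assertions below
     * rely on the multiple manager accepting a chain when at least one delegate accepts it: the
     * CA delegate admits {@code _app2} even though it is not a configured peer, while the
     * self-signed certificate is rejected by both delegates.
     *
     * @throws Exception if fixture construction fails
     */
    @Test
    public void testQpidMultipleTrustManagerWithTrustAndPeerStores() throws Exception {
        final QpidMultipleTrustManager multipleTrustManager = new QpidMultipleTrustManager();
        final KeyStore trustStore = createKeyStore(_ca);
        final X509TrustManager caTrustManager = getX509TrustManager(trustStore);
        Assertions.assertNotNull(caTrustManager, "The regular trust manager for the trust store was not found");
        multipleTrustManager.addTrustManager(caTrustManager);

        final KeyStore peerStore = createKeyStore(_app1);
        // The peers-only delegate is initialised from the peer store itself, mirroring
        // createPeerManager() and testQpidMultipleTrustManagerWithPeerStore(); initialising it
        // from the CA trust store would make it a second CA-backed validator instead of a
        // peer-store one, which is not what the assertion message below describes.
        final X509TrustManager peerTrustManager = getX509TrustManager(peerStore);
        Assertions.assertNotNull(peerTrustManager, "The regular trust manager for the peer store was not found");
        multipleTrustManager.addTrustManager(new QpidPeersOnlyTrustManager(peerStore, peerTrustManager));

        Assertions.assertDoesNotThrow(() -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_app1, _ca}, "RSA");
        }, "Trusted client's validation against the broker's multi store manager failed.");
        Assertions.assertDoesNotThrow(() -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_app2, _ca}, "RSA");
        }, "Trusted client's validation against the broker's multi store manager failed.");
        Assertions.assertThrows(CertificateException.class, () -> {
            multipleTrustManager.checkClientTrusted(new X509Certificate[]{_untrusted}, "RSA");
        }, "Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    }

    /**
     * Creates a key store of the platform default type holding only {@code certificate}
     * under {@link #TEST_ALIAS}, protected by an empty password.
     *
     * @param certificate the single trusted certificate to store
     * @return the populated key store
     * @throws Exception if the test helper cannot build the store
     */
    private KeyStore createKeyStore(final X509Certificate certificate) throws Exception {
        final KeyStoreEntry[] entries = {new CertificateEntry(TEST_ALIAS, certificate)};
        return TlsResourceHelper.createKeyStore(KeyStore.getDefaultType(), new char[0], entries);
    }

    /**
     * Builds a default-algorithm {@link X509TrustManager} whose only trust anchor is {@code certificate}.
     *
     * @param certificate the certificate to trust
     * @return the trust manager, or {@code null} if the factory produced no X.509 manager
     * @throws Exception if the key store or factory cannot be created
     */
    private X509TrustManager createTrustManager(final X509Certificate certificate) throws Exception {
        return getX509TrustManager(createKeyStore(certificate));
    }

    /**
     * Initialises a {@link TrustManagerFactory} with {@code keyStore} and picks out its X.509 manager.
     *
     * @param keyStore the store of trusted certificates
     * @return the last {@link X509TrustManager} the factory returned, or {@code null} if there was none
     * @throws Exception if the factory cannot be obtained or initialised
     */
    private X509TrustManager getX509TrustManager(final KeyStore keyStore) throws Exception {
        final TrustManagerFactory factory = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
        factory.init(keyStore);
        // Last match wins, as before; callers assert non-null rather than relying on a throw here.
        X509TrustManager x509Manager = null;
        for (final TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                x509Manager = (X509TrustManager) candidate;
            }
        }
        return x509Manager;
    }

    /**
     * Builds a {@link QpidPeersOnlyTrustManager} whose peer store and delegate trust manager
     * are both derived from the same single-certificate store.
     *
     * @param certificate the peer certificate to trust
     * @return the peers-only trust manager
     * @throws Exception if the key store or trust manager cannot be created
     */
    private X509TrustManager createPeerManager(final X509Certificate certificate) throws Exception {
        final KeyStore peerStore = createKeyStore(certificate);
        return new QpidPeersOnlyTrustManager(peerStore, getX509TrustManager(peerStore));
    }
}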
