package org.apache.qpid.server.security;

import java.io.File;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

/* loaded from: input_file:org/apache/qpid/server/security/NonJavaTrustStoreTest.class */
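/**
 * Tests for the {@code NonJavaTrustStore} configured object.
 *
 * <p>Covers creation from a PEM certificate file with and without a CRL, the
 * behaviour of a CRL attribute change that points at an unloadable file, the
 * rejection of an expired trust anchor when {@code trustAnchorValidityEnforced}
 * is set, and the error reported when the certificate or CRL file cannot be
 * loaded at creation time.
 *
 * <p>Certificates and CRLs are written to temporary files by {@link TlsResource};
 * the trust stores are created through the broker's configured-object factory
 * against a mock broker.
 */
public class NonJavaTrustStoreTest extends UnitTestBase {

    @RegisterExtension
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    private static final Broker<?> BROKER = BrokerTestHelper.createBrokerMock();
    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
    private static final String NAME = "myTestTrustStore";
    private static final String NON_JAVA_TRUST_STORE = "NonJavaTrustStore";
    private static final String DN_FOO = "CN=foo";
    private static final String DN_CA = "CN=CA";
    private static final String DN_BAR = "CN=bar";
    /** A path that is not expected to exist; used to provoke CRL load failures. */
    private static final String NOT_A_CRL = "/not/a/crl";

    /**
     * Holder for a CA certificate file, a CRL file issued by that CA, and the CA
     * key/certificate pair itself (needed to issue further CRLs).
     *
     * @param <T> representation of the certificate and CRL locations (a {@link File} in these tests)
     */
    /* loaded from: input_file:org/apache/qpid/server/security/NonJavaTrustStoreTest$CertificateAndCrl.class */
    public static class CertificateAndCrl<T> {
        private final T _certificate;
        private final T _crl;
        private final KeyCertificatePair _ca;

        private CertificateAndCrl(final T certificate, final T crl, final KeyCertificatePair ca) {
            this._certificate = certificate;
            this._crl = crl;
            this._ca = ca;
        }

        /** @return the location of the CA certificate. */
        T getCertificate() {
            return this._certificate;
        }

        /** @return the location of the CRL issued by {@link #getCa()}. */
        T getCrl() {
            return this._crl;
        }

        /** @return the CA key/certificate pair that issued the CRL. */
        KeyCertificatePair getCa() {
            return this._ca;
        }
    }

    /**
     * A trust store built from a single self-signed certificate, with revocation
     * checking disabled, must expose exactly one non-null trust manager.
     */
    @Test
    public void testCreationOfTrustStoreWithoutCRL() throws Exception {
        final String certificatePath = TLS_RESOURCE.saveCertificateAsPem(
                new X509Certificate[]{TlsResourceBuilder.createSelfSigned(DN_FOO, new AlternativeName[0]).getCertificate()})
                .toFile().getAbsolutePath();
        final TrustManager[] trustManagers = createTestTrustStore(Map.of(
                "name", NAME,
                "certificatesUrl", certificatePath,
                "type", NON_JAVA_TRUST_STORE,
                "certificateRevocationCheckEnabled", false)).getTrustManagers();
        assertSingleTrustManager(trustManagers);
    }

    /**
     * A trust store built from a CA certificate plus a CRL issued by that CA, with
     * revocation checking enabled, must expose exactly one non-null trust manager.
     */
    @Test
    public void testCreationOfTrustStoreFromValidCertificate() throws Exception {
        final CertificateAndCrl<File> certAndCrl = generateCertificateAndCrl();
        final TrustManager[] trustManagers = createTestTrustStore(Map.of(
                "name", NAME,
                "certificatesUrl", certAndCrl.getCertificate().getAbsolutePath(),
                "type", NON_JAVA_TRUST_STORE,
                "certificateRevocationCheckEnabled", true,
                "certificateRevocationListUrl", certAndCrl.getCrl().getAbsolutePath())).getTrustManagers();
        assertSingleTrustManager(trustManagers);
    }

    /**
     * Changing {@code certificateRevocationListUrl} to an unloadable file must be
     * rejected with an {@link IllegalConfigurationException} and must leave the
     * previously configured CRL in place; a subsequent change to a loadable CRL
     * must be accepted.
     */
    @Test
    public void testChangeOfCrlInTrustStoreFromValidCertificate() throws Exception {
        final CertificateAndCrl<File> certAndCrl = generateCertificateAndCrl();
        final String originalCrlPath = certAndCrl.getCrl().getAbsolutePath();
        final NonJavaTrustStore<?> trustStore = createTestTrustStore(Map.of(
                "name", NAME,
                "certificatesUrl", certAndCrl.getCertificate().getAbsolutePath(),
                "type", NON_JAVA_TRUST_STORE,
                "certificateRevocationCheckEnabled", true,
                "certificateRevocationListUrl", originalCrlPath));

        final IllegalConfigurationException thrown = Assertions.assertThrows(
                IllegalConfigurationException.class,
                () -> trustStore.setAttributes(Map.of("certificateRevocationListUrl", NOT_A_CRL)),
                "Exception not thrown");
        Assertions.assertTrue(thrown.getMessage().contains(expectedCrlLoadFailureMessage()),
                              "Exception text not as expected: " + thrown.getMessage());
        // The failed update must not have replaced the working CRL with the bad path.
        Assertions.assertEquals(originalCrlPath,
                                trustStore.getCertificateRevocationListUrl(),
                                "Unexpected CRL path value after failed change");

        // An empty CRL from the same CA is loadable and must be accepted.
        final Path replacementCrl = TLS_RESOURCE.createCrl(certAndCrl.getCa(), new X509Certificate[0]);
        final String replacementCrlPath = replacementCrl.toFile().getAbsolutePath();
        trustStore.setAttributes(Map.of("certificateRevocationListUrl", replacementCrlPath));
        Assertions.assertEquals(replacementCrlPath,
                                trustStore.getCertificateRevocationListUrl(),
                                "Unexpected CRL path value after change that is expected to be successful");
    }

    /**
     * With {@code trustAnchorValidityEnforced} set, a trust manager built from an
     * expired self-signed certificate must refuse that certificate as a client
     * certificate, either with a {@link CertificateExpiredException} or with a
     * {@link CertificateException} carrying the message {@code "Certificate expired"}.
     */
    @Test
    public void testUseOfExpiredTrustAnchorDenied() throws Exception {
        final KeyCertificatePair expired = createExpiredCertificate();
        final String certificatePath = TLS_RESOURCE.saveCertificateAsPem(
                new X509Certificate[]{expired.getCertificate()}).toFile().getAbsolutePath();
        final TrustManager[] trustManagers = createTestTrustStore(Map.of(
                "name", NAME,
                "trustAnchorValidityEnforced", true,
                "certificatesUrl", certificatePath,
                "type", NON_JAVA_TRUST_STORE)).getTrustManagers();
        assertSingleTrustManager(trustManagers);
        Assertions.assertTrue(trustManagers[0] instanceof X509TrustManager, "Unexpected trust manager type");
        final X509TrustManager x509TrustManager = (X509TrustManager) trustManagers[0];

        final CertificateException certificateException = Assertions.assertThrows(
                CertificateException.class,
                () -> x509TrustManager.checkClientTrusted(new X509Certificate[]{expired.getCertificate()}, "NULL"),
                "Exception not thrown");
        Assertions.assertTrue((certificateException instanceof CertificateExpiredException)
                              || "Certificate expired".equals(certificateException.getMessage()));
    }

    /**
     * Pointing {@code certificatesUrl} at a file that holds a CRL rather than a
     * certificate must fail creation with a "Cannot load certificate(s)" error.
     */
    @Test
    public void testCreationOfTrustStoreWithoutCertificate() throws Exception {
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY,
                BROKER,
                TrustStore.class,
                Map.of("name", NAME,
                       "certificatesUrl", generateCertificateAndCrl().getCrl().getAbsolutePath(),
                       "type", NON_JAVA_TRUST_STORE),
                "Cannot load certificate(s)");
    }

    /**
     * With revocation checking enabled, a {@code certificateRevocationListUrl}
     * that cannot be loaded must fail creation with the CRL load-failure message.
     */
    @Test
    public void testCreationOfTrustStoreFromValidCertificate_MissingCrlFile() throws Exception {
        final String certificatePath = TLS_RESOURCE.saveCertificateAsPem(
                new X509Certificate[]{TlsResourceBuilder.createSelfSigned(DN_FOO, new AlternativeName[0]).getCertificate()})
                .toFile().getAbsolutePath();
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY,
                BROKER,
                TrustStore.class,
                Map.of("name", NAME,
                       "certificatesUrl", certificatePath,
                       "type", NON_JAVA_TRUST_STORE,
                       "certificateRevocationCheckEnabled", true,
                       "certificateRevocationListUrl", NOT_A_CRL),
                expectedCrlLoadFailureMessage());
    }

    /**
     * Asserts the common creation outcome: a non-null array holding exactly one
     * non-null trust manager.
     */
    private static void assertSingleTrustManager(final TrustManager[] trustManagers) {
        Assertions.assertNotNull(trustManagers);
        Assertions.assertEquals(1, trustManagers.length, "Unexpected number of trust managers");
        Assertions.assertNotNull(trustManagers[0], "Trust manager unexpected null");
    }

    /**
     * @return the message fragment the trust store reports when the CRL at
     *         {@link #NOT_A_CRL} cannot be loaded for {@link #NAME}
     */
    private static String expectedCrlLoadFailureMessage() {
        return String.format("Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME);
    }

    /**
     * Creates a self-signed certificate for {@link #DN_FOO} whose validity window
     * (10 to 5 days ago, relative to a single captured instant) has already closed.
     */
    private KeyCertificatePair createExpiredCertificate() throws Exception {
        final Instant now = Instant.now();
        return TlsResourceBuilder.createSelfSigned(DN_FOO,
                                                   now.minus(10L, ChronoUnit.DAYS),
                                                   now.minus(5L, ChronoUnit.DAYS),
                                                   new AlternativeName[0]);
    }

    /**
     * Creates a trust store through the configured-object factory with the given
     * attributes. The factory is asked for the {@link TrustStore} interface; the
     * "type" attribute supplied by the callers presumably selects the
     * NonJavaTrustStore implementation, hence the downcast.
     */
    private NonJavaTrustStore<?> createTestTrustStore(final Map<String, Object> attributes) {
        return (NonJavaTrustStore<?>) FACTORY.create(TrustStore.class, attributes, BROKER);
    }

    /**
     * Generates a root CA for {@link #DN_CA}, writes its certificate to a PEM file,
     * and writes a CRL issued by that CA revoking two end-entity certificates
     * ({@link #DN_FOO} and {@link #DN_BAR}) signed by it.
     */
    private CertificateAndCrl<File> generateCertificateAndCrl() throws Exception {
        final KeyCertificatePair ca = TlsResourceBuilder.createKeyPairAndRootCA(DN_CA);
        final File caCertificateFile = TLS_RESOURCE.saveCertificateAsPem(
                new X509Certificate[]{ca.getCertificate()}).toFile();
        final X509Certificate[] revoked = new X509Certificate[]{
                TlsResourceBuilder.createKeyPairAndCertificate(DN_FOO, ca, new AlternativeName[0]).getCertificate(),
                TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, ca, new AlternativeName[0]).getCertificate()};
        final File crlFile = TLS_RESOURCE.createCrl(ca, revoked).toFile();
        return new CertificateAndCrl<>(caCertificateFile, crlFile, ca);
    }
}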
