package org.apache.sshd.certificates;

import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import org.apache.sshd.common.BaseBuilder;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.config.keys.PublicKeyEntry;
import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;
import org.apache.sshd.common.session.SessionContext;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.io.IoUtils;
import org.apache.sshd.util.test.BaseTestSupport;
import org.apache.sshd.util.test.NoIoTestCase;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

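/**
 * Parses the OpenSSH user certificates bundled as test resources and checks the decoded fields
 * and the CA signature, once per {@link TestParams} entry.
 *
 * <p>The signature check uses the CA public key carried inside the certificate itself. It shows
 * that the parsed certificate is internally consistent; it does not show that the CA is trusted.
 * Code that accepts certificates for authentication still has to compare that CA key with a
 * configured set of trusted keys and enforce principals, validity window and critical options.
 */
@RunWith(Parameterized.class)
@Category({NoIoTestCase.class})
public class OpenSSHCertificateParserTest extends BaseTestSupport {
    /** Classpath folder that holds the user key and certificate fixtures. */
    private static final String USER_KEY_PATH = "org/apache/sshd/client/opensshcerts/user/";

    /** Fixture selected by the Parameterized runner for this instance. */
    private final TestParams params;

    /**
     * One fixture: the base name of the user key file and the signature algorithm the
     * certificate is expected to report.
     *
     * <p>Decompiler note: this class was private in the compiled original; the modifier was
     * widened by the decompiler.
     */
    public static class TestParams {
        // Signature algorithm expected from OpenSshCertificate.getSignatureAlgorithm().
        private final String sigAlgorithm;
        // Base file name of the key; "-cert.pub" is appended to locate the certificate.
        private final String privateKey;

        TestParams(String sigAlgorithm, String privateKey) {
            this.sigAlgorithm = sigAlgorithm;
            this.privateKey = privateKey;
        }

        /**
         * Gives the run a readable name: the runner's {@code name = "{0}"} pattern formats this
         * object, which would otherwise print only its identity hash.
         */
        @Override
        public String toString() {
            return privateKey + " (" + sigAlgorithm + ")";
        }
    }

    /**
     * @param testParams fixture supplied by {@link #privateKeyParams()}
     */
    public OpenSSHCertificateParserTest(TestParams testParams) {
        this.params = testParams;
    }

    /**
     * Lists the fixtures to run against.
     *
     * <p>The ed25519 and ecdsa user keys are paired with an RSA signature algorithm, so the
     * first value describes the CA signature rather than the user key type (presumably every
     * fixture was signed by an RSA CA; confirm against the fixture generation script).
     *
     * @return the fixtures, in run order
     */
    @Parameterized.Parameters(name = "{0}")
    public static Iterable<? extends TestParams> privateKeyParams() {
        return Arrays.asList(
                new TestParams("rsa-sha2-256", "user01_rsa_sha2_256_2048"),
                new TestParams("rsa-sha2-512", "user01_rsa_sha2_512_2048"),
                new TestParams("rsa-sha2-256", "user01_rsa_sha2_256_4096"),
                new TestParams("rsa-sha2-512", "user01_rsa_sha2_512_4096"),
                new TestParams("rsa-sha2-512", "user01_ed25519"),
                new TestParams("rsa-sha2-512", "user01_ecdsa_256"),
                new TestParams("rsa-sha2-512", "user01_ecdsa_384"),
                new TestParams("rsa-sha2-512", "user01_ecdsa_521"));
    }

    /** @return classpath location of the certificate that belongs to the current fixture */
    private String getCertificateResource() {
        return USER_KEY_PATH + this.params.privateKey + "-cert.pub";
    }

    /**
     * Loads the certificate line, resolves it to a public key and checks every decoded field,
     * then verifies the CA signature.
     *
     * @throws Exception if the resource cannot be read, parsed or verified
     */
    @Test
    public void testParseCertificate() throws Exception {
        String resource = getCertificateResource();
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        try (InputStream certStream = loader.getResourceAsStream(resource)) {
            // getResourceAsStream returns null for a missing resource; fail with the path
            // instead of an unexplained error further down.
            assertNotNull("Certificate resource not found on classpath: " + resource, certStream);

            String certLine = GenericUtils.replaceWhitespaceAndTrim(
                    new String(IoUtils.toByteArray(certStream), StandardCharsets.UTF_8));
            PublicKeyEntry entry = PublicKeyEntry.parsePublicKeyEntry(certLine);
            PublicKey resolved = entry.resolvePublicKey(
                    (SessionContext) null, (Map) null, (PublicKeyEntryResolver) null);

            assertObjectInstanceOf("Must be OpenSshCertificate instance", OpenSshCertificate.class, resolved);
            OpenSshCertificate certificate = (OpenSshCertificate) resolved;

            assertEquals(Collections.singletonList("user01"), certificate.getPrincipals());
            assertEquals(OpenSshCertificate.Type.USER, certificate.getType());
            assertNotNull(certificate.getKeyType());
            assertEquals(0L, certificate.getSerial());
            assertEquals("user01", certificate.getId());

            // 0 and -1L (all 64 bits set when read as unsigned) look like the "always valid"
            // window of a certificate issued without a validity interval - confirm against
            // how the fixtures were generated.
            assertEquals(0L, certificate.getValidAfter());
            assertEquals(-1L, certificate.getValidBefore());

            assertTrue(certificate.getCriticalOptions().isEmpty());
            assertEquals(
                    Arrays.asList(
                            new OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
                            new OpenSshCertificate.CertificateOption("permit-agent-forwarding"),
                            new OpenSshCertificate.CertificateOption("permit-port-forwarding"),
                            new OpenSshCertificate.CertificateOption("permit-pty"),
                            new OpenSshCertificate.CertificateOption("permit-user-rc")),
                    certificate.getExtensions());
            assertEquals(this.params.sigAlgorithm, certificate.getSignatureAlgorithm());

            verifySignature(certificate);
        }
    }

    /**
     * Checks that the certificate's signature validates against the CA key it carries.
     *
     * <p>The algorithm named in the certificate must be one of the types equivalent to the CA
     * key type before a verifier is built, so a certificate naming an algorithm that does not
     * fit its CA key fails here rather than inside the verifier.
     *
     * @param openSshCertificate the parsed certificate
     * @throws Exception if the verifier cannot be initialised or fed
     */
    private void verifySignature(OpenSshCertificate openSshCertificate) throws Exception {
        PublicKey caKey = openSshCertificate.getCaPubKey();
        String caKeyType = KeyUtils.getKeyType(caKey);
        String algorithm = openSshCertificate.getSignatureAlgorithm();
        assertTrue("Invalid signature algorithm " + algorithm + " for key " + caKeyType,
                KeyUtils.getAllEquivalentKeyTypes(caKeyType).contains(algorithm));

        Signature verifier = (Signature) NamedFactory.create(BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE, algorithm);
        // Report an algorithm missing from the default preference list by name instead of
        // failing on the next call.
        assertNotNull("No signature factory for " + algorithm, verifier);

        verifier.initVerifier((SessionContext) null, caKey);
        verifier.update((SessionContext) null, openSshCertificate.getMessage());
        assertTrue("Signature should validate",
                verifier.verify((SessionContext) null, openSshCertificate.getSignature()));
    }
}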
