package org.apache.sshd.certificates;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import org.apache.sshd.certificate.OpenSshCertificateBuilder;
import org.apache.sshd.common.BaseBuilder;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.config.keys.PublicKeyEntry;
import org.apache.sshd.common.config.keys.PublicKeyEntryResolver;
import org.apache.sshd.common.config.keys.writer.openssh.OpenSSHKeyPairResourceWriter;
import org.apache.sshd.common.session.SessionContext;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.io.IoUtils;
import org.apache.sshd.util.test.BaseTestSupport;
import org.apache.sshd.util.test.CommonTestSupportUtils;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

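@RunWith(Parameterized.class)
/**
 * Round-trip test for OpenSSH user certificates: sign a user public key with
 * every CA key type in the test resource tree, write the certificate in
 * OpenSSH {@code .pub} form, parse it back and check that both the in-memory
 * and the re-parsed certificate carry a signature that verifies under the CA
 * public key and that all certificate fields survived the round trip.
 */
public class GenerateOpenSSHClientCertificateTest extends BaseTestSupport {
    private static final String CA_RESOURCE_PREFIX = "org/apache/sshd/client/opensshcerts/ca/";
    private static final String USER_RESOURCE_PREFIX = "org/apache/sshd/client/opensshcerts/user/";
    private static final String CERT_ID = "user01";

    /** Marker in a CA resource name after which the requested rsa-sha2 hash size follows. */
    private static final String RSA2_MARKER = "rsa2_";

    private final TestParams params;

    /** One (CA key, user key) pairing, both given as resource names (without extension). */
    public static class TestParams {
        final String caPrivateKey;
        final String privateKey;

        TestParams(String caPrivateKey, String privateKey) {
            this.caPrivateKey = caPrivateKey;
            this.privateKey = privateKey;
        }

        @Override
        public String toString() {
            return "TestParams{caPrivateKey='" + caPrivateKey + "', privateKey='" + privateKey + "'}";
        }
    }

    public GenerateOpenSSHClientCertificateTest(TestParams testParams) {
        this.params = testParams;
    }

    /**
     * Cross product of every CA key resource with every user key resource.
     *
     * @return the 36 combinations, CA-major order, each CA paired with the
     *         user keys in the order they are listed below
     */
    @Parameterized.Parameters(name = "{0}")
    public static Iterable<? extends TestParams> privateKeyParams() {
        String[] caKeys = {
            "ca_rsa2_256", "ca_rsa2_512", "ca_ed25519",
            "ca_ecdsa_256", "ca_ecdsa_384", "ca_ecdsa_521"
        };
        String[] userKeys = {
            "user01_rsa_sha2_256_4096", "user01_rsa_sha2_512_4096", "user01_ed25519",
            "user01_ecdsa_256", "user01_ecdsa_384", "user01_ecdsa_521"
        };
        TestParams[] combos = new TestParams[caKeys.length * userKeys.length];
        int index = 0;
        for (String ca : caKeys) {
            for (String user : userKeys) {
                combos[index++] = new TestParams(ca, user);
            }
        }
        return Arrays.asList(combos);
    }

    /** @return classpath resource of the CA private key for this parameter set */
    protected String getCAPrivateKeyResource() {
        return CA_RESOURCE_PREFIX + params.caPrivateKey;
    }

    /** @return classpath resource of the CA public key ({@code <private>.pub}) */
    protected String getCAPublicKeyResource() {
        return getCAPrivateKeyResource() + ".pub";
    }

    /** @return classpath resource of the user private key for this parameter set */
    protected String getClientPrivateKeyResource() {
        return USER_RESOURCE_PREFIX + params.privateKey;
    }

    /** @return classpath resource of the user public key ({@code <private>.pub}) */
    protected String getClientPublicKeyResource() {
        return getClientPrivateKeyResource() + ".pub";
    }

    /** @return classpath resource of the reference certificate ({@code <private>-cert.pub}) */
    protected String getOracle() {
        return getClientPrivateKeyResource() + "-cert.pub";
    }

    /**
     * Reads a single OpenSSH public-key entry from a classpath resource.
     *
     * @param resource classpath resource holding one {@code .pub}-style line
     * @return the resolved public key
     * @throws Exception if the resource cannot be read or the entry cannot be parsed;
     *                   a missing resource fails the test with an explicit message
     *                   instead of an NPE from the stream helper
     */
    protected PublicKey readPublicKeyFromResource(String resource) throws Exception {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        // try-with-resources tolerates a null resource (close is simply skipped),
        // so the missing-resource assertion can live inside the block.
        try (InputStream in = loader.getResourceAsStream(resource)) {
            assertNotNull("Missing test resource: " + resource, in);
            String entry = new String(IoUtils.toByteArray(in), StandardCharsets.UTF_8);
            return PublicKeyEntry.parsePublicKeyEntry(GenericUtils.replaceWhitespaceAndTrim(entry))
                    .resolvePublicKey((SessionContext) null, (Map<String, String>) null, (PublicKeyEntryResolver) null);
        }
    }

    /**
     * Parses an OpenSSH {@code .pub}-style line that must hold a certificate.
     *
     * @param entry the textual public-key entry
     * @return the decoded certificate
     * @throws Exception on parse failure; a non-certificate key fails the test
     */
    protected OpenSshCertificate readOpenSshCertificate(String entry) throws Exception {
        PublicKey key = PublicKeyEntry.parsePublicKeyEntry(GenericUtils.replaceWhitespaceAndTrim(entry))
                .resolvePublicKey((SessionContext) null, (Map<String, String>) null, (PublicKeyEntryResolver) null);
        if (!(key instanceof OpenSshCertificate)) {
            fail("Failed to decode a OpenSshCertificate from string data expected to be an OpenSSH Certificate");
        }
        return (OpenSshCertificate) key;
    }

    /**
     * Derives the signature algorithm to request from the CA resource name.
     *
     * @param caResource CA key resource name, e.g. {@code .../ca_rsa2_256}
     * @return {@code rsa-sha2-<bits>} when the name carries an {@code rsa2_} marker,
     *         otherwise {@code null} so the builder picks the key's default algorithm
     */
    private static String requestedSignatureAlgorithm(String caResource) {
        int marker = caResource.indexOf(RSA2_MARKER);
        if (marker <= 0) {
            return null;
        }
        return "rsa-sha2-" + caResource.substring(marker + RSA2_MARKER.length());
    }

    @Test
    public void signCertificate() throws Exception {
        PublicKey userKey = readPublicKeyFromResource(getClientPublicKeyResource());
        String caResource = getCAPrivateKeyResource();
        KeyPair caKeyPair = (KeyPair) CommonTestSupportUtils.createTestKeyPairProvider(caResource)
                .loadKeys((SessionContext) null).iterator().next();
        String signatureAlgorithm = requestedSignatureAlgorithm(caResource);

        OpenSshCertificate signed = OpenSshCertificateBuilder.userCertificate()
                .serial(0L)
                .publicKey(userKey)
                .id(CERT_ID)
                .principals(Collections.singletonList(CERT_ID))
                .extensions(Arrays.asList(
                        new OpenSshCertificate.CertificateOption("permit-X11-forwarding"),
                        new OpenSshCertificate.CertificateOption("permit-agent-forwarding"),
                        new OpenSshCertificate.CertificateOption("permit-port-forwarding"),
                        new OpenSshCertificate.CertificateOption("permit-pty"),
                        new OpenSshCertificate.CertificateOption("permit-user-rc")))
                .sign(caKeyPair, signatureAlgorithm);

        // Serialize in OpenSSH .pub form and parse back: the re-parsed copy must be
        // byte-for-byte equivalent and its signature must still verify.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        new OpenSSHKeyPairResourceWriter().writePublicKey(signed, CERT_ID, out);
        OpenSshCertificate reparsed = readOpenSshCertificate(new String(out.toByteArray(), StandardCharsets.UTF_8));

        verifySignature(signed, signatureAlgorithm);
        verifySignature(reparsed, signatureAlgorithm);
        assertCertsEqual(signed, reparsed);
    }

    /**
     * Checks that the certificate's signature algorithm is one of the types
     * equivalent to the CA key type (a certificate must not claim an algorithm
     * belonging to a different key family), matches the explicitly requested
     * algorithm when one was given, and that the signature verifies over the
     * certificate's signed message under the embedded CA public key.
     *
     * @param cert                certificate under test
     * @param expectedAlgorithm   algorithm requested at signing time, or {@code null} if the default was used
     */
    private void verifySignature(OpenSshCertificate cert, String expectedAlgorithm) throws Exception {
        PublicKey caPubKey = cert.getCaPubKey();
        String caKeyType = KeyUtils.getKeyType(caPubKey);
        String signatureAlgorithm = cert.getSignatureAlgorithm();
        assertTrue("Invalid signature algorithm " + signatureAlgorithm + " for key " + caKeyType,
                KeyUtils.getAllEquivalentKeyTypes(caKeyType).contains(signatureAlgorithm));
        if (expectedAlgorithm != null) {
            assertEquals("Unexpected signature algorithm", expectedAlgorithm, signatureAlgorithm);
        }

        Signature verifier = (Signature) NamedFactory.create(BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE, signatureAlgorithm);
        verifier.initVerifier((SessionContext) null, caPubKey);
        verifier.update((SessionContext) null, cert.getMessage());
        assertTrue("Signature should validate", verifier.verify((SessionContext) null, cert.getSignature()));
    }

    /** Field-by-field equality of two certificates; {@code expected} is the one produced by the builder. */
    private static void assertCertsEqual(OpenSshCertificate expected, OpenSshCertificate actual) {
        assertEquals(expected.getSerial(), actual.getSerial());
        assertEquals(expected.getType(), actual.getType());
        assertEquals(expected.getKeyType(), actual.getKeyType());
        assertArrayEquals(expected.getNonce(), actual.getNonce());
        assertEquals(expected.getCertPubKey(), actual.getCertPubKey());
        assertEquals(expected.getId(), actual.getId());
        assertEquals(expected.getPrincipals(), actual.getPrincipals());
        assertEquals(expected.getValidAfter(), actual.getValidAfter());
        assertEquals(expected.getValidBefore(), actual.getValidBefore());
        assertEquals(expected.getCriticalOptions(), actual.getCriticalOptions());
        assertEquals(expected.getExtensions(), actual.getExtensions());
        assertEquals(expected.getReserved(), actual.getReserved());
        assertEquals(expected.getCaPubKey(), actual.getCaPubKey());
        assertEquals(expected.getSignatureAlgorithm(), actual.getSignatureAlgorithm());
        assertArrayEquals(expected.getSignature(), actual.getSignature());
        assertArrayEquals(expected.getMessage(), actual.getMessage());
    }
}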
