package org.apache.wss4j.common.crypto;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.Loader;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.hamcrest.MatcherAssert;
import org.hamcrest.core.Is;
import org.hamcrest.core.IsEqual;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/apache/wss4j/common/crypto/NameConstraintsTest.class */
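/**
 * Exercises extraction and enforcement of the X.509 NameConstraints extension by the
 * {@link Merlin}, {@link MerlinAKI} and {@link CertificateStore} trust verifiers.
 *
 * <p>Three fixture chains are used: a self-signed certificate, a certificate signed
 * directly by the root, and one signed by an intermediate. The trust anchor for the
 * latter two lives in {@code nameconstraints.jks}. Each scenario is run with the JDK
 * default provider and with BouncyCastle; the "Breaking" tests pin the case where
 * name-constraint handling is switched on without the BC provider and is expected to
 * fail rather than silently accept the chain.
 *
 * <p>All tests are skipped on the IBM JDK, whose certificate-path implementation
 * the fixtures were not written for.
 */
public class NameConstraintsTest {
    private static final String KEY_ROOT = "keys/nameconstraints/";
    private static final String SELF_SIGNED = KEY_ROOT + "self_signed.p12";
    private static final String ROOT_SIGNED = KEY_ROOT + "root_signed.p12";
    private static final String INTERMEDIATE_SIGNED = KEY_ROOT + "intermediate_signed.p12";
    private static final String KEYSTORE = KEY_ROOT + "nameconstraints.jks";
    private static final char[] PASSWORD = "changeit".toCharArray();
    /** Subject DN pattern every verified chain is matched against. */
    private static final Pattern SUBJ_PATTERN = Pattern.compile(".*OU=wss4j,O=apache");
    private static final String NAME_CONSTRAINTS_PROPERTY =
        "org.apache.wss4j.crypto.merlin.cert.provider.nameconstraints";
    private static final String CERT_PROVIDER_PROPERTY =
        "org.apache.wss4j.crypto.merlin.cert.provider";
    /** DER tag of a SEQUENCE: what a raw NameConstraints extension value must start with. */
    private static final byte DER_SEQUENCE_TAG = (byte) 0x30;

    // "java.vendor" is always set by the JDK, but defaulting to "" avoids an NPE that
    // would abort the whole class instead of skipping it.
    private final boolean isIBMJdK = System.getProperty("java.vendor", "").contains("IBM");

    @BeforeEach
    public void setup() throws Exception {
        WSProviderConfig.init();
    }

    /**
     * Loads the JKS trust store containing the root CA, using Merlin's own resource
     * resolution so the lookup matches what the production code does.
     */
    private KeyStore getRootKeyStore() throws Exception {
        ClassLoader classLoader = Loader.getClassLoader(NameConstraintsTest.class);
        try (InputStream in = Merlin.loadInputStream(classLoader, KEYSTORE)) {
            return loadKeyStore(in, KEYSTORE);
        }
    }

    /** Loads the PKCS#12 store holding the self-signed certificate and its key. */
    private KeyStore getSelfKeyStore() throws Exception {
        ClassLoader classLoader = Loader.getClassLoader(NameConstraintsTest.class);
        try (InputStream in = classLoader.getResourceAsStream(SELF_SIGNED)) {
            return loadKeyStore(in, SELF_SIGNED);
        }
    }

    /**
     * Returns the certificate chain stored under the first alias of the given PKCS#12
     * resource, leaf first.
     *
     * @param resource classpath location of the store
     * @throws Exception if the store cannot be read; fails the test if the resource is
     *     missing, empty, or has no chain under its first alias
     */
    private X509Certificate[] getTestCertificateChain(String resource) throws Exception {
        ClassLoader classLoader = Loader.getClassLoader(NameConstraintsTest.class);
        KeyStore keyStore;
        try (InputStream in = classLoader.getResourceAsStream(resource)) {
            keyStore = loadKeyStore(in, resource);
        }
        Enumeration<String> aliases = keyStore.aliases();
        Assertions.assertTrue(aliases.hasMoreElements(), "No entries in " + resource);
        Certificate[] chain = keyStore.getCertificateChain(aliases.nextElement());
        Assertions.assertNotNull(chain, "No certificate chain in " + resource);
        // All fixture entries are X.509; arraycopy throws ArrayStoreException otherwise,
        // which is the desired loud failure for a bad fixture.
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        System.arraycopy(chain, 0, x509Chain, 0, chain.length);
        return x509Chain;
    }

    /**
     * Loads a key store of the JDK default type from {@code in}.
     *
     * <p>{@code KeyStore.load(null, ...)} silently yields an empty store, so a missing
     * resource is asserted explicitly here instead of surfacing later as an opaque
     * trust-verification failure.
     *
     * @param in stream positioned at the start of the store, or {@code null} if the
     *     resource was not found
     * @param resource the resource name, for the failure message only
     */
    private static KeyStore loadKeyStore(InputStream in, String resource) throws Exception {
        Assertions.assertNotNull(in, "Test resource not found on the classpath: " + resource);
        // The default type reads both JKS and PKCS#12 fixtures on the JDKs this test
        // targets; the store type is not otherwise significant to these tests.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(in, PASSWORD);
        return keyStore;
    }

    /**
     * The intermediate-signed chain carries NameConstraints only on its root, and the
     * raw extension value Merlin extracts must be exactly what {@link TrustAnchor} accepts.
     */
    @Test
    public void testNameConstraints() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        Merlin merlin = new Merlin();
        X509Certificate[] chain = getTestCertificateChain(INTERMEDIATE_SIGNED);
        Assertions.assertNull(merlin.getNameConstraints(chain[0]));
        Assertions.assertNull(merlin.getNameConstraints(chain[1]));
        byte[] nameConstraints = merlin.getNameConstraints(chain[2]);
        Assertions.assertNotNull(nameConstraints);
        // A wrapped OCTET STRING (tag 0x04) here would mean the extension was not unwrapped.
        MatcherAssert.assertThat("Tag byte is wrong", Byte.valueOf(nameConstraints[0]), Is.is(DER_SEQUENCE_TAG));
        MatcherAssert.assertThat("TrustAnchor constraints wrong",
            new TrustAnchor(chain[2], nameConstraints).getNameConstraints(),
            IsEqual.equalTo(nameConstraints));
    }

    @Test
    public void testNameConstraintsWithKeyStoreUsingMerlin() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withKeyStoreUsingMerlin(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), new Merlin());
        withKeyStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), new Merlin());
        withKeyStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), new Merlin());
    }

    @Test
    public void testNameConstraintsWithTrustStoreUsingMerlin() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withTrustStoreUsingMerlin(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), new Merlin());
        withTrustStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), new Merlin());
        withTrustStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), new Merlin());
    }

    @Test
    public void testNameConstraintsWithKeyStoreUsingMerlinAki() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withKeyStoreUsingMerlinAKI(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), new MerlinAKI());
        withKeyStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), new MerlinAKI());
        withKeyStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), new MerlinAKI());
    }

    @Test
    public void testNameConstraintsWithTrustStoreUsingMerlinAki() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withTrustStoreUsingMerlinAKI(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), new MerlinAKI());
        withTrustStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), new MerlinAKI());
        withTrustStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), new MerlinAKI());
    }

    @Test
    public void testNameConstraintsWithKeyStoreUsingMerlinBc() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withKeyStoreUsingMerlin(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), getMerlinBc());
        withKeyStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), getMerlinBc());
        withKeyStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), getMerlinBc());
    }

    @Test
    public void testNameConstraintsWithTrustStoreUsingMerlinBc() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withTrustStoreUsingMerlin(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), getMerlinBc());
        withTrustStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), getMerlinBc());
        withTrustStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), getMerlinBc());
    }

    @Test
    public void testNameConstraintsWithKeyStoreUsingMerlinAkiBc() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withKeyStoreUsingMerlinAKI(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), getMerlinAkiBc());
        withKeyStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), getMerlinAkiBc());
        withKeyStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), getMerlinAkiBc());
    }

    @Test
    public void testNameConstraintsWithTrustStoreUsingMerlinAkiBc() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        withTrustStoreUsingMerlinAKI(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED), getMerlinAkiBc());
        withTrustStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), getMerlinAkiBc());
        withTrustStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED), getMerlinAkiBc());
    }

    /**
     * Name-constraint handling enabled without the BC provider must reject the
     * root-signed chain rather than pass it.
     */
    @Test
    public void testNameConstraintsWithKeyStoreUsingMerlinBreaking() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        Merlin merlin = new Merlin(nameConstraintsProperties(), getClass().getClassLoader(), (PasswordEncryptor) null);
        // NOTE(review): Exception.class is broad enough that a missing fixture would also
        // satisfy it; narrow to the exception type verifyTrust actually raises if known.
        Assertions.assertThrows(Exception.class, () -> {
            withKeyStoreUsingMerlin(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), merlin);
        });
    }

    /** Same expectation as {@link #testNameConstraintsWithKeyStoreUsingMerlinBreaking()} for MerlinAKI. */
    @Test
    public void testNameConstraintsWithKeyStoreUsingMerlinAkiBreaking() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        MerlinAKI merlinAKI = new MerlinAKI(nameConstraintsProperties(), getClass().getClassLoader(), (PasswordEncryptor) null);
        // NOTE(review): see the Merlin variant above regarding the breadth of Exception.class.
        Assertions.assertThrows(Exception.class, () -> {
            withKeyStoreUsingMerlinAKI(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED), merlinAKI);
        });
    }

    @Test
    public void testNameConstraintsUsingCertificateStore() throws Exception {
        Assumptions.assumeFalse(this.isIBMJdK);
        usingCertificateStore(getSelfKeyStore(), getTestCertificateChain(SELF_SIGNED));
        usingCertificateStore(getRootKeyStore(), getTestCertificateChain(ROOT_SIGNED));
        usingCertificateStore(getRootKeyStore(), getTestCertificateChain(INTERMEDIATE_SIGNED));
    }

    /** Verifies {@code chain} against {@code keyStore} installed as Merlin's key store. */
    private void withKeyStoreUsingMerlin(KeyStore keyStore, X509Certificate[] chain, Merlin merlin) throws Exception {
        merlin.setKeyStore(keyStore);
        merlin.verifyTrust(chain, false, Collections.singletonList(SUBJ_PATTERN));
    }

    /** Verifies {@code chain} against {@code keyStore} installed as Merlin's trust store. */
    private void withTrustStoreUsingMerlin(KeyStore keyStore, X509Certificate[] chain, Merlin merlin) throws Exception {
        merlin.setTrustStore(keyStore);
        merlin.verifyTrust(chain, false, Collections.singletonList(SUBJ_PATTERN));
    }

    /** Verifies {@code chain} against {@code keyStore} installed as MerlinAKI's key store. */
    private void withKeyStoreUsingMerlinAKI(KeyStore keyStore, X509Certificate[] chain, MerlinAKI merlinAKI) throws Exception {
        merlinAKI.setKeyStore(keyStore);
        merlinAKI.verifyTrust(chain, false, Collections.singletonList(SUBJ_PATTERN));
    }

    /** Verifies {@code chain} against {@code keyStore} installed as MerlinAKI's trust store. */
    private void withTrustStoreUsingMerlinAKI(KeyStore keyStore, X509Certificate[] chain, MerlinAKI merlinAKI) throws Exception {
        merlinAKI.setTrustStore(keyStore);
        merlinAKI.verifyTrust(chain, false, Collections.singletonList(SUBJ_PATTERN));
    }

    /**
     * Verifies {@code chain} with a {@link CertificateStore} built from every certificate
     * in {@code keyStore}.
     */
    private void usingCertificateStore(KeyStore keyStore, X509Certificate[] chain) throws Exception {
        List<X509Certificate> trusted = new ArrayList<>();
        for (String alias : Collections.list(keyStore.aliases())) {
            trusted.add((X509Certificate) keyStore.getCertificate(alias));
        }
        CertificateStore store = new CertificateStore(trusted.toArray(new X509Certificate[0]));
        store.verifyTrust(chain, false, Collections.singletonList(SUBJ_PATTERN));
    }

    /** A Merlin configured to use BouncyCastle for certificate handling, with name constraints on. */
    private Merlin getMerlinBc() throws WSSecurityException, IOException {
        ensureBouncyCastleInstalled();
        return new Merlin(bcNameConstraintsProperties(), getClass().getClassLoader(), (PasswordEncryptor) null);
    }

    /** A MerlinAKI configured to use BouncyCastle for certificate handling, with name constraints on. */
    private MerlinAKI getMerlinAkiBc() throws WSSecurityException, IOException {
        ensureBouncyCastleInstalled();
        return new MerlinAKI(bcNameConstraintsProperties(), getClass().getClassLoader(), (PasswordEncryptor) null);
    }

    /** Registers the BC provider once; Security.addProvider is a no-op if already present. */
    private static void ensureBouncyCastleInstalled() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** Properties that turn on name-constraint handling without changing the provider. */
    private static Properties nameConstraintsProperties() {
        Properties properties = new Properties();
        properties.setProperty(NAME_CONSTRAINTS_PROPERTY, "true");
        return properties;
    }

    /** {@link #nameConstraintsProperties()} plus selection of the BC certificate provider. */
    private static Properties bcNameConstraintsProperties() {
        Properties properties = nameConstraintsProperties();
        properties.setProperty(CERT_PROVIDER_PROPERTY, BouncyCastleProvider.PROVIDER_NAME);
        return properties;
    }
}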
