package net.ripe.rpki.commons.crypto.cms.manifest;

import java.math.BigInteger;
import java.net.URI;
import java.security.KeyPair;
import java.util.EnumSet;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms;
import net.ripe.rpki.commons.crypto.crl.CrlLocator;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder;
import net.ripe.rpki.commons.crypto.util.KeyPairFactoryTest;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateTest;
import net.ripe.rpki.commons.validation.ValidationCheck;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationStatus;
import net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext;
import org.easymock.EasyMock;
import org.easymock.IAnswer;
import org.joda.time.DateTime;
import org.joda.time.DateTimeUtils;
import org.joda.time.DateTimeZone;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/cms/manifest/ManifestCmsTest.class */
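/**
 * Unit tests for {@link ManifestCms}: signature verification, per-file hash checks and
 * validation of a manifest against a self-signed root certificate and its CRL.
 *
 * <p>The clock is pinned to {@link #THIS_UPDATE_TIME} through Joda-Time's {@link DateTimeUtils}
 * for the duration of each test, so every {@code new DateTime()} in the fixtures is deterministic.
 * Key pairs come from {@link KeyPairFactoryTest} and are test fixtures only.
 *
 * <p>The static {@code getRootManifest*} factories and {@link #MANIFEST_KEY_PAIR} are public,
 * presumably so that other test classes can reuse them; their signatures are kept as they are.
 */
public class ManifestCmsTest {
    private static final URI ROOT_CERTIFICATE_LOCATION = URI.create("rsync://foo.host/bar/bar.cer");
    private static final URI ROOT_SIA_MANIFEST_RSYNC_LOCATION = URI.create("rsync://foo.host/bar/manifest.mft");
    private static final URI ROOT_MANIFEST_CRL_LOCATION = URI.create("rsync://foo.host/bar/bar.crl");
    private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212");
    private static final KeyPair ROOT_KEY_PAIR = KeyPairFactoryTest.TEST_KEY_PAIR;
    public static final KeyPair MANIFEST_KEY_PAIR = KeyPairFactoryTest.SECOND_TEST_KEY_PAIR;
    private static final X500Principal MANIFEST_DN = new X500Principal("CN=manifest");

    // Literal file contents ("abc" / "def" in ASCII). The references are final so that no test
    // can swap the fixture for another array; the arrays themselves must still not be written to.
    private static final byte[] FOO_CONTENTS = {97, 98, 99};
    private static final byte[] BAR_CONTENTS = {100, 101, 102};

    private static final DateTime THIS_UPDATE_TIME = new DateTime(2008, 9, 1, 22, 43, 29, 0, DateTimeZone.UTC);
    private static final DateTime NEXT_UPDATE_TIME = new DateTime(2008, 9, 2, 6, 43, 29, 0, DateTimeZone.UTC);
    private static final ValidationOptions VALIDATION_OPTIONS = new ValidationOptions();

    // 128 == 0x80. NOTE(review): this looks like the digitalSignature bit of the X.509 KeyUsage
    // extension (the named constant appears to have been inlined) - confirm against the builder.
    private static final int EE_KEY_USAGE = 128;

    private CrlLocator crlLocator;
    private ManifestCms subject;
    private X509ResourceCertificate rootCertificate;

    /**
     * Builds the manifest used as the test subject: two entries ("foo1" and "BaR") signed with
     * the private half of {@link #MANIFEST_KEY_PAIR}.
     *
     * @return a freshly built manifest CMS object
     */
    public static ManifestCms getRootManifestCms() {
        ManifestCmsBuilder builder = getRootManifestBuilder();
        builder.addFile("foo1", FOO_CONTENTS);
        builder.addFile("BaR", BAR_CONTENTS);
        return builder.build(MANIFEST_KEY_PAIR.getPrivate());
    }

    /** Pins the clock to {@link #THIS_UPDATE_TIME} and creates the fixtures shared by all tests. */
    @Before
    public void setUp() {
        DateTimeUtils.setCurrentMillisFixed(THIS_UPDATE_TIME.getMillis());
        this.rootCertificate = getRootResourceCertificate();
        this.crlLocator = EasyMock.createMock(CrlLocator.class);
        this.subject = getRootManifestCms();
    }

    /** Restores the system clock so the fixed time cannot leak into other test classes. */
    @After
    public void tearDown() {
        DateTimeUtils.setCurrentMillisSystem();
    }

    /** The manifest must verify against the EE certificate embedded in it. */
    @Test
    public void shouldVerifySignature() {
        Assert.assertTrue(this.subject.signedBy(this.subject.getCertificate()));
    }

    /**
     * Matching contents are accepted and contents belonging to a different entry are rejected,
     * both through {@code verifyFileContents} and through the entry's content specification.
     */
    @Test
    public void shouldVerifyFileContents() {
        Assert.assertTrue(this.subject.verifyFileContents("foo1", FOO_CONTENTS));
        Assert.assertFalse(this.subject.verifyFileContents("BaR", FOO_CONTENTS));

        ManifestCms.FileContentSpecification barSpecification = this.subject.getFileContentSpecification("BaR");
        Assert.assertTrue(barSpecification.isSatisfiedBy(BAR_CONTENTS));
        Assert.assertFalse(barSpecification.isSatisfiedBy(FOO_CONTENTS));
    }

    /** A current manifest with a retrievable CRL validates without any failure. */
    @Test
    public void shouldValidateManifestCms() {
        X509Crl rootCrl = getRootCrl();
        CertificateRepositoryObjectValidationContext context = newRootValidationContext();
        ValidationResult validationResult = new ValidationResult();

        EasyMock.expect(this.crlLocator.getCrl(ROOT_MANIFEST_CRL_LOCATION, context, validationResult)).andReturn(rootCrl);
        EasyMock.replay(this.crlLocator);

        this.subject.validate(ROOT_SIA_MANIFEST_RSYNC_LOCATION.toString(), context, this.crlLocator, VALIDATION_OPTIONS, validationResult);

        EasyMock.verify(this.crlLocator);
        Assert.assertEquals(0L, validationResult.getFailuresForCurrentLocation().size());
        Assert.assertFalse(validationResult.hasFailures());
    }

    /**
     * When the CRL locator reports a bad CRL signature and returns no CRL, the manifest must not
     * validate. The failure is recorded under the CRL's location, and the result's current
     * location is the manifest again once {@code validate} returns.
     */
    @Test
    public void shouldNotValidateWithInvalidCrl() {
        CertificateRepositoryObjectValidationContext context = newRootValidationContext();
        final ValidationResult validationResult = new ValidationResult();
        validationResult.setLocation(new ValidationLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION));
        final ValidationLocation crlLocation = new ValidationLocation(ROOT_MANIFEST_CRL_LOCATION);

        EasyMock.expect(this.crlLocator.getCrl(ROOT_MANIFEST_CRL_LOCATION, context, validationResult)).andAnswer(new IAnswer<X509Crl>() {
            // The method has to be named answer(): under the decompiler-assigned name m2answer()
            // the anonymous class does not implement IAnswer and the file does not compile.
            @Override
            public X509Crl answer() throws Throwable {
                // While the CRL is being fetched the result must already point at the CRL.
                Assert.assertEquals(crlLocation, validationResult.getCurrentLocation());
                validationResult.rejectIfFalse(false, "cert.crl.signature", new String[0]);
                return null;
            }
        });
        EasyMock.replay(this.crlLocator);

        this.subject.validate(ROOT_SIA_MANIFEST_RSYNC_LOCATION.toString(), context, this.crlLocator, VALIDATION_OPTIONS, validationResult);

        EasyMock.verify(this.crlLocator);
        Assert.assertTrue(validationResult.hasFailureForCurrentLocation());
        Assert.assertEquals(new ValidationLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION), validationResult.getCurrentLocation());
        Assert.assertTrue(validationResult.hasFailureForLocation(crlLocation));
        Assert.assertTrue(validationResult.getAllValidationChecksForLocation(new ValidationLocation(ROOT_MANIFEST_CRL_LOCATION)).contains(new ValidationCheck(ValidationStatus.ERROR, "cert.crl.signature", new String[0])));
    }

    /**
     * One day past nextUpdate with {@code maxStaleDays} at {@link Integer#MAX_VALUE}: the stale
     * manifest is reported as a warning only.
     *
     * <p>NOTE(review): with this setting the age of a manifest never causes a rejection, so a
     * relying party configured like this would keep accepting an old but correctly signed
     * manifest; the value is a test extreme, not a recommended configuration.
     */
    @Test
    public void shouldWarnWhenManifestIsStale() {
        // Built while the clock still reads THIS_UPDATE_TIME, so the CRL's own nextUpdate
        // (thisUpdate + 8h) is also in the past once the clock is moved below.
        X509Crl rootCrl = getRootCrl();
        DateTimeUtils.setCurrentMillisFixed(NEXT_UPDATE_TIME.plusDays(1).getMillis());
        CertificateRepositoryObjectValidationContext context = newRootValidationContext();
        ValidationOptions lenientOptions = new ValidationOptions();
        lenientOptions.setMaxStaleDays(Integer.MAX_VALUE);
        ValidationResult validationResult = new ValidationResult();

        EasyMock.expect(this.crlLocator.getCrl(ROOT_MANIFEST_CRL_LOCATION, context, validationResult)).andReturn(rootCrl);
        EasyMock.replay(this.crlLocator);

        this.subject.validate(ROOT_SIA_MANIFEST_RSYNC_LOCATION.toString(), context, this.crlLocator, lenientOptions, validationResult);

        EasyMock.verify(this.crlLocator);
        Assert.assertFalse(validationResult.hasFailures());
        Assert.assertEquals(0L, validationResult.getFailuresForCurrentLocation().size());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.WARNING, "cert.not.valid.after", new String[]{NEXT_UPDATE_TIME.toString()}), validationResult.getResult(new ValidationLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION), "cert.not.valid.after"));
    }

    /**
     * One day past nextUpdate with {@code maxStaleDays} at zero: both the expired EE certificate
     * and the passed nextUpdate are reported as errors.
     */
    @Test
    public void shouldRejectWhenManifestIsTooStale() {
        X509Crl rootCrl = getRootCrl();
        DateTimeUtils.setCurrentMillisFixed(NEXT_UPDATE_TIME.plusDays(1).getMillis());
        CertificateRepositoryObjectValidationContext context = newRootValidationContext();
        ValidationOptions strictOptions = new ValidationOptions();
        strictOptions.setMaxStaleDays(0);
        ValidationResult validationResult = new ValidationResult();

        EasyMock.expect(this.crlLocator.getCrl(ROOT_MANIFEST_CRL_LOCATION, context, validationResult)).andReturn(rootCrl);
        EasyMock.replay(this.crlLocator);

        this.subject.validate(ROOT_SIA_MANIFEST_RSYNC_LOCATION.toString(), context, this.crlLocator, strictOptions, validationResult);

        EasyMock.verify(this.crlLocator);
        Assert.assertTrue(validationResult.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.ERROR, "cert.not.valid.after", new String[]{NEXT_UPDATE_TIME.toString()}), validationResult.getResult(new ValidationLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION), "cert.not.valid.after"));
        Assert.assertEquals(new ValidationCheck(ValidationStatus.ERROR, "mf.past.next.update", new String[0]), validationResult.getResult(new ValidationLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION), "mf.past.next.update"));
    }

    /**
     * A manifest whose EE certificate outlives the manifest's nextUpdate by a day still
     * validates, but the mismatch is reported as a warning.
     */
    @Test
    public void shouldWarnAboutInconsistentValidityTimes() {
        ManifestCms inconsistentManifest = getManifestWithInconsistentValidityTimes();
        X509Crl rootCrl = getRootCrl();
        CertificateRepositoryObjectValidationContext context = newRootValidationContext();
        ValidationResult validationResult = new ValidationResult();
        validationResult.setLocation(new ValidationLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION));

        EasyMock.expect(this.crlLocator.getCrl(ROOT_MANIFEST_CRL_LOCATION, context, validationResult)).andReturn(rootCrl);
        EasyMock.replay(this.crlLocator);

        inconsistentManifest.validate(ROOT_SIA_MANIFEST_RSYNC_LOCATION.toString(), context, this.crlLocator, VALIDATION_OPTIONS, validationResult);

        EasyMock.verify(this.crlLocator);
        Assert.assertEquals(0L, validationResult.getFailuresForCurrentLocation().size());
        Assert.assertFalse(validationResult.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.WARNING, "mf.validity.inconsistent", new String[0]), validationResult.getResult(new ValidationLocation(ROOT_SIA_MANIFEST_RSYNC_LOCATION), "mf.validity.inconsistent"));
    }

    /** Creates the validation context rooted at the self-signed test certificate. */
    private CertificateRepositoryObjectValidationContext newRootValidationContext() {
        return new CertificateRepositoryObjectValidationContext(ROOT_CERTIFICATE_LOCATION, this.rootCertificate, this.rootCertificate.getResources());
    }

    /** Builds the root CRL, signed with the root private key. */
    private X509Crl getRootCrl() {
        return getRootCrlBuilder().build(ROOT_KEY_PAIR.getPrivate());
    }

    /**
     * Builds the self-signed root CA certificate: it holds {@link #ROOT_RESOURCE_SET}, points
     * its manifest SIA at the manifest location and its CRL distribution point at the root CRL.
     */
    private X509ResourceCertificate getRootResourceCertificate() {
        X509ResourceCertificateBuilder builder = X509ResourceCertificateTest.createSelfSignedCaResourceCertificateBuilder();
        builder.withResources(ROOT_RESOURCE_SET);
        builder.withPublicKey(ROOT_KEY_PAIR.getPublic());
        builder.withSigningKeyPair(ROOT_KEY_PAIR);
        builder.withSubjectInformationAccess(new X509CertificateInformationAccessDescriptor[]{new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST, ROOT_SIA_MANIFEST_RSYNC_LOCATION)});
        builder.withCrlDistributionPoints(new URI[]{ROOT_MANIFEST_CRL_LOCATION});
        return builder.build();
    }

    /**
     * Prepares a CRL builder for the root: thisUpdate is "now" on the (fixed) Joda clock and
     * nextUpdate is eight hours later.
     */
    private X509CrlBuilder getRootCrlBuilder() {
        X509CrlBuilder builder = new X509CrlBuilder();
        builder.withIssuerDN(X509ResourceCertificateTest.TEST_SELF_SIGNED_CERTIFICATE_NAME);
        builder.withThisUpdateTime(new DateTime());
        builder.withNextUpdateTime(new DateTime().plusHours(8));
        builder.withNumber(BigInteger.TEN);
        builder.withAuthorityKeyIdentifier(ROOT_KEY_PAIR.getPublic());
        builder.withSignatureProvider("SunRsaSign");
        return builder;
    }

    /**
     * Builds a manifest whose EE certificate is valid one day longer than the manifest's own
     * nextUpdate. The manifest carries no file entries.
     */
    private static ManifestCms getManifestWithInconsistentValidityTimes() {
        ManifestCmsBuilder builder = getRootManifestBuilder();
        builder.withCertificate(getManifestEEResourceCertificateBuilder(new ValidityPeriod(THIS_UPDATE_TIME, NEXT_UPDATE_TIME.plusDays(1))).build());
        return builder.build(MANIFEST_KEY_PAIR.getPrivate());
    }

    /**
     * Returns a manifest builder valid from {@link #THIS_UPDATE_TIME} to {@link #NEXT_UPDATE_TIME}.
     *
     * @return a builder without file entries; callers add files and call {@code build}
     */
    public static ManifestCmsBuilder getRootManifestBuilder() {
        return getRootManifestBuilder(new ValidityPeriod(THIS_UPDATE_TIME, NEXT_UPDATE_TIME));
    }

    /**
     * Returns a manifest builder whose EE certificate validity and thisUpdate/nextUpdate times
     * are all taken from the given period.
     *
     * @param validityPeriod period used for the EE certificate and the manifest update times
     * @return a builder without file entries; callers add files and call {@code build}
     */
    public static ManifestCmsBuilder getRootManifestBuilder(ValidityPeriod validityPeriod) {
        ManifestCmsBuilder builder = new ManifestCmsBuilder();
        builder.withCertificate(getManifestEEResourceCertificateBuilder(validityPeriod).build());
        builder.withManifestNumber(BigInteger.valueOf(68L));
        builder.withThisUpdateTime(validityPeriod.getNotValidBefore()).withNextUpdateTime(validityPeriod.getNotValidAfter());
        builder.withSignatureProvider("SunRsaSign");
        return builder;
    }

    /**
     * Prepares the builder for the manifest's EE certificate: not a CA, issued and signed by the
     * root key pair, inheriting all resource types, with the root CRL as distribution point.
     *
     * @param validityPeriod validity period of the EE certificate
     */
    private static X509ResourceCertificateBuilder getManifestEEResourceCertificateBuilder(ValidityPeriod validityPeriod) {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withCa(false);
        builder.withKeyUsage(EE_KEY_USAGE);
        builder.withSubjectDN(MANIFEST_DN);
        builder.withIssuerDN(X509ResourceCertificateTest.TEST_SELF_SIGNED_CERTIFICATE_NAME);
        builder.withSerial(BigInteger.ONE);
        builder.withPublicKey(MANIFEST_KEY_PAIR.getPublic());
        builder.withSigningKeyPair(ROOT_KEY_PAIR);
        builder.withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class));
        builder.withValidityPeriod(validityPeriod);
        builder.withCrlDistributionPoints(new URI[]{ROOT_MANIFEST_CRL_LOCATION});
        return builder;
    }
}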
