package net.ripe.rpki.commons.crypto.cms.roa;

import java.math.BigInteger;
import java.net.URI;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResource;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.crl.CrlLocator;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.crl.X509CrlTest;
import net.ripe.rpki.commons.crypto.util.KeyPairFactoryTest;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder;
import net.ripe.rpki.commons.util.UTC;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext;
import org.joda.time.DateTime;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/cms/roa/RoaCmsTest.class */
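/**
 * Tests for {@link RoaCms}: object generation, signature verification, rejection of unsuitable
 * embedded certificates, and revocation status after validation against a CRL.
 *
 * <p>The public static members double as fixture factories (see {@link #createRoaCms(List)},
 * {@link #getRoaCms()} and {@link #createCertificate(List)}).
 */
public class RoaCmsTest {
    public static final X500Principal TEST_DN = new X500Principal("CN=issuer");
    // Shared fixture key pair. createCertificateBuilder uses it as both the subject key and the
    // signing key (with TEST_DN as issuer and subject), so the certificates built here are
    // self-signed test material.
    public static final KeyPair TEST_KEY_PAIR = KeyPairFactoryTest.TEST_KEY_PAIR;
    public static final URI TEST_ROA_LOCATION = URI.create("rsync://certificate/repository/filename.roa");
    private static final URI CRL_DP = URI.create("rsync://certificate/repository/filename.crl");
    // Serial number of the certificate embedded in the ROA; the revocation tests list this
    // serial (or a different one) in the CRL.
    public static final BigInteger ROA_CERT_SERIAL = BigInteger.TEN;
    private List<RoaPrefix> ipv4Prefixes;
    private List<RoaPrefix> allPrefixes;
    private IpResourceSet allResources;
    private RoaCms subject;

    /** Builds the prefix lists, the matching resource set and the ROA under test. */
    @Before
    public void setUp() {
        ipv4Prefixes = new ArrayList<RoaPrefix>();
        ipv4Prefixes.add(RoaCmsParserTest.TEST_IPV4_PREFIX_1);
        ipv4Prefixes.add(RoaCmsParserTest.TEST_IPV4_PREFIX_2);
        allPrefixes = new ArrayList<RoaPrefix>(ipv4Prefixes);
        allPrefixes.add(RoaCmsParserTest.TEST_IPV6_PREFIX);
        allResources = toResources(allPrefixes);
        subject = createRoaCms(allPrefixes);
    }

    /**
     * Builds a ROA for {@code RoaCmsParserTest.TEST_ASN} covering the given prefixes, signed with
     * the private key of {@link #TEST_KEY_PAIR}.
     *
     * @param prefixes prefixes to place in the ROA and in the embedded certificate's resources
     * @return the signed ROA
     */
    public static RoaCms createRoaCms(List<RoaPrefix> prefixes) {
        RoaCmsBuilder builder = new RoaCmsBuilder();
        builder.withCertificate(createCertificate(prefixes)).withAsn(RoaCmsParserTest.TEST_ASN);
        builder.withPrefixes(prefixes);
        builder.withSignatureProvider("SunRsaSign");
        return builder.build(TEST_KEY_PAIR.getPrivate());
    }

    /**
     * Returns the ROA that {@link #setUp()} produces, for use outside this test class.
     *
     * @return a ROA built from the default test prefixes
     */
    public static RoaCms getRoaCms() {
        RoaCmsTest fixture = new RoaCmsTest();
        fixture.setUp();
        return fixture.subject;
    }

    /**
     * Builds the certificate embedded in a test ROA, holding exactly the resources of the given
     * prefixes.
     *
     * @param prefixes prefixes whose IP resources the certificate should carry
     * @return the built certificate
     */
    public static X509ResourceCertificate createCertificate(List<RoaPrefix> prefixes) {
        return createCertificateBuilder(toResources(prefixes)).build();
    }

    /** Collects the IP resource of every prefix into a fresh resource set. */
    private static IpResourceSet toResources(List<RoaPrefix> prefixes) {
        IpResourceSet resources = new IpResourceSet();
        for (RoaPrefix prefix : prefixes) {
            resources.add(prefix.getPrefix());
        }
        return resources;
    }

    /**
     * Returns a pre-configured builder for a non-CA certificate with serial
     * {@link #ROA_CERT_SERIAL}; tests override single settings (for example {@code withCa(true)})
     * before calling {@code build()}.
     */
    private static X509ResourceCertificateBuilder createCertificateBuilder(IpResourceSet ipResourceSet) {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withCa(false).withIssuerDN(TEST_DN).withSubjectDN(TEST_DN).withSerial(ROA_CERT_SERIAL);
        builder.withPublicKey(TEST_KEY_PAIR.getPublic());
        builder.withSigningKeyPair(TEST_KEY_PAIR);
        // Start one minute in the past so the certificate is already inside its validity window.
        DateTime now = UTC.dateTime();
        builder.withValidityPeriod(new ValidityPeriod(now.minusMinutes(1), now.plusYears(1)));
        builder.withResources(ipResourceSet);
        builder.withCrlDistributionPoints(new URI[]{CRL_DP});
        builder.withSubjectInformationAccess(new X509CertificateInformationAccessDescriptor[]{
                new X509CertificateInformationAccessDescriptor(
                        X509CertificateInformationAccessDescriptor.ID_AD_SIGNED_OBJECT, TEST_ROA_LOCATION)});
        return builder;
    }

    @Test
    public void shouldGenerateRoaCms() {
        Assert.assertEquals(RoaCmsParserTest.TEST_ASN, subject.getAsn());
        Assert.assertEquals(allPrefixes, subject.getPrefixes());
        Assert.assertEquals(allResources, subject.getResources());
    }

    @Test
    public void shouldVerifySignature() {
        Assert.assertTrue(subject.signedBy(subject.getCertificate()));
    }

    // NOTE(review): expected= covers the whole statement, including the certificate builder's
    // own build(); this test does not pin which call rejects the CA certificate.
    @Test(expected = IllegalArgumentException.class)
    public void shouldRejectCaCertificateInRoa() {
        X509ResourceCertificate caCertificate =
                createCertificateBuilder(toResources(allPrefixes)).withCa(true).build();
        subject = new RoaCmsBuilder()
                .withAsn(RoaCmsParserTest.TEST_ASN)
                .withPrefixes(allPrefixes)
                .withCertificate(caCertificate)
                .build(TEST_KEY_PAIR.getPrivate());
    }

    // NOTE(review): as above, the expected exception may come from either build() call.
    @Test(expected = IllegalArgumentException.class)
    public void shouldRequireSubjectKeyIdentifier() {
        X509ResourceCertificate certificateWithoutSki =
                createCertificateBuilder(toResources(allPrefixes)).withSubjectKeyIdentifier(false).build();
        subject = new RoaCmsBuilder()
                .withAsn(RoaCmsParserTest.TEST_ASN)
                .withPrefixes(allPrefixes)
                .withCertificate(certificateWithoutSki)
                .build(TEST_KEY_PAIR.getPrivate());
    }

    @Test
    public void shouldUseNotValidBeforeTimeForSigningTime() {
        RoaCms roaCms = createRoaCms(allPrefixes);
        Assert.assertEquals(roaCms.getCertificate().getValidityPeriod().getNotValidBefore(), roaCms.getSigningTime());
    }

    @Test
    public void shouldPastValidityTimeForCmsBeTheSameAsTheCertificate() {
        boolean certificatePastValidity = subject.getCertificate().isPastValidityTime();
        boolean cmsPastValidity = subject.isPastValidityTime();
        Assert.assertEquals(certificatePastValidity, cmsPastValidity);
    }

    @Test
    public void shouldBeRevoked() {
        validateSubjectAgainstCrlRevoking(ROA_CERT_SERIAL);
        Assert.assertTrue("ROA must be revoked", subject.isRevoked());
    }

    @Test
    public void shouldNotBeRevoked() {
        CrlLocator crlLocator = validateSubjectAgainstCrlRevoking(ROA_CERT_SERIAL.add(BigInteger.ONE));
        // Without this check the assertion below would also pass if validation never looked at
        // the CRL. shouldBeRevoked runs the same setup and only passes when the stubbed CRL is
        // read, so the same lookup is expected here.
        Mockito.verify(crlLocator, Mockito.atLeastOnce()).getCrl(
                Mockito.any(URI.class),
                Mockito.any(CertificateRepositoryObjectValidationContext.class),
                Mockito.any(ValidationResult.class));
        Assert.assertFalse("ROA must not be revoked", subject.isRevoked());
    }

    /**
     * Validates {@code subject} with a mocked {@link CrlLocator} that always returns a CRL
     * signed by {@link #TEST_KEY_PAIR} and listing {@code revokedSerial} as revoked one day ago.
     *
     * <p>NOTE(review): the {@link ValidationResult} is discarded, so the revocation tests do not
     * show whether validation reported any other failure.
     *
     * @param revokedSerial certificate serial number to list in the CRL
     * @return the mock locator, so callers can verify how it was used
     */
    private CrlLocator validateSubjectAgainstCrlRevoking(BigInteger revokedSerial) {
        CertificateRepositoryObjectValidationContext context =
                new CertificateRepositoryObjectValidationContext(subject.getParentCertificateUri(), subject.getCertificate());
        X509Crl crl = X509CrlTest.getCrlBuilder()
                .withAuthorityKeyIdentifier(TEST_KEY_PAIR.getPublic())
                .addEntry(revokedSerial, DateTime.now().minusDays(1))
                .build(TEST_KEY_PAIR.getPrivate());
        CrlLocator crlLocator = Mockito.mock(CrlLocator.class);
        Mockito.when(crlLocator.getCrl(
                Mockito.any(URI.class),
                Mockito.any(CertificateRepositoryObjectValidationContext.class),
                Mockito.any(ValidationResult.class))).thenReturn(crl);
        subject.validate(TEST_ROA_LOCATION.toString(), context, crlLocator, new ValidationOptions(),
                ValidationResult.withLocation(TEST_ROA_LOCATION));
        return crlLocator;
    }
}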
