package net.ripe.rpki.commons.crypto.x509cert;

import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Random;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.crl.CrlLocator;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.crl.X509CrlTest;
import net.ripe.rpki.commons.crypto.util.KeyPairFactoryTest;
import net.ripe.rpki.commons.util.UTC;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext;
import org.joda.time.DateTime;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;

/* loaded from: input_file:net/ripe/rpki/commons/crypto/x509cert/X509ResourceCertificateTest.class */
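/**
 * Unit tests and shared fixtures for {@link X509ResourceCertificate}.
 *
 * <p>The public static factory methods build self-signed CA / EE resource certificates signed with
 * {@link KeyPairFactoryTest#TEST_KEY_PAIR}. Other test classes reuse them as fixtures, so their
 * names, signatures and defaults must stay stable.
 *
 * <p>Security-relevant behaviour pinned here: the certificate signature verifies only under the
 * signing key, a self-signed trust anchor is validated without consulting a CRL, a child certificate
 * whose CRL cannot be obtained is rejected (and the failure is attributed to the CRL location), and
 * the resource set handed out by a certificate cannot be mutated by callers.
 */
public class X509ResourceCertificateTest {
    public static final URI TEST_TA_URI = URI.create("rsync://host.foo/ta.cer");
    public static final URI TEST_CA_URI = URI.create("rsync://host.foo/ca.cer");
    private static final ValidationLocation CERT_URI_VALIDATION_LOCATION = new ValidationLocation(TEST_TA_URI);
    public static final URI TEST_TA_CRL = URI.create("rsync://host.foo/bar/ta.crl");
    private static final URI MFT_URI = URI.create("rsync://host.foo/bar/ta.mft");
    private static final URI PUB_DIR_URI = URI.create("rsync://host.foo/bar/");
    private static final ValidationLocation CRL_DP_VALIDATION_LOCATION = new ValidationLocation(TEST_TA_CRL);
    public static final X500Principal TEST_SELF_SIGNED_CERTIFICATE_NAME = new X500Principal("CN=TEST-SELF-SIGNED-CERT");
    private static final IpResourceSet TEST_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212");
    /** Already valid (one minute of clock-skew slack) and far from expiring, so "not yet valid"/"expired" never trips a test. */
    private static final ValidityPeriod TEST_VALIDITY_PERIOD;
    private static final BigInteger TEST_SERIAL_NUMBER;
    private static final ValidationOptions VALIDATION_OPTIONS;

    static {
        DateTime now = UTC.dateTime();
        TEST_VALIDITY_PERIOD = new ValidityPeriod(now.minusMinutes(1), now.plusYears(100));
        TEST_SERIAL_NUMBER = BigInteger.valueOf(900L);
        VALIDATION_OPTIONS = new ValidationOptions();
    }

    /** Fresh mock per test; tests stub {@code getCrl} to simulate the repository. */
    private CrlLocator crlLocator;

    /**
     * Basic builder plus the CA profile: {@code cA=TRUE} and key usage keyCertSign|cRLSign
     * (bit value 6), which is the key usage RPKI CA certificates carry.
     */
    public static X509ResourceCertificateBuilder createSelfSignedCaCertificateBuilder() {
        X509ResourceCertificateBuilder builder = createBasicBuilder();
        builder.withCa(true);
        builder.withKeyUsage(6);
        return builder;
    }

    /**
     * Builder for a self-signed certificate (subject == issuer, signed by the key it certifies)
     * with AKI, a CA-repository SIA and a manifest SIA. Resources and CA/EE flag are left to callers.
     */
    public static X509ResourceCertificateBuilder createBasicBuilder() {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withSubjectDN(TEST_SELF_SIGNED_CERTIFICATE_NAME);
        builder.withIssuerDN(TEST_SELF_SIGNED_CERTIFICATE_NAME);
        builder.withSerial(TEST_SERIAL_NUMBER);
        builder.withValidityPeriod(TEST_VALIDITY_PERIOD);
        // Public key and signing key are the same pair: the fixture is self-signed.
        builder.withPublicKey(KeyPairFactoryTest.TEST_KEY_PAIR.getPublic());
        builder.withSigningKeyPair(KeyPairFactoryTest.TEST_KEY_PAIR);
        builder.withAuthorityKeyIdentifier(true);
        builder.withSubjectInformationAccess(new X509CertificateInformationAccessDescriptor[]{
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, PUB_DIR_URI),
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST, MFT_URI)});
        return builder;
    }

    /** Self-signed CA certificate over {@link #TEST_RESOURCE_SET}. */
    public static X509ResourceCertificate createSelfSignedCaResourceCertificate() {
        return createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET);
    }

    /** Self-signed CA certificate over the given resources. */
    public static X509ResourceCertificate createSelfSignedCaResourceCertificate(IpResourceSet resources) {
        return createSelfSignedCaResourceCertificateBuilder().withResources(resources).build();
    }

    /** Self-signed CA certificate over {@link #TEST_RESOURCE_SET}, certifying and signed by {@code keyPair}. */
    public static X509ResourceCertificate createSelfSignedCaResourceCertificate(KeyPair keyPair) {
        return createSelfSignedCaResourceCertificateBuilder()
                .withResources(TEST_RESOURCE_SET)
                .withSigningKeyPair(keyPair)
                .withPublicKey(keyPair.getPublic())
                .build();
    }

    /** CA builder pre-loaded with {@link #TEST_RESOURCE_SET} and the self-signed subject/issuer. */
    public static X509ResourceCertificateBuilder createSelfSignedCaResourceCertificateBuilder() {
        return createSelfSignedCaCertificateBuilder()
                .withResources(TEST_RESOURCE_SET)
                .withSubjectDN(TEST_SELF_SIGNED_CERTIFICATE_NAME)
                .withIssuerDN(TEST_SELF_SIGNED_CERTIFICATE_NAME);
    }

    /** End-entity ({@code cA=FALSE}) builder pre-loaded with {@link #TEST_RESOURCE_SET}. */
    public static X509ResourceCertificateBuilder createSelfSignedEeCertificateBuilder() {
        return createBasicBuilder()
                .withCa(false)
                .withResources(TEST_RESOURCE_SET)
                .withSubjectDN(TEST_SELF_SIGNED_CERTIFICATE_NAME)
                .withIssuerDN(TEST_SELF_SIGNED_CERTIFICATE_NAME);
    }

    @Before
    public void setUp() {
        this.crlLocator = Mockito.mock(CrlLocator.class);
    }

    /** Wrapping a null certificate is a programming error and must be rejected eagerly. */
    @Test(expected = IllegalArgumentException.class)
    public void shouldRequireCertificate() {
        new X509ResourceCertificate((X509Certificate) null);
    }

    @Test
    public void shouldHaveCertificate() {
        Assert.assertNotNull(createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET).getCertificate());
    }

    /** The IP address and AS identifier extensions must round-trip through encoding. */
    @Test
    public void shouldDecodeResourceExtensions() {
        Assert.assertEquals(TEST_RESOURCE_SET, createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET).getResources());
    }

    /**
     * A certificate that inherits all resource types carries no resources of its own;
     * {@code deriveResources} fills them in from the parent's set.
     */
    @Test
    public void shouldSupportResourceInheritance() {
        X509ResourceCertificate inheriting = createSelfSignedCaResourceCertificateBuilder()
                .withResources(new IpResourceSet())
                .withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class))
                .build();
        Assert.assertTrue(inheriting.isResourceSetInherited());
        Assert.assertTrue(inheriting.getResources().isEmpty());
        Assert.assertFalse(createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET).isResourceSetInherited());
        Assert.assertEquals("AS21212, 10.0.0.0/8, 192.168.0.0/16, ffce::/16", inheriting.deriveResources(TEST_RESOURCE_SET).toString());
    }

    /** Inheritance is per resource type: only the ASNs come from the parent, the IPv4 prefix is the cert's own. */
    @Test
    public void shouldSupportInheritedAsnsOnly() {
        X509ResourceCertificate cert = createSelfSignedCaCertificateBuilder()
                .withResources(IpResourceSet.parse("10.0.0.0/8"))
                .withInheritedResourceTypes(EnumSet.of(IpResourceType.ASN))
                .build();
        Assert.assertTrue(cert.isResourceTypesInherited(EnumSet.of(IpResourceType.ASN)));
        Assert.assertFalse(cert.isResourceTypesInherited(EnumSet.of(IpResourceType.IPv4)));
        Assert.assertFalse(cert.isResourceTypesInherited(EnumSet.of(IpResourceType.IPv6)));
        Assert.assertTrue(cert.isResourceSetInherited());
        Assert.assertEquals("AS21212, 10.0.0.0/8", cert.deriveResources(TEST_RESOURCE_SET).toString());
    }

    /** Mirror image of the previous test: IP resources inherited, the ASN is the cert's own. */
    @Test
    public void shouldSupportInheritedIpAddressesOnly() {
        X509ResourceCertificate cert = createSelfSignedCaCertificateBuilder()
                .withResources(IpResourceSet.parse("AS1234"))
                .withInheritedResourceTypes(EnumSet.of(IpResourceType.IPv4, IpResourceType.IPv6))
                .build();
        Assert.assertFalse(cert.isResourceTypesInherited(EnumSet.of(IpResourceType.ASN)));
        Assert.assertTrue(cert.isResourceTypesInherited(EnumSet.of(IpResourceType.IPv4)));
        Assert.assertTrue(cert.isResourceTypesInherited(EnumSet.of(IpResourceType.IPv6)));
        Assert.assertTrue(cert.isResourceSetInherited());
        Assert.assertEquals("AS1234, 10.0.0.0/8, 192.168.0.0/16, ffce::/16", cert.deriveResources(TEST_RESOURCE_SET).toString());
    }

    /** {@code isCa()} and {@code isEe()} must be mutually exclusive and follow the basicConstraints flag. */
    @Test
    public void shouldSupportCaCertificate() {
        X509ResourceCertificate ee = createSelfSignedEeCertificateBuilder().build();
        Assert.assertTrue(ee.isEe());
        Assert.assertFalse(ee.isCa());
        X509ResourceCertificate ca = createSelfSignedCaResourceCertificateBuilder().build();
        Assert.assertTrue(ca.isCa());
        Assert.assertFalse(ca.isEe());
    }

    /**
     * AIA descriptors round-trip in order and {@code findFirst…} returns the first match.
     * Note the fixture includes an {@code http://} caIssuers URI and the builder accepts it;
     * this test only covers encoding, not whether a validator enforces the rsync scheme.
     */
    @Test
    public void shouldSupportAuthorityInformationAccessExtension() throws URISyntaxException {
        X509CertificateInformationAccessDescriptor[] aia = {
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_CA_CA_ISSUERS, new URI("rsync://foo.host/bar/baz.cer")),
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_CA_CA_ISSUERS, new URI("http://foo.host/bar/baz.cer"))};
        X509ResourceCertificateBuilder builder = createSelfSignedEeCertificateBuilder();
        builder.withAuthorityInformationAccess(aia);
        X509ResourceCertificate cert = builder.build();
        Assert.assertArrayEquals(aia, cert.getAuthorityInformationAccess());
        Assert.assertEquals(aia[0].getLocation(), cert.findFirstAuthorityInformationAccessByMethod(X509CertificateInformationAccessDescriptor.ID_CA_CA_ISSUERS));
        Assert.assertNull(cert.findFirstAuthorityInformationAccessByMethod(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST));
        Assert.assertNotNull(cert.findFirstAuthorityInformationAccessByMethod(X509CertificateInformationAccessDescriptor.ID_CA_CA_ISSUERS));
    }

    /** SIA descriptors round-trip; the explicit SIA replaces the one set by {@link #createBasicBuilder()}. */
    @Test
    public void shouldSupportSubjectInformationAccessExtension() throws URISyntaxException {
        X509CertificateInformationAccessDescriptor[] sia = {
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, new URI("rsync://foo.host/bar/")),
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, new URI("http://foo.host/bar/"))};
        X509ResourceCertificateBuilder builder = createSelfSignedEeCertificateBuilder();
        builder.withSubjectInformationAccess(sia);
        X509ResourceCertificate cert = builder.build();
        Assert.assertArrayEquals(sia, cert.getSubjectInformationAccess());
        Assert.assertNotNull(cert.findFirstSubjectInformationAccessByMethod(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY));
    }

    @Test
    public void shouldSupportCrlDistributionPoints() {
        URI[] crlDps = {URI.create("rsync://localhost/ca.crl")};
        X509ResourceCertificateBuilder builder = createSelfSignedEeCertificateBuilder();
        builder.withCrlDistributionPoints(crlDps);
        X509ResourceCertificate cert = builder.build();
        Assert.assertArrayEquals(crlDps, cert.getCrlDistributionPoints());
        Assert.assertNotNull(cert.findFirstRsyncCrlDistributionPoint());
    }

    /** Every certificate produced by the builder carries the RPKI certificate policy. */
    @Test
    public void shouldHaveCertificatePolicy() {
        Assert.assertEquals(AbstractX509CertificateWrapper.POLICY_OID, createSelfSignedCaResourceCertificate().getCertificatePolicy());
    }

    /** The signature verifies under the public half of the signing pair (JCA verify, no RPKI validation). */
    @Test
    public void shouldHaveValidSignature() throws InvalidKeyException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
        createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET).getCertificate().verify(KeyPairFactoryTest.TEST_KEY_PAIR.getPublic());
    }

    /** Verification under an unrelated key must fail with SignatureException, not pass silently. */
    @Test(expected = SignatureException.class)
    public void shouldFailOnInvalidSignature() throws InvalidKeyException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
        createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET).getCertificate().verify(KeyPairFactoryTest.SECOND_TEST_KEY_PAIR.getPublic());
    }

    /**
     * A self-signed trust anchor has no CRL distribution point, so validating it must succeed
     * without ever asking the {@link CrlLocator} for a CRL. The original version of this test ran
     * the validation but asserted nothing; a vacuous pass would have hidden a regression either way.
     */
    @Test
    public void shouldIgnoreCrlWhenValidatingRootCertificate() {
        ValidationResult result = ValidationResult.withLocation(TEST_TA_URI);
        X509ResourceCertificate trustAnchor = createSelfSignedCaResourceCertificate(TEST_RESOURCE_SET);
        trustAnchor.validate(TEST_TA_URI.toString(), new CertificateRepositoryObjectValidationContext(TEST_TA_URI, trustAnchor), this.crlLocator, VALIDATION_OPTIONS, result);
        Assert.assertFalse("trust anchor should validate without a CRL", result.hasFailureForLocation(CERT_URI_VALIDATION_LOCATION));
        Mockito.verify(this.crlLocator, Mockito.never()).getCrl(
                (URI) Mockito.any(URI.class),
                (CertificateRepositoryObjectValidationContext) Mockito.any(CertificateRepositoryObjectValidationContext.class),
                (ValidationResult) Mockito.any(ValidationResult.class));
    }

    /**
     * A child certificate whose CRL cannot be obtained must fail validation (fail closed).
     * The failure recorded while fetching the CRL is attributed to the CRL DP location, and the
     * validator must restore the certificate location afterwards so that cert-level errors land
     * in the right place.
     */
    @Test
    public void shouldFailWhenCrlCannotBeLocated() {
        final ValidationResult result = ValidationResult.withLocation(TEST_TA_URI);
        X509ResourceCertificate parent = createSelfSignedCaResourceCertificate();
        // Child: different subject and key, issued (signed) by the parent fixture's key, pointing at TEST_TA_CRL.
        X509ResourceCertificate child = createSelfSignedCaResourceCertificateBuilder()
                .withPublicKey(KeyPairFactoryTest.SECOND_TEST_KEY_PAIR.getPublic())
                .withSubjectDN(new X500Principal("CN=child"))
                .withCrlDistributionPoints(new URI[]{TEST_TA_CRL})
                .build();
        CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(TEST_TA_URI, parent);
        Mockito.when(this.crlLocator.getCrl(TEST_TA_CRL, context, result)).thenAnswer(new Answer<X509Crl>() {
            @Override
            public X509Crl answer(InvocationOnMock invocation) throws Throwable {
                // The validator must have moved the result to the CRL DP location before fetching.
                Assert.assertEquals(X509ResourceCertificateTest.CRL_DP_VALIDATION_LOCATION, result.getCurrentLocation());
                result.rejectIfFalse(false, "cert.crl.signature");
                return null;
            }
        });
        result.setLocation(new ValidationLocation(TEST_TA_URI));
        child.validate(TEST_TA_URI.toString(), context, this.crlLocator, VALIDATION_OPTIONS, result);
        Assert.assertEquals(CERT_URI_VALIDATION_LOCATION, result.getCurrentLocation());
        Assert.assertTrue("certificate should have errors", result.hasFailureForCurrentLocation());
        Assert.assertTrue("crl should have errors", result.hasFailureForLocation(CRL_DP_VALIDATION_LOCATION));
    }

    /** Happy path: the child validates against its parent when the locator returns a usable CRL. */
    @Test
    public void shouldValidateWhenCrlOk() {
        ValidationResult result = ValidationResult.withLocation(TEST_TA_URI);
        X509ResourceCertificate parent = createSelfSignedCaResourceCertificate();
        X509ResourceCertificate child = createSelfSignedCaResourceCertificateBuilder()
                .withPublicKey(KeyPairFactoryTest.SECOND_TEST_KEY_PAIR.getPublic())
                .withSubjectDN(new X500Principal("CN=child"))
                .withCrlDistributionPoints(new URI[]{TEST_TA_CRL})
                .build();
        X509Crl crl = X509CrlTest.createCrl();
        CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(TEST_TA_URI, parent);
        Mockito.when(this.crlLocator.getCrl(TEST_TA_CRL, context, result)).thenReturn(crl);
        child.validate(TEST_TA_URI.toString(), context, this.crlLocator, VALIDATION_OPTIONS, result);
        Assert.assertEquals(CERT_URI_VALIDATION_LOCATION, result.getCurrentLocation());
        Assert.assertEquals("[]", result.getFailuresForCurrentLocation().toString());
        Assert.assertFalse(result.hasFailureForLocation(CERT_URI_VALIDATION_LOCATION));
    }

    /**
     * {@code getResources()} must hand out a copy: a caller emptying the returned set must not be
     * able to alter the resources the certificate reports (and that validation later relies on).
     */
    @Test
    public void shouldReturnImmutableResources() {
        X509ResourceCertificate cert = createSelfSignedCaResourceCertificate();
        IpResourceSet exposed = cert.getResources();
        exposed.removeAll(new IpResourceSet(exposed));
        Assert.assertFalse(cert.getResources().isEmpty());
    }

    /** {@code isPastValidityTime()} must agree with the wrapped validity period's own expiry check. */
    @Test
    public void shouldNotBePastValidityTime() {
        X509ResourceCertificate cert = createSelfSignedCaResourceCertificate();
        Assert.assertEquals(Boolean.valueOf(cert.getValidityPeriod().isExpiredNow()), Boolean.valueOf(cert.isPastValidityTime()));
    }

    /**
     * Revocation: a certificate whose serial appears on the issuer's CRL must report
     * {@code isRevoked()}. Still ignored because the production side is not implemented;
     * kept so the intended contract is on record.
     */
    @Test
    @Ignore("Production code not implemented")
    public void shouldBeRevoked() {
        X509ResourceCertificate issuer = createSelfSignedCaResourceCertificateBuilder()
                .withResources(TEST_RESOURCE_SET)
                .withCrlDistributionPoints(new URI[]{TEST_TA_CRL})
                .build();
        // Certificate serial numbers must be positive (RFC 5280 4.1.2.2); abs() keeps the fixture
        // well-formed whatever sign the (non-cryptographic, test-only) Random produces.
        BigInteger revokedSerial = BigInteger.valueOf(new Random(UTC.dateTime().getMillis()).nextLong()).abs();
        X509ResourceCertificate revoked = createBasicBuilder().withResources(TEST_RESOURCE_SET).withSerial(revokedSerial).build();
        X509Crl crl = X509CrlTest.getCrlBuilder()
                .withAuthorityKeyIdentifier(KeyPairFactoryTest.TEST_KEY_PAIR.getPublic())
                .addEntry(revokedSerial, DateTime.now().minusDays(1))
                .build(KeyPairFactoryTest.TEST_KEY_PAIR.getPrivate());
        CrlLocator locator = Mockito.mock(CrlLocator.class);
        Mockito.when(locator.getCrl(
                (URI) Mockito.any(URI.class),
                (CertificateRepositoryObjectValidationContext) Mockito.any(CertificateRepositoryObjectValidationContext.class),
                (ValidationResult) Mockito.any(ValidationResult.class))).thenReturn(crl);
        revoked.validate(TEST_CA_URI.toString(), new CertificateRepositoryObjectValidationContext(TEST_TA_URI, issuer), locator, new ValidationOptions(), ValidationResult.withLocation(TEST_CA_URI));
        Assert.assertTrue("Certificate must be revoked", revoked.isRevoked());
    }
}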
