package net.ripe.rpki.commons.validation;

import java.math.BigInteger;
import java.security.KeyPair;
import java.util.EnumSet;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder;
import net.ripe.rpki.commons.crypto.util.PregeneratedKeyPairFactory;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder;
import net.ripe.rpki.commons.util.UTC;
import net.ripe.rpki.commons.validation.objectvalidators.X509ResourceCertificateParentChildValidator;
import org.joda.time.DateTime;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:net/ripe/rpki/commons/validation/X509ResourceCertificateParentChildValidatorTest.class */
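/**
 * Unit tests for {@link X509ResourceCertificateParentChildValidator}.
 *
 * <p>Each test builds a self-signed root (trust anchor) certificate, a child
 * certificate issued under it, and a CRL issued by the root, then runs the
 * validator against a deliberately broken child and checks that the expected
 * failure or warning is reported at the {@code "child"} validation location.
 *
 * <p>Assertions compare the expected check key with the actual one via
 * {@code assertEquals} so a failing test prints both values instead of a bare
 * {@code expected true}.
 */
public class X509ResourceCertificateParentChildValidatorTest {
    private static final X500Principal ROOT_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=RIPE NCC, C=NL");
    private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212");
    private static final BigInteger ROOT_SERIAL_NUMBER = BigInteger.valueOf(900);
    // Single reference clock so that all validity windows in a test run agree.
    private static final DateTime NOW = UTC.dateTime();
    private static final ValidityPeriod VALIDITY_PERIOD = new ValidityPeriod(NOW.minusMinutes(1), NOW.plusYears(1));
    private static final X500Principal FIRST_CHILD_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=First Child, C=NL");
    private static final BigInteger FIRST_CHILD_SERIAL_NUMBER = ROOT_SERIAL_NUMBER.add(BigInteger.valueOf(1));
    private static final X500Principal SECOND_CHILD_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=Second Child, C=NL");
    // 192.168.0.0/15 is wider than the root's 192.168.0.0/16, so this set is
    // not a subset of ROOT_RESOURCE_SET and must be rejected (over-claim).
    private static final IpResourceSet INVALID_CHILD_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/15, ffce::/16, AS21212");
    // Entirely in the past: a certificate with this period has already expired.
    private static final ValidityPeriod EXPIRED_VALIDITY_PERIOD = new ValidityPeriod(NOW.minusMonths(2), NOW.minusMonths(1));
    private static final KeyPair ROOT_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
    private static final KeyPair FIRST_CHILD_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
    private static final KeyPair SECOND_CHILD_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
    private static final ValidationLocation CHILD_VALIDATION_LOCATION = new ValidationLocation("child");

    // Key-usage bit masks passed to X509ResourceCertificateBuilder.withKeyUsage(int).
    // NOTE(review): the values match the BouncyCastle KeyUsage bit layout
    // (keyCertSign = 4, cRLSign = 2, digitalSignature = 128) — confirm against the builder.
    private static final int KEY_USAGE_CA = 6;
    private static final int KEY_USAGE_DIGITAL_SIGNATURE_ONLY = 128;
    // Zero means no key-usage bits at all; the validator reports the extension as missing.
    private static final int KEY_USAGE_NONE = 0;

    private X509ResourceCertificate root;
    private X509ResourceCertificate child;
    private X509Crl rootCrl;
    private ValidationResult result;
    private ValidationOptions options;

    /** Fresh, valid root/child/CRL triple and a strict, empty validation result for every test. */
    @Before
    public void setUp() {
        root = getRootResourceCertificate();
        child = createChildCertificateBuilder().build();
        rootCrl = getRootCRL().build(ROOT_KEY_PAIR.getPrivate());
        result = ValidationResult.withLocation("n/a");
        options = ValidationOptions.strictValidation();
    }

    /** Runs {@code validator} on {@code certificate} under the {@code "child"} location. */
    private void validate(X509ResourceCertificateParentChildValidator validator, X509ResourceCertificate certificate) {
        validator.validate("child", certificate);
    }

    /** Validator for the current root/CRL, scoped to the root's own resource set. */
    private X509ResourceCertificateParentChildValidator newValidator() {
        return new X509ResourceCertificateParentChildValidator(options, result, root, rootCrl, root.getResources());
    }

    /**
     * Asserts that validation failed and that the first failure recorded for the
     * child location carries {@code expectedKey}.
     */
    private void assertFirstChildFailureIs(String expectedKey) {
        Assert.assertTrue("expected validation to fail", result.hasFailures());
        Assert.assertTrue(result.hasFailureForLocation(CHILD_VALIDATION_LOCATION));
        ValidationCheck firstFailure = (ValidationCheck) result.getFailures(CHILD_VALIDATION_LOCATION).get(0);
        Assert.assertEquals(expectedKey, firstFailure.getKey());
    }

    /** Asserts no failures, but a WARNING check with {@code key} at the child location. */
    private void assertChildWarning(String key) {
        Assert.assertFalse(result.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.WARNING, key, new String[0]),
                result.getResult(CHILD_VALIDATION_LOCATION, key));
    }

    @Test
    public void shouldAcceptHappyFlowChildCertificate() {
        validate(newValidator(), child);
        Assert.assertFalse(result.hasFailures());
    }

    @Test
    public void shouldRejectInvalidSignature() {
        // Signed by a key that is not the parent's: the signature check must fail
        // before any other parent/child check is reported.
        child = createChildCertificateBuilder().withSigningKeyPair(SECOND_CHILD_KEY_PAIR).build();
        validate(newValidator(), child);
        assertFirstChildFailureIs("cert.signature");
    }

    @Test
    public void shouldAcceptSelfSignedSignature() {
        // The root is validated against itself (trust-anchor case).
        validate(newValidator(), root);
        Assert.assertFalse(result.hasFailures());
    }

    @Test
    public void shouldRejectRevokedCertificate() {
        // Revocation date lies after the CRL's thisUpdate (notBefore + 1 day).
        rootCrl = getRootCRL()
                .addEntry(FIRST_CHILD_SERIAL_NUMBER, VALIDITY_PERIOD.getNotValidBefore().plusDays(2))
                .build(ROOT_KEY_PAIR.getPrivate());
        validate(newValidator(), child);
        assertFirstChildFailureIs("cert.not.revoked");
    }

    @Test
    public void shouldRejectIfCrlAbsentForNonRootCertificate() {
        // Without a CRL the revocation status of a non-root certificate cannot be
        // established, so strict validation must not accept it.
        rootCrl = null;
        validate(newValidator(), child);
        Assert.assertTrue(result.hasFailures());
    }

    @Test
    public void shouldRejectCertificateWithWrongValidity() {
        child = createChildCertificateBuilder().withValidityPeriod(EXPIRED_VALIDITY_PERIOD).build();
        validate(newValidator(), child);
        assertFirstChildFailureIs("cert.not.valid.after");
    }

    @Test
    public void shouldRejectInvalidIssuer() {
        // Issuer DN does not match the parent's subject DN.
        child = createChildCertificateBuilder().withIssuerDN(SECOND_CHILD_CERTIFICATE_NAME).build();
        validate(newValidator(), child);
        assertFirstChildFailureIs("cert.issuer.eq.prev.subject");
    }

    @Test
    public void shouldWarnOnInvalidKeyUsage() {
        // A CA certificate without keyCertSign is only warned about, not rejected.
        child = createChildCertificateBuilder().withKeyUsage(KEY_USAGE_DIGITAL_SIGNATURE_ONLY).build();
        validate(newValidator(), child);
        assertChildWarning("cert.key.cert.sign");
    }

    @Test
    public void shouldWarnOnMissingKeyUsage() {
        child = createChildCertificateBuilder().withKeyUsage(KEY_USAGE_NONE).build();
        validate(newValidator(), child);
        assertChildWarning("cert.key.usage.extension.present");
    }

    @Test
    public void shouldRejectMissingAuthorityKeyIdentifier() {
        child = createChildCertificateBuilder().withAuthorityKeyIdentifier(false).build();
        validate(newValidator(), child);
        assertFirstChildFailureIs("cert.aki.present");
    }

    @Test
    public void shouldRejectInvalidResourceSet() {
        // Explicit (non-inherited) resources that over-claim relative to the parent.
        child = createChildCertificateBuilder()
                .withInheritedResourceTypes(EnumSet.noneOf(IpResourceType.class))
                .withResources(INVALID_CHILD_RESOURCE_SET)
                .build();
        validate(newValidator(), child);
        Assert.assertTrue(result.hasFailures());
    }

    @Test
    public void shouldRejectInheritedResourcesForSelfSignedCertificate() {
        // A trust anchor has nothing to inherit from, so "inherit" is invalid there.
        root = getRootResourceCertificateWithInheritedResources();
        child = getRootResourceCertificateWithInheritedResources();
        validate(newValidator(), child);
        Assert.assertTrue(result.hasFailures());
    }

    private X509ResourceCertificate getRootResourceCertificate() {
        return createRootCertificateBuilder().build();
    }

    /** Root certificate that (incorrectly) marks all resource types as inherited. */
    private X509ResourceCertificate getRootResourceCertificateWithInheritedResources() {
        return createRootCertificateBuilder()
                .withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class))
                .withResources(new IpResourceSet())
                .build();
    }

    /**
     * Builder for a self-signed CA root holding {@link #ROOT_RESOURCE_SET}.
     *
     * <p>The root deliberately carries no authority key identifier: it is
     * self-signed, and {@link #shouldAcceptSelfSignedSignature} shows the
     * validator does not require an AKI on the trust anchor.
     */
    private X509ResourceCertificateBuilder createRootCertificateBuilder() {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withSubjectDN(ROOT_CERTIFICATE_NAME);
        builder.withIssuerDN(ROOT_CERTIFICATE_NAME);
        builder.withSerial(ROOT_SERIAL_NUMBER);
        builder.withValidityPeriod(VALIDITY_PERIOD);
        builder.withPublicKey(ROOT_KEY_PAIR.getPublic());
        builder.withCa(true);
        builder.withKeyUsage(KEY_USAGE_CA);
        builder.withAuthorityKeyIdentifier(false);
        builder.withSubjectKeyIdentifier(true);
        builder.withResources(ROOT_RESOURCE_SET);
        builder.withSigningKeyPair(ROOT_KEY_PAIR);
        return builder;
    }

    /**
     * Builder for a valid CA child issued by the root, inheriting all resource
     * types from it. Tests override individual fields to break one property at a time.
     */
    private X509ResourceCertificateBuilder createChildCertificateBuilder() {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withSubjectDN(FIRST_CHILD_CERTIFICATE_NAME);
        builder.withIssuerDN(ROOT_CERTIFICATE_NAME);
        builder.withSerial(FIRST_CHILD_SERIAL_NUMBER);
        builder.withPublicKey(FIRST_CHILD_KEY_PAIR.getPublic());
        builder.withSigningKeyPair(ROOT_KEY_PAIR);
        builder.withCa(true);
        builder.withKeyUsage(KEY_USAGE_CA);
        builder.withAuthorityKeyIdentifier(true);
        builder.withSubjectKeyIdentifier(true);
        builder.withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class));
        builder.withValidityPeriod(VALIDITY_PERIOD);
        return builder;
    }

    /**
     * Builder for an empty CRL issued by the root. thisUpdate is one day into the
     * root's validity period so that revocation entries dated later are consistent.
     */
    private X509CrlBuilder getRootCRL() {
        X509CrlBuilder builder = new X509CrlBuilder();
        builder.withIssuerDN(ROOT_CERTIFICATE_NAME);
        builder.withThisUpdateTime(VALIDITY_PERIOD.getNotValidBefore().plusDays(1));
        builder.withNextUpdateTime(NOW.plusMonths(1));
        builder.withNumber(BigInteger.valueOf(1L));
        builder.withAuthorityKeyIdentifier(ROOT_KEY_PAIR.getPublic());
        builder.withSignatureProvider("SunRsaSign");
        return builder;
    }
}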
