package net.ripe.rpki.commons.crypto.crl;

import java.math.BigInteger;
import java.security.KeyPair;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.util.PregeneratedKeyPairFactory;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder;
import net.ripe.rpki.commons.util.UTC;
import net.ripe.rpki.commons.validation.ValidationCheck;
import net.ripe.rpki.commons.validation.ValidationLocation;
import net.ripe.rpki.commons.validation.ValidationOptions;
import net.ripe.rpki.commons.validation.ValidationResult;
import net.ripe.rpki.commons.validation.ValidationStatus;
import org.joda.time.DateTime;
import org.joda.time.Duration;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

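/**
 * Tests for {@link X509CrlValidator}: signature verification against the issuing
 * certificate and the thisUpdate / nextUpdate freshness checks, including the
 * configurable stale grace period.
 *
 * <p>All fixtures are generated per run; the root certificate is self-issued with
 * a test-only subject name.
 */
public class X509CrlValidatorTest {
    private static final X500Principal ROOT_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only, CN=RIPE NCC, C=NL");
    private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212");
    private static final BigInteger ROOT_SERIAL_NUMBER = BigInteger.valueOf(900);
    private static final ValidityPeriod VALIDITY_PERIOD;
    private static final KeyPair ROOT_KEY_PAIR;
    private static final KeyPair FIRST_CHILD_KEY_PAIR;

    static {
        // One clock reading, so both ends of the validity window derive from the same instant.
        DateTime now = UTC.dateTime();
        VALIDITY_PERIOD = new ValidityPeriod(now.minusDays(2), now.plusDays(2));
        ROOT_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
        FIRST_CHILD_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
    }

    private X509CrlValidator subject;
    private X509ResourceCertificate parent;
    private ValidationOptions options;
    private ValidationResult result;

    /** Builds a validator bound to the root certificate, with the default options and a fresh result. */
    @Before
    public void setUp() {
        this.parent = getRootResourceCertificate();
        this.options = ValidationOptions.backCompatibleRipeNccValidator();
        this.result = ValidationResult.withLocation("location");
        this.subject = new X509CrlValidator(this.options, this.result, this.parent);
    }

    /** A CRL signed by the root key with default update times validates without failures. */
    @Test
    public void shouldValidateHappyflowCrl() {
        this.subject.validate("location", getRootCRL().build(ROOT_KEY_PAIR.getPrivate()));
        this.result = this.subject.getValidationResult();
        Assert.assertFalse(this.result.hasFailures());
        Assert.assertEquals(new ValidationLocation("location"), this.result.getCurrentLocation());
    }

    /** A CRL signed with a key other than the parent certificate's key must fail the signature check. */
    @Test
    public void shouldRejectCrlSignedByOthers() {
        this.subject.validate("location", getRootCRL().build(FIRST_CHILD_KEY_PAIR.getPrivate()));
        this.result = this.subject.getValidationResult();
        Assert.assertTrue(this.result.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.ERROR, "cert.crl.signature", new String[0]), this.result.getResult(new ValidationLocation("location"), "cert.crl.signature"));
    }

    /** A CRL whose thisUpdate lies two days in the future is rejected. */
    @Test
    public void shouldRejectWhenThisUpdateInFuture() {
        DateTime now = UTC.dateTime().withMillisOfSecond(0);
        DateTime thisUpdateTime = now.plusDays(2);
        this.subject.validate("location", getRootCRL().withThisUpdateTime(thisUpdateTime).withNextUpdateTime(now.plusDays(4)).build(ROOT_KEY_PAIR.getPrivate()));
        this.result = this.subject.getValidationResult();
        Assert.assertTrue(this.result.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.ERROR, "crl.this.update.after.now", new String[]{thisUpdateTime.toString()}), this.result.getResult(new ValidationLocation("location"), "crl.this.update.after.now"));
    }

    /** A CRL that expired one second ago, with a one-day stale period configured, yields a warning only. */
    @Test
    public void shouldWarnWhenNextUpdatePassedWithinMaxStaleDays() {
        this.options = ValidationOptions.withStaleConfigurations(Duration.standardDays(1L), Duration.ZERO);
        // The validator from setUp() holds the default options; rebuild it so the stale
        // configuration above is the one under test (as the sibling stale-period tests do).
        this.subject = new X509CrlValidator(this.options, this.result, this.parent);
        DateTime nextUpdateTime = UTC.dateTime().minusSeconds(1).withMillisOfSecond(0);
        this.subject.validate("location", getRootCRL().withNextUpdateTime(nextUpdateTime).build(ROOT_KEY_PAIR.getPrivate()));
        this.result = this.subject.getValidationResult();
        Assert.assertFalse(this.result.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.WARNING, "crl.next.update.before.now", new String[]{nextUpdateTime.toString()}), this.result.getResult(new ValidationLocation("location"), "crl.next.update.before.now"));
    }

    /** A CRL that expired two days ago, with a one-day stale period configured, is rejected. */
    @Test
    public void shouldRejectWhenNextUpdateOutsideMaxStaleDays() {
        this.options = ValidationOptions.withStaleConfigurations(Duration.standardDays(1L), Duration.ZERO);
        this.subject = new X509CrlValidator(this.options, this.result, this.parent);
        DateTime nextUpdateTime = UTC.dateTime().minusDays(2).withMillisOfSecond(0);
        this.subject.validate("location", getRootCRL().withNextUpdateTime(nextUpdateTime).build(ROOT_KEY_PAIR.getPrivate()));
        this.result = this.subject.getValidationResult();
        Assert.assertTrue(this.result.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.ERROR, "crl.next.update.before.now", new String[]{nextUpdateTime.toString()}), this.result.getResult(new ValidationLocation("location"), "crl.next.update.before.now"));
    }

    /** With a negative (-8 day) stale period, a CRL whose nextUpdate is the current second is rejected. */
    @Test
    public void shouldRejectWhenNextUpdateOutsideNegativeMaxStaleDays() {
        this.options = ValidationOptions.withStaleConfigurations(Duration.standardDays(-8L), Duration.ZERO);
        this.subject = new X509CrlValidator(this.options, this.result, this.parent);
        DateTime nextUpdateTime = UTC.dateTime().withMillisOfSecond(0);
        this.subject.validate("location", getRootCRL().withNextUpdateTime(nextUpdateTime).build(ROOT_KEY_PAIR.getPrivate()));
        this.result = this.subject.getValidationResult();
        Assert.assertTrue(this.result.hasFailures());
        Assert.assertEquals(new ValidationCheck(ValidationStatus.ERROR, "crl.next.update.before.now", new String[]{nextUpdateTime.toString()}), this.result.getResult(new ValidationLocation("location"), "crl.next.update.before.now"));
    }

    /** A CRL issued a day ago and due a day from now validates without failures. */
    @Test
    public void shouldNotRejectWhenBetweenThisUpdateAndNextUpdate() {
        DateTime thisUpdateTime = UTC.dateTime().minusDays(1);
        this.subject.validate("location", getRootCRL().withThisUpdateTime(thisUpdateTime).withNextUpdateTime(thisUpdateTime.plusDays(2)).build(ROOT_KEY_PAIR.getPrivate()));
        this.result = this.subject.getValidationResult();
        Assert.assertFalse(this.result.hasFailures());
    }

    /**
     * Builds the self-issued root CA certificate (subject == issuer, signed with
     * {@code ROOT_KEY_PAIR}) that the validator uses as the CRL's parent.
     */
    private X509ResourceCertificate getRootResourceCertificate() {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withSubjectDN(ROOT_CERTIFICATE_NAME);
        builder.withIssuerDN(ROOT_CERTIFICATE_NAME);
        builder.withSerial(ROOT_SERIAL_NUMBER);
        builder.withValidityPeriod(VALIDITY_PERIOD);
        builder.withPublicKey(ROOT_KEY_PAIR.getPublic());
        builder.withCa(true);
        // Decompiled constant: 4 is presumably the keyCertSign key-usage bit.
        // NOTE(review): cRLSign does not appear to be set on this CRL issuer; confirm that is intended.
        builder.withKeyUsage(4);
        // NOTE(review): set to true here and to false two calls later; presumably the
        // later call wins, making this one redundant. Confirm against the builder.
        builder.withAuthorityKeyIdentifier(true);
        builder.withResources(ROOT_RESOURCE_SET);
        builder.withAuthorityKeyIdentifier(false);
        builder.withSigningKeyPair(ROOT_KEY_PAIR);
        return builder.build();
    }

    /**
     * Returns a CRL builder pre-populated for the root issuer: thisUpdate one day
     * after the start of the validity period, nextUpdate one month from now.
     * Callers override the update times and choose the signing key via {@code build}.
     */
    private X509CrlBuilder getRootCRL() {
        X509CrlBuilder builder = new X509CrlBuilder();
        builder.withIssuerDN(ROOT_CERTIFICATE_NAME);
        builder.withThisUpdateTime(VALIDITY_PERIOD.getNotValidBefore().plusDays(1));
        builder.withNextUpdateTime(UTC.dateTime().plusMonths(1));
        builder.withNumber(BigInteger.valueOf(1L));
        builder.withAuthorityKeyIdentifier(ROOT_KEY_PAIR.getPublic());
        builder.withSignatureProvider("SunRsaSign");
        return builder;
    }
}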
