package net.ripe.rpki.commons.validation;

import java.math.BigInteger;
import java.net.URI;
import java.security.KeyPair;
import java.security.cert.CRLException;
import java.util.EnumSet;
import javax.security.auth.x500.X500Principal;
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.CertificateRepositoryObjectFile;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder;
import net.ripe.rpki.commons.crypto.util.PregeneratedKeyPairFactory;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder;
import net.ripe.rpki.commons.util.UTC;
import net.ripe.rpki.commons.validation.objectvalidators.ResourceCertificateLocator;
import net.ripe.rpki.commons.validation.objectvalidators.X509ResourceCertificateBottomUpValidator;
import org.apache.commons.lang3.Validate;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:net/ripe/rpki/commons/validation/X509ResourceCertificateBottomUpValidatorTest.class */
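/**
 * Exercises {@link X509ResourceCertificateBottomUpValidator} on a small fixture chain
 * (root -> first child -> second child, with a CRL issued by root and one by the first child).
 *
 * <p>Each negative test mutates exactly one aspect of the child (or grandchild) certificate
 * or of the CRL the locator hands out, validates bottom-up, and pins the key of the first
 * failure reported at that certificate's validation location. Key-usage problems are expected
 * to surface as warnings rather than failures.
 */
public class X509ResourceCertificateBottomUpValidatorTest {
    private static final X500Principal ROOT_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only - RIPE NCC - NL");
    private static final IpResourceSet ROOT_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/16, ffce::/16, AS21212");
    private static final BigInteger ROOT_SERIAL_NUMBER = BigInteger.valueOf(900);
    private static final ValidityPeriod VALIDITY_PERIOD = new ValidityPeriod(UTC.dateTime().minusMinutes(1), UTC.dateTime().plusYears(1));
    private static final X500Principal FIRST_CHILD_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only - First Child - NL");
    private static final BigInteger FIRST_CHILD_SERIAL_NUMBER = ROOT_SERIAL_NUMBER.add(BigInteger.ONE);
    private static final X500Principal SECOND_CHILD_CERTIFICATE_NAME = new X500Principal("CN=For Testing Only - Second Child - NL");
    private static final BigInteger SECOND_CHILD_SERIAL_NUMBER = FIRST_CHILD_SERIAL_NUMBER.add(BigInteger.ONE);
    // 192.168.0.0/17 is a strict subset of the root's 192.168.0.0/16, so this set is covered by the root.
    private static final IpResourceSet CHILD_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/17, ffce::/16, AS21212");
    // 192.168.0.0/15 is wider than the root's 192.168.0.0/16: an over-claim the validator must reject.
    private static final IpResourceSet INVALID_CHILD_RESOURCE_SET = IpResourceSet.parse("10.0.0.0/8, 192.168.0.0/15, ffce::/16, AS21212");
    private static final ValidityPeriod EXPIRED_VALIDITY_PERIOD = new ValidityPeriod(UTC.dateTime().minusMonths(2), UTC.dateTime().minusMonths(1));
    private static final KeyPair ROOT_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
    private static final KeyPair FIRST_CHILD_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
    private static final KeyPair SECOND_CHILD_KEY_PAIR = PregeneratedKeyPairFactory.getInstance().generate();
    private static final ValidationLocation CHILD_VALIDATION_LOCATION = new ValidationLocation("child");
    private static final ValidationLocation GRAND_CHILD_VALIDATION_LOCATION = new ValidationLocation("grandchild");

    // Raw key-usage bit masks as passed to X509ResourceCertificateBuilder.withKeyUsage.
    // The values follow the BouncyCastle KeyUsage bit layout (keyCertSign=4, cRLSign=2,
    // digitalSignature=128, decipherOnly=32768) — confirm against the builder if in doubt.
    /** keyCertSign | cRLSign: the usage every CA certificate in the fixture chain carries. */
    private static final int CA_KEY_USAGE = 6;
    /** Extension present but with the wrong usage (digitalSignature only). */
    private static final int KEY_USAGE_DIGITAL_SIGNATURE_ONLY = 128;
    /** digitalSignature | decipherOnly: a bit combination that does not include keyCertSign. */
    private static final int KEY_USAGE_WRONG_BIT = 32896;

    private X509ResourceCertificate root;
    private X509ResourceCertificate child;
    private X509ResourceCertificate grandchild;
    private X509Crl rootCrl;
    private X509Crl childCrl;

    /**
     * Resolves parents and CRLs purely from the fixtures held by the enclosing test instance,
     * so a test can swap a fixture (e.g. a CRL signed with the wrong key) before validating.
     */
    private class ResourceCertificateLocatorImpl implements ResourceCertificateLocator {
        private ResourceCertificateLocatorImpl() {
        }

        /**
         * Returns the encoded parent of {@code certificate}: the child for the grandchild,
         * the root for the child.
         *
         * @throws IllegalArgumentException if the certificate is neither fixture
         * @throws IllegalArgumentException (via {@link Validate#isTrue}) if a root certificate is passed
         */
        @Override
        public CertificateRepositoryObjectFile<X509ResourceCertificate> findParent(X509ResourceCertificate certificate) {
            Validate.isTrue(!certificate.isRoot());
            if (certificate.equals(grandchild)) {
                return new CertificateRepositoryObjectFile<>(X509ResourceCertificate.class, "child", child.getEncoded());
            }
            if (certificate.equals(child)) {
                return new CertificateRepositoryObjectFile<>(X509ResourceCertificate.class, "root", root.getEncoded());
            }
            throw new IllegalArgumentException("unable to find parent for certificate: " + certificate);
        }

        /**
         * Returns the CRL issued by {@code certificate}'s parent, or {@code null} when the
         * certificate is neither the child nor the grandchild fixture.
         */
        @Override
        public CertificateRepositoryObjectFile<X509Crl> findCrl(X509ResourceCertificate certificate) {
            if (certificate.equals(child)) {
                return new CertificateRepositoryObjectFile<>(X509Crl.class, "rootCrl", rootCrl.getEncoded());
            }
            if (certificate.equals(grandchild)) {
                return new CertificateRepositoryObjectFile<>(X509Crl.class, "childCrl", childCrl.getEncoded());
            }
            return null;
        }
    }

    /** Builds a fresh, valid root/child pair and both CRLs; the grandchild is created per test. */
    @Before
    public void setUp() {
        root = getRootResourceCertificate();
        child = createChildBuilder().build();
        grandchild = null;
        rootCrl = getRootCRL().build(ROOT_KEY_PAIR.getPrivate());
        childCrl = getChildCRL().build(FIRST_CHILD_KEY_PAIR.getPrivate());
    }

    @Test
    public void testShouldBeValidRootCertificate() {
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("root", root);
        Assert.assertFalse(validator.getValidationResult().hasFailures());
    }

    @Test
    public void testShouldBeValidChildCertificates() throws CRLException {
        child = createChildBuilder().build();
        grandchild = createSecondChildBuilder().build();
        X509ResourceCertificateBottomUpValidator validator = newValidator(root);
        validator.validate("grandchild", grandchild);
        Assert.assertFalse(validator.getValidationResult().hasFailures());
    }

    @Test
    public void testShouldFailOnInvalidResorceSet() {
        // Replace inheritance with an explicit set that over-claims the root's 192.168.0.0/16.
        child = createChildBuilder()
                .withInheritedResourceTypes(EnumSet.noneOf(IpResourceType.class))
                .withResources(INVALID_CHILD_RESOURCE_SET)
                .build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertFirstFailureKey(validator.getValidationResult(), CHILD_VALIDATION_LOCATION, "cert.resource.range.is.valid");
    }

    @Test
    public void testShouldFailOnInvalidResourceSetAfterInheritance() {
        // The child inherits everything from the root; the grandchild must still be bounded by it.
        child = createChildBuilder().build();
        grandchild = createSecondChildBuilder().withResources(INVALID_CHILD_RESOURCE_SET).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("grandchild", grandchild);
        assertFirstFailureKey(validator.getValidationResult(), GRAND_CHILD_VALIDATION_LOCATION, "cert.resource.range.is.valid");
    }

    @Test
    public void testShouldFailOnInvalidSignature() {
        // Signed with the child's own key instead of the issuer's (root) key.
        child = createChildBuilder().withSigningKeyPair(FIRST_CHILD_KEY_PAIR).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertFirstFailureKey(validator.getValidationResult(), CHILD_VALIDATION_LOCATION, "cert.signature");
    }

    @Test
    public void testShouldFailOnExpiredValidityPeriod() {
        child = createChildBuilder().withValidityPeriod(EXPIRED_VALIDITY_PERIOD).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertFirstFailureKey(validator.getValidationResult(), CHILD_VALIDATION_LOCATION, "cert.not.valid.after");
    }

    @Test
    public void testShouldFailOnInvalidIssuer() {
        // Issuer DN no longer matches the subject DN of the certificate the locator returns as parent.
        child = createChildBuilder().withIssuerDN(SECOND_CHILD_CERTIFICATE_NAME).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertFirstFailureKey(validator.getValidationResult(), CHILD_VALIDATION_LOCATION, "cert.issuer.eq.prev.subject");
    }

    @Test
    public void testShouldWarnOnMissingKeyUsage() {
        child = createChildBuilder().withKeyUsage(0).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertWarningOnChild(validator.getValidationResult(), "cert.key.usage.extension.present");
    }

    @Test
    public void testShouldWarnOnInvalidKeyUsage_wrong_number() {
        child = createChildBuilder().withKeyUsage(KEY_USAGE_DIGITAL_SIGNATURE_ONLY).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertWarningOnChild(validator.getValidationResult(), "cert.key.usage.invalid");
    }

    @Test
    public void testShouldWarnOnInvalidKeyUsage_wrong_bit() {
        child = createChildBuilder().withKeyUsage(KEY_USAGE_WRONG_BIT).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertWarningOnChild(validator.getValidationResult(), "cert.key.cert.sign");
    }

    @Test
    public void testShouldFailOnMissingAKI() {
        child = createChildBuilder().withAuthorityKeyIdentifier(false).build();
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertFirstFailureKey(validator.getValidationResult(), CHILD_VALIDATION_LOCATION, "cert.aki.present");
    }

    @Test
    public void testShouldFailOnCrlCheck() throws CRLException {
        child = createChildBuilder().build();
        grandchild = createSecondChildBuilder().build();
        // Root CRL now lists the child's serial as revoked.
        rootCrl = getRootCRL()
                .addEntry(FIRST_CHILD_SERIAL_NUMBER, VALIDITY_PERIOD.getNotValidBefore().plusDays(2))
                .build(ROOT_KEY_PAIR.getPrivate());
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertFirstFailureKey(validator.getValidationResult(), CHILD_VALIDATION_LOCATION, "cert.not.revoked");
    }

    @Test
    public void testShouldFailWhenCrlInvalid() {
        child = createChildBuilder().build();
        // The CRL handed out for the child is issued and signed by the child, not by the root.
        rootCrl = getChildCRL().build(FIRST_CHILD_KEY_PAIR.getPrivate());
        X509ResourceCertificateBottomUpValidator validator = newValidator();
        validator.validate("child", child);
        assertFirstFailureKey(validator.getValidationResult(), CHILD_VALIDATION_LOCATION, "cert.crl.signature");
    }

    /**
     * Creates a validator backed by the fixture locator.
     *
     * @param trustedCertificates trust anchors to stop at; empty means the chain must end at a root
     */
    private X509ResourceCertificateBottomUpValidator newValidator(X509ResourceCertificate... trustedCertificates) {
        return new X509ResourceCertificateBottomUpValidator(new ResourceCertificateLocatorImpl(), trustedCertificates);
    }

    /**
     * Asserts that validation failed at {@code location} and that the first failure there has
     * {@code expectedKey}. Uses assertEquals so a mismatch reports the actual key.
     */
    private static void assertFirstFailureKey(ValidationResult result, ValidationLocation location, String expectedKey) {
        Assert.assertTrue("expected at least one failure", result.hasFailures());
        Assert.assertTrue("expected a failure at " + location, result.hasFailureForLocation(location));
        ValidationCheck first = (ValidationCheck) result.getFailures(location).get(0);
        Assert.assertEquals(expectedKey, first.getKey());
    }

    /** Asserts that validation produced no failures but recorded a WARNING for {@code key} on the child. */
    private static void assertWarningOnChild(ValidationResult result, String key) {
        Assert.assertFalse(result.hasFailures());
        Assert.assertEquals(
                new ValidationCheck(ValidationStatus.WARNING, key, new String[0]),
                result.getResult(CHILD_VALIDATION_LOCATION, key));
    }

    /** Self-signed root (trust anchor) holding the full resource set; carries no AKI. */
    private X509ResourceCertificate getRootResourceCertificate() {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withSubjectDN(ROOT_CERTIFICATE_NAME);
        builder.withIssuerDN(ROOT_CERTIFICATE_NAME);
        builder.withSerial(ROOT_SERIAL_NUMBER);
        builder.withValidityPeriod(VALIDITY_PERIOD);
        builder.withPublicKey(ROOT_KEY_PAIR.getPublic());
        builder.withCa(true);
        builder.withKeyUsage(CA_KEY_USAGE);
        builder.withResources(ROOT_RESOURCE_SET);
        builder.withAuthorityKeyIdentifier(false);
        builder.withSubjectInformationAccess(new X509CertificateInformationAccessDescriptor[]{
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, URI.create("rsync://example.com/root/")),
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST, URI.create("rsync://example.com/root/manifest.mft"))});
        builder.withSigningKeyPair(ROOT_KEY_PAIR);
        return builder.build();
    }

    /** CA certificate issued by the root to the first child; inherits all resource types from the root. */
    private X509ResourceCertificateBuilder createChildBuilder() {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withSubjectDN(FIRST_CHILD_CERTIFICATE_NAME);
        builder.withIssuerDN(ROOT_CERTIFICATE_NAME);
        builder.withSerial(FIRST_CHILD_SERIAL_NUMBER);
        builder.withPublicKey(FIRST_CHILD_KEY_PAIR.getPublic());
        builder.withAuthorityKeyIdentifier(true);
        builder.withSigningKeyPair(ROOT_KEY_PAIR);
        builder.withCa(true);
        builder.withKeyUsage(CA_KEY_USAGE);
        builder.withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class));
        builder.withValidityPeriod(VALIDITY_PERIOD);
        builder.withCrlDistributionPoints(new URI[]{URI.create("rsync://localhost/ta.crl")});
        builder.withSubjectInformationAccess(new X509CertificateInformationAccessDescriptor[]{
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, URI.create("rsync://example.com/repository/")),
                new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST, URI.create("rsync://example.com/repository/manifest.mft"))});
        return builder;
    }

    /** CA certificate issued by the first child to the second child with an explicit (valid) resource set. */
    private X509ResourceCertificateBuilder createSecondChildBuilder() {
        X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
        builder.withSubjectDN(SECOND_CHILD_CERTIFICATE_NAME);
        builder.withIssuerDN(FIRST_CHILD_CERTIFICATE_NAME);
        builder.withSerial(SECOND_CHILD_SERIAL_NUMBER);
        builder.withPublicKey(SECOND_CHILD_KEY_PAIR.getPublic());
        builder.withAuthorityKeyIdentifier(true);
        builder.withSigningKeyPair(FIRST_CHILD_KEY_PAIR);
        builder.withCa(true);
        builder.withKeyUsage(CA_KEY_USAGE);
        builder.withValidityPeriod(VALIDITY_PERIOD);
        builder.withResources(CHILD_RESOURCE_SET);
        builder.withCrlDistributionPoints(new URI[]{URI.create("rsync://localhost/prod.crl")});
        return builder;
    }

    /** Empty CRL issued by the root; callers add entries and sign with the root key. */
    private X509CrlBuilder getRootCRL() {
        return crlBuilderFor(ROOT_CERTIFICATE_NAME, ROOT_KEY_PAIR);
    }

    /** Empty CRL issued by the first child; callers sign with the first child's key. */
    private X509CrlBuilder getChildCRL() {
        return crlBuilderFor(FIRST_CHILD_CERTIFICATE_NAME, FIRST_CHILD_KEY_PAIR);
    }

    /** Shared CRL skeleton: thisUpdate one day into the issuer's validity, nextUpdate a month from now. */
    private static X509CrlBuilder crlBuilderFor(X500Principal issuer, KeyPair issuerKeyPair) {
        X509CrlBuilder builder = new X509CrlBuilder();
        builder.withIssuerDN(issuer);
        builder.withThisUpdateTime(VALIDITY_PERIOD.getNotValidBefore().plusDays(1));
        builder.withNextUpdateTime(UTC.dateTime().plusMonths(1));
        builder.withNumber(BigInteger.ONE);
        builder.withAuthorityKeyIdentifier(issuerKeyPair.getPublic());
        builder.withSignatureProvider("SunRsaSign");
        return builder;
    }
}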
