package net.ripe.rpki.commons.interop;

import com.google.common.io.Files;
import java.io.File;
import java.io.IOException;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateParser;
import net.ripe.rpki.commons.validation.ValidationResult;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.CsvSource;

/* loaded from: input_file:net/ripe/rpki/commons/interop/BBNCertificateConformanceTest.class */
public class BBNCertificateConformanceTest {
    private static final String PATH_TO_BBN_OBJECTS = "src/test/resources/conformance/";

    @Disabled("Early ripe ncc ta certificates have crldp set")
    @Test
    public void shouldRejectSelfSignedCertificateWithCRLDP() throws IOException {
        Assertions.assertThat(parseCertificate("badRootBadCRLDP.cer")).isTrue();
    }

    @Test
    public void shouldRejectCertificateWithCRLDPWithReasonFieldNotOmitted() throws IOException {
        Assertions.assertThat(parseCertificate("root/badCertCRLDPReasons.cer")).isTrue();
    }

    @Test
    public void shouldRejectCertificateWithCRLDPWithCrlIssuer() throws IOException {
        Assertions.assertThat(parseCertificate("root/badCertCRLDPCrlIssuer.cer")).isTrue();
    }

    @Test
    public void shouldRejectCertificateWithoutKeyUsageBit() throws IOException {
        Assertions.assertThat(parseCertificate("root/badCertNoKeyUsage.cer")).isTrue();
    }

    @Test
    public void shouldRejectCertificateWithTwoKeyUsageBits() throws IOException {
        Assertions.assertThat(parseCertificate("root/badCert2KeyUsage.cer")).isTrue();
    }

    @CsvSource({"127, KUsageExtra,          has disallowed key usage bit (nonRepudiation) 6487#4.8.4", "217, KUsageDigitalSig,     has disallowed key usage bit (digitalSignature) 6487#4.8.4", "128, KUsageNoCertSign,     lacks bit for signing certificates 6487#4.8.4", "129, KUsageNoCrit,         key usage extension not critical 6487#4.8.4", "131, KUsageNoCRLSign,      lacks bit for signing CRLs 6487#4.8.4"})
    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
    public void shouldRejectCertificateWithIncorrectKeyUsageBits(String str, String str2, String str3) throws IOException {
        String format = String.format("root/badCert%s.cer", str2);
        Assertions.assertThat(parseCertificate(format)).isTrue().withFailMessage("Should reject certificate with " + str3 + " from " + format, new Object[0]);
    }

    @CsvSource({"218, ResourcesIP6Inherit, # (good) inherit IPv6 resources only, others explicit 6487#4.8.10", "219, ResourcesIP4Inherit, # (good) inherit IPv4 resources only, others explicit 6487#4.8.10", "220, ResourcesASInherit, # (good) inherit AS resources only, others explicit 6487#4.8.11", "221, ResourcesAllInherit, # (good) inherit all resources 6487#4.8.10", "222, ResourcesIP6InhOnly, # (good) inherit IPv6 resources only, others not present 6487#4.8.10", "223, ResourcesIP4InhOnly, # (good) inherit IPv4 resources only, others not present 6487#4.8.10", "224, ResourcesASInhOnly, # (good) inherit AS resources only, others not present 6487#4.8.11"})
    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
    public void shouldAcceptCertificateWithResourceExtension(String str, String str2, String str3) throws IOException {
        String format = String.format("root/goodCert%s.cer", str2);
        Assertions.assertThat(parseCertificate(format)).isFalse().withFailMessage("Should accept certificate with " + str3 + " from " + format, new Object[0]);
    }

    @CsvSource({"138, ResourcesASNoCrit, # AS number extension not critical 6487#4.8.11", "139, ResourcesBadAFI, # invalid IP address family 6487#4.8.10, IANA address-family-numbers", "140, ResourcesBadASOrder, # AS numbers out of order 3779 (but full set is pending)", "141, ResourcesBadV4Order, # IPv4 addresses out of order 3779 (but full set is pending)", "142, ResourcesBadV6Order, # IPv6 addresses out of order 3779 (but full set is pending)", "143, ResourcesIPNoCrit, # IP address extension not critical 6487#4.8.10", "144, ResourcesNone, # neither AS nor IP 3779 extensions 6487#4.8.10", "192, ResourcesIPEmpty, # empty set of IP addresses 6487#4.8.10", "193, ResourcesASEmpty, # empty set of AS numbers 6487#4.8.11", "145, ResourcesSAFI, # IP addresses has SAFI digit 6487#4.8.10"})
    @ParameterizedTest(name = "{displayName} - {0} {1} {2}")
    public void shouldRejectCertificateWithInvalidResourceExtension(String str, String str2, String str3) throws IOException {
        String format = String.format("root/badCert%s.cer", str2);
        Assertions.assertThatThrownBy(() -> {
            Assertions.assertThat(parseCertificate(format)).isFalse();
        }).isInstanceOfAny(new Class[]{IllegalArgumentException.class, IllegalStateException.class, AssertionError.class}).withFailMessage("Should reject certificate with " + str3 + " from " + format, new Object[0]);
    }

    private boolean certificateHasWarningOrFailure(String str) throws IOException {
        File file = new File(PATH_TO_BBN_OBJECTS, str);
        byte[] byteArray = Files.toByteArray(file);
        ValidationResult withLocation = ValidationResult.withLocation(file.getName());
        X509ResourceCertificateParser x509ResourceCertificateParser = new X509ResourceCertificateParser();
        x509ResourceCertificateParser.parse(withLocation, byteArray);
        if (!withLocation.hasFailures()) {
            x509ResourceCertificateParser.getCertificate();
        }
        return withLocation.hasFailures() || withLocation.hasWarnings();
    }

    private boolean parseCertificate(String str) throws IOException {
        File file = new File(PATH_TO_BBN_OBJECTS, str);
        byte[] byteArray = Files.toByteArray(file);
        ValidationResult withLocation = ValidationResult.withLocation(file.getName());
        X509ResourceCertificateParser x509ResourceCertificateParser = new X509ResourceCertificateParser();
        x509ResourceCertificateParser.parse(withLocation, byteArray);
        if (!withLocation.hasFailures()) {
            x509ResourceCertificateParser.getCertificate();
        }
        return withLocation.hasFailures();
    }
}
