package net.ripe.rpki.commons.provisioning.cms;

import java.io.ByteArrayInputStream;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertStoreException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import net.ripe.rpki.commons.crypto.cms.RpkiSignedObject;
import net.ripe.rpki.commons.crypto.util.BouncyCastleUtil;
import net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil;
import net.ripe.rpki.commons.provisioning.ProvisioningObjectMother;
import net.ripe.rpki.commons.provisioning.payload.AbstractProvisioningPayload;
import net.ripe.rpki.commons.provisioning.payload.list.request.ResourceClassListQueryPayload;
import net.ripe.rpki.commons.provisioning.payload.list.request.ResourceClassListQueryPayloadBuilder;
import net.ripe.rpki.commons.provisioning.x509.ProvisioningCmsCertificateBuilderTest;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.cms.SignedData;
import org.bouncycastle.asn1.cms.Time;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CRLHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedDataParser;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.joda.time.DateTime;
import org.joda.time.DateTimeUtils;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:net/ripe/rpki/commons/provisioning/cms/ProvisioningCmsObjectBuilderTest.class */
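/**
 * Structural tests for the CMS objects produced by {@link ProvisioningCmsObjectBuilder}.
 *
 * <p>{@link #setUp()} builds one signed object from a fixed payload, certificate, CRL and
 * signing time, then parses the encoded bytes back with BouncyCastle. Every test inspects one
 * property of that parsed structure (version, digest algorithm, content type, embedded
 * certificate/CRL, signer info fields, signed attributes, signature validity).
 *
 * <p>NOTE(review): the set of properties checked looks like the CMS profile of the RPKI
 * provisioning protocol (RFC 6492); confirm against the builder's documentation before relying
 * on this class as the profile's conformance suite.
 */
public class ProvisioningCmsObjectBuilderTest {

    /** Content type OID expected both on the encapsulated content and in the signed attribute. */
    private static final ASN1ObjectIdentifier EXPECTED_CONTENT_TYPE =
            new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.1.28");

    /** OID of the binary-signing-time attribute, which the builder is expected NOT to emit. */
    private static final ASN1ObjectIdentifier BINARY_SIGNING_TIME =
            new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.2.46");

    private ProvisioningCmsObject cmsObject;
    private long signingTime;
    private ProvisioningCmsObjectBuilder subject;
    private CMSSignedDataParser signedDataParser;

    /**
     * Builds the object under test with a frozen clock and parses it back.
     *
     * @throws Exception if building or parsing the CMS object fails
     */
    @Before
    public void setUp() throws Exception {
        ResourceClassListQueryPayload payload = new ResourceClassListQueryPayloadBuilder().build();
        this.subject = new ProvisioningCmsObjectBuilder();
        this.subject.withCmsCertificate(ProvisioningCmsCertificateBuilderTest.TEST_CMS_CERT.getCertificate());
        this.subject.withCrl(ProvisioningObjectMother.CRL);
        // Pins the JDK's RSA signature provider; the test therefore depends on it being installed.
        this.subject.withSignatureProvider("SunRsaSign");
        this.subject.withPayloadContent(payload);

        // Truncated to whole seconds so it can be compared with the value read back from the
        // signing-time attribute (presumably encoded with second resolution).
        this.signingTime = (new DateTime().getMillis() / 1000) * 1000;
        DateTimeUtils.setCurrentMillisFixed(this.signingTime);
        try {
            this.cmsObject = this.subject.build(ProvisioningCmsCertificateBuilderTest.EE_KEYPAIR.getPrivate());
        } finally {
            // Always restore the real clock: a failing build must not leave Joda-Time frozen
            // for every other test running in the same JVM.
            DateTimeUtils.setCurrentMillisSystem();
        }

        this.signedDataParser = new CMSSignedDataParser(new BcDigestCalculatorProvider(), this.cmsObject.getEncoded());
        // The streaming parser only exposes certificates, CRLs and signer infos once the
        // encapsulated content has been consumed.
        this.signedDataParser.getSignedContent().drain();
    }

    /**
     * Creates a signed provisioning CMS object for the given payload using the shared test
     * certificate, CRL and EE key pair. Intended for reuse by other tests.
     *
     * @param abstractProvisioningPayload payload to embed as the signed content
     * @return the built CMS object
     */
    public static ProvisioningCmsObject createProvisioningCmsObjectForPayload(AbstractProvisioningPayload abstractProvisioningPayload) {
        ProvisioningCmsObjectBuilder builder = new ProvisioningCmsObjectBuilder();
        builder.withCmsCertificate(ProvisioningCmsCertificateBuilderTest.TEST_CMS_CERT.getCertificate());
        builder.withCrl(ProvisioningObjectMother.CRL);
        builder.withSignatureProvider("SunRsaSign");
        builder.withPayloadContent(abstractProvisioningPayload);
        return builder.build(ProvisioningCmsCertificateBuilderTest.EE_KEYPAIR.getPrivate());
    }

    /** The builder must refuse to sign without an embedded CMS (EE) certificate. */
    @Test(expected = IllegalArgumentException.class)
    public void shouldForceCertificate() throws CMSException {
        this.subject.withCmsCertificate((X509Certificate) null);
        this.subject.build(ProvisioningCmsCertificateBuilderTest.EE_KEYPAIR.getPrivate());
    }

    /** The builder must refuse to sign without a CRL. */
    @Test(expected = IllegalArgumentException.class)
    public void shouldForceCrl() throws CMSException {
        this.subject.withCrl((X509CRL) null);
        this.subject.build(ProvisioningCmsCertificateBuilderTest.EE_KEYPAIR.getPrivate());
    }

    /** No identity certificate is configured in {@link #setUp()}; building must still succeed. */
    @Test
    public void shouldNotForceIdentityCertificate() throws CMSException {
        this.subject.build(ProvisioningCmsCertificateBuilderTest.EE_KEYPAIR.getPrivate());
    }

    /** SignedData version must be 3. */
    @Test
    public void shouldCmsObjectHaveCorrectVersionNumber() throws Exception {
        Assert.assertEquals(3L, this.signedDataParser.getVersion());
    }

    /** The first entry of SignedData.digestAlgorithms must be SHA-256. */
    @Test
    public void shouldCmsObjectHaveCorrectDigestAlgorithm() throws Exception {
        // Re-parse the raw encoding with the ASN.1 reader so the digestAlgorithms set is read
        // straight from the bytes rather than through the CMS parser.
        try (ASN1InputStream asn1 = new ASN1InputStream(new ByteArrayInputStream(this.cmsObject.getEncoded()))) {
            SignedData signedData = SignedData.getInstance(ContentInfo.getInstance(asn1.readObject()).getContent());
            AlgorithmIdentifier digestAlgorithm =
                    AlgorithmIdentifier.getInstance(signedData.getDigestAlgorithms().getObjectAt(0).toASN1Primitive());
            Assert.assertEquals(CMSSignedGenerator.DIGEST_SHA256, digestAlgorithm.getAlgorithm().getId());
        }
    }

    /** The encapsulated content type must be the expected provisioning content type OID. */
    @Test
    public void shouldCmsObjectHaveCorrectContentType() throws Exception {
        Assert.assertEquals(EXPECTED_CONTENT_TYPE, this.signedDataParser.getSignedContent().getContentType());
    }

    /** Exactly one certificate is embedded, and it is the signing (CMS) certificate. */
    @Test
    public void shouldCmsObjectHaveEmbeddedSigningCertificate() throws Exception {
        Collection<? extends X509CertificateHolder> certificates = getCertificates();
        Assert.assertNotNull(certificates);
        Assert.assertEquals("size", 1L, certificates.size());
        Assert.assertEquals(
                new JcaX509CertificateHolder(ProvisioningCmsCertificateBuilderTest.TEST_CMS_CERT.getCertificate()),
                certificates.iterator().next());
    }

    /** Returns every certificate holder embedded in the parsed CMS object. */
    private Collection<? extends X509CertificateHolder> getCertificates() throws NoSuchAlgorithmException, NoSuchProviderException, CMSException, CertStoreException {
        return this.signedDataParser.getCertificates().getMatches(new BouncyCastleUtil.X509CertificateHolderStoreSelector());
    }

    /**
     * Returns the first SignerInfo of the parsed object. The cast is kept so the helper works
     * whether {@code getSigners()} is declared raw or generic in the BouncyCastle version in use.
     */
    private SignerInformation firstSigner() throws CMSException {
        return (SignerInformation) this.signedDataParser.getSignerInfos().getSigners().iterator().next();
    }

    /** The CRL passed to the builder must be embedded as the first CRL. */
    @Test
    public void shouldCmsObjectHaveEmbeddedCrl() throws Exception {
        Collection<?> crls = this.signedDataParser.getCRLs().getMatches(new BouncyCastleUtil.X509CRLHolderStoreSelector());
        Assert.assertNotNull(crls);
        Assert.assertFalse(crls.isEmpty());
        Assert.assertEquals(new JcaX509CRLHolder(ProvisioningObjectMother.CRL), crls.iterator().next());
    }

    /** The object must carry exactly one SignerInfo. */
    @Test
    public void shouldCmsObjectHaveOnlyOneSigner() throws Exception {
        // The original listing asserted on an undefined name (r0); bind the collection to a
        // local so the size check is performed on the signers actually returned by the parser.
        Collection<?> signers = this.signedDataParser.getSignerInfos().getSigners();
        Assert.assertNotNull(signers);
        Assert.assertEquals(1L, signers.size());
    }

    /** SignerInfo version must be 3, which goes together with a subjectKeyIdentifier SID. */
    @Test
    public void shouldCmsObjectSignerVersionBeCorrect() throws Exception {
        Assert.assertEquals(3L, firstSigner().getVersion());
    }

    /** The signer identifier must equal the SKI of the embedded CMS certificate. */
    @Test
    public void shouldCmsObjectHaveCorrectSubjectKeyIdentifier() throws Exception {
        byte[] expectedSki = X509CertificateUtil.getSubjectKeyIdentifier(ProvisioningCmsCertificateBuilderTest.TEST_CMS_CERT.getCertificate());
        Assert.assertArrayEquals(expectedSki, firstSigner().getSID().getSubjectKeyIdentifier());
    }

    /** The signer must be identified by SKI only, never by issuer and serial number. */
    @Test
    public void shouldCmsObjectHaveSubjectKeyIdentifierOnly() throws Exception {
        SignerInformation signer = firstSigner();
        Assert.assertNull(signer.getSID().getIssuer());
        Assert.assertNull(signer.getSID().getSerialNumber());
    }

    /** The SignerInfo digest algorithm must be SHA-256. */
    @Test
    public void shouldCmsObjectHaveCorrectDigestAlgorithmOID() throws Exception {
        Assert.assertEquals(CMSSignedGenerator.DIGEST_SHA256, firstSigner().getDigestAlgOID());
    }

    /** Signed attributes must be present. */
    @Test
    public void shouldCmsObjectHaveSignedAttributes() throws Exception {
        Assert.assertNotNull(firstSigner().getSignedAttributes());
    }

    /** The content-type signed attribute must be single-valued and match the content type. */
    @Test
    public void shouldCmsObjectHaveCorrectContentTypeSignedAttribute() throws Exception {
        Attribute contentType = firstSigner().getSignedAttributes().get(CMSAttributes.contentType);
        Assert.assertNotNull(contentType);
        Assert.assertEquals(1L, contentType.getAttrValues().size());
        Assert.assertEquals(EXPECTED_CONTENT_TYPE, contentType.getAttrValues().getObjectAt(0));
    }

    /**
     * The message-digest signed attribute must be present and single-valued. This test checks
     * presence only; that the digest matches the content is left to the signature verification
     * in {@link #shouldCmsObjectHaveValidSignature()}.
     */
    @Test
    public void shouldCmsObjectHaveCorrectMessageDigestSignedAttribute() throws Exception {
        Attribute messageDigest = firstSigner().getSignedAttributes().get(CMSAttributes.messageDigest);
        Assert.assertNotNull(messageDigest);
        Assert.assertEquals(1L, messageDigest.getAttrValues().size());
        Assert.assertNotNull(messageDigest.getAttrValues().getObjectAt(0));
    }

    /** The signing-time signed attribute must carry the clock value frozen in {@link #setUp()}. */
    @Test
    public void shouldCmsObjectHaveSigningTimeSignedAttribute() throws Exception {
        Attribute signingTimeAttribute = firstSigner().getSignedAttributes().get(CMSAttributes.signingTime);
        Assert.assertNotNull(signingTimeAttribute);
        Assert.assertEquals(1L, signingTimeAttribute.getAttrValues().size());
        // getObjectAt returns a generic ASN.1 value; decode it as a CMS Time before reading
        // the date (the original listing called getDate() on the untyped value).
        Time encodedTime = Time.getInstance(signingTimeAttribute.getAttrValues().getObjectAt(0));
        Assert.assertEquals(this.signingTime, encodedTime.getDate().getTime());
    }

    /** The binary-signing-time attribute must be absent. */
    @Test
    public void shouldCmsObjectHaveNoBinarySigningTimeSignedAttribute() throws Exception {
        Assert.assertNull(firstSigner().getSignedAttributes().get(BINARY_SIGNING_TIME));
    }

    /** The signature algorithm must be the SHA-256-with-RSA OID used by RPKI signed objects. */
    @Test
    public void shouldCmsObjectHaveRSASignatureAlgorithm() throws Exception {
        Assert.assertEquals(RpkiSignedObject.SHA256WITHRSA_ENCRYPTION_OID, firstSigner().getEncryptionAlgOID());
    }

    /**
     * The signature must verify against the embedded CMS certificate's public key. This is the
     * only test that exercises the cryptographic binding; the others check structure only.
     */
    @Test
    public void shouldCmsObjectHaveValidSignature() throws Exception {
        SignerInformation signer = firstSigner();
        Assert.assertNotNull(signer.getSignature());
        Assert.assertTrue(
                "signature verify",
                signer.verify(new JcaSignerInfoVerifierBuilder(BouncyCastleUtil.DIGEST_CALCULATOR_PROVIDER)
                        .build(ProvisioningCmsCertificateBuilderTest.TEST_CMS_CERT.getCertificate())));
    }

    /** Unsigned attributes are not covered by the signature and must therefore be absent. */
    @Test
    public void shouldCmsObjectHaveNoUnsignedAttribute() throws Exception {
        Assert.assertNull(firstSigner().getUnsignedAttributes());
    }
}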
