package org.graylog.security.certutil.csr;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import org.assertj.core.api.Assertions;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.graylog2.plugin.certificates.RenewalPolicy;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/graylog/security/certutil/csr/CsrSignerTest.class */
/**
 * Tests for {@link CsrSigner}: checks that the expiry date of a certificate issued from a CSR
 * follows the lifetime string configured in the {@link RenewalPolicy}.
 *
 * <p>The signer runs against a fixed clock, so the expected {@code notAfter} values are
 * deterministic. Every test generates a fresh 2048-bit RSA key pair, builds a self-signed
 * certificate from it to act as the issuer, and signs a CSR created with that same key pair.
 *
 * <p>NOTE(review): only {@code notAfter} is asserted. Issuer name, signature validity against
 * the issuer key, and the subject/public key taken over from the CSR are not covered here -
 * consider adding assertions for them if no other test does.
 */
class CsrSignerTest {
    private static final X500Name subjectName = new X500Name("CN=Example Request");
    private static final Instant fixedInstant = Instant.parse("2023-09-28T12:50:00Z");
    private static final Clock fixedClock = Clock.fixed(fixedInstant, ZoneOffset.UTC);

    /**
     * Registers the BouncyCastle provider so the fixtures below can request it by name ("BC").
     * Per the JDK contract, {@link Security#addProvider} leaves the provider list unchanged when
     * a provider with the same name is already installed, so repeating this per test is harmless.
     */
    @BeforeEach
    void setUp() {
        Security.addProvider(new BouncyCastleProvider());
    }

    /**
     * Issues a certificate through {@link CsrSigner} using freshly generated fixtures.
     *
     * @param certificateLifetime lifetime string handed to the {@link RenewalPolicy}
     *                            (the tests use ISO-8601 style values such as {@code PT2H})
     * @return the certificate returned by the signer
     */
    private X509Certificate sign(String certificateLifetime) throws Exception {
        final KeyPair issuerKeys = createPrivateKey();
        final X509Certificate issuerCert = createCert(issuerKeys);
        final CsrSigner signer = new CsrSigner(fixedClock);
        // The CSR is built from the issuer's own key pair, so requester and issuer are the same key.
        final PKCS10CertificationRequest request = createCSR(issuerKeys);
        final RenewalPolicy policy = new RenewalPolicy(RenewalPolicy.Mode.AUTOMATIC, certificateLifetime);
        return signer.sign(issuerKeys.getPrivate(), issuerCert, request, policy);
    }

    /** A {@code PT2H} lifetime must yield an expiry exactly two hours after the fixed clock instant. */
    @Test
    void testSigningCertWithTwoHoursLifetime() throws Exception {
        final X509Certificate issued = sign("PT2H");
        final Instant expectedExpiry = fixedInstant.plus(2L, ChronoUnit.HOURS);

        Assertions.assertThat(issued).isNotNull();
        Assertions.assertThat(issued.getNotAfter()).isEqualTo(expectedExpiry);
    }

    /**
     * A {@code P6M} lifetime is expected to expire 180 days after the fixed clock instant.
     *
     * <p>NOTE(review): this pins "six months" to 180 days rather than six calendar months;
     * presumably the signer counts a month as 30 days - confirm against CsrSigner.
     */
    @Test
    void testSigningCertWithSixMonthsLifetime() throws Exception {
        final X509Certificate issued = sign("P6M");
        final Instant expectedExpiry = fixedInstant.plus(180L, ChronoUnit.DAYS);

        Assertions.assertThat(issued).isNotNull();
        Assertions.assertThat(issued.getNotAfter()).isEqualTo(expectedExpiry);
    }

    /**
     * Builds a PKCS#10 request for {@code subjectName} carrying the public key of the given pair
     * and signed (SHA256withRSA) with its private key.
     */
    private PKCS10CertificationRequest createCSR(KeyPair keyPair) throws OperatorCreationException {
        final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
        final PKCS10CertificationRequestBuilder requestBuilder =
                new PKCS10CertificationRequestBuilder(subjectName, publicKeyInfo);
        return requestBuilder.build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
    }

    /**
     * Builds a self-signed certificate (issuer and subject are both {@code subjectName}) valid
     * for 365 days, with a random 128-bit serial number.
     *
     * <p>NOTE(review): the validity window starts at the wall-clock time, while the signer under
     * test runs on a clock fixed at 2023-09-28. The issued certificates therefore expire before
     * this issuer certificate becomes valid; deriving both dates from {@code fixedInstant} would
     * keep the fixture consistent with the signer's clock.
     */
    private X509Certificate createCert(KeyPair keyPair) throws OperatorCreationException, CertificateException {
        final Date notBefore = Date.from(Instant.now());
        final Date notAfter = Date.from(Instant.now().plus(365L, ChronoUnit.DAYS));
        final BigInteger serialNumber = new BigInteger(128, new SecureRandom());
        final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());

        final X509v3CertificateBuilder certBuilder =
                new X509v3CertificateBuilder(subjectName, serialNumber, notBefore, notAfter, subjectName, publicKeyInfo);
        final JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSA").setProvider("BC");
        final JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider("BC");

        return converter.getCertificate(certBuilder.build(signerBuilder.build(keyPair.getPrivate())));
    }

    /** Generates a 2048-bit RSA key pair using the BouncyCastle ("BC") provider. */
    private KeyPair createPrivateKey() throws NoSuchAlgorithmException, NoSuchProviderException {
        final KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");
        generator.initialize(2048);
        return generator.generateKeyPair();
    }
}
