package org.pgpainless.key.modification;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Iterator;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.operator.bc.BcPBESecretKeyDecryptorBuilder;
import org.bouncycastle.openpgp.operator.bc.BcPGPDigestCalculatorProvider;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.MethodSource;
import org.pgpainless.PGPainless;
import org.pgpainless.algorithm.DocumentSignatureType;
import org.pgpainless.algorithm.SymmetricKeyAlgorithm;
import org.pgpainless.encryption_signing.EncryptionStream;
import org.pgpainless.encryption_signing.ProducerOptions;
import org.pgpainless.encryption_signing.SigningOptions;
import org.pgpainless.implementation.ImplementationFactory;
import org.pgpainless.key.protection.KeyRingProtectionSettings;
import org.pgpainless.key.protection.PasswordBasedSecretKeyRingProtector;
import org.pgpainless.key.protection.UnlockSecretKey;
import org.pgpainless.util.Passphrase;
import org.pgpainless.util.StreamUtil;

/* loaded from: input_file:org/pgpainless/key/modification/ChangeSecretKeyRingPassphraseTest.class */
public class ChangeSecretKeyRingPassphraseTest {
    private final PGPSecretKeyRing keyRing = PGPainless.generateKeyRing().simpleEcKeyRing("password@encryp.ted", "weakPassphrase");

    @MethodSource({"org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories"})
    @ParameterizedTest
    public void changePassphraseOfWholeKeyRingTest(ImplementationFactory implementationFactory) throws PGPException {
        ImplementationFactory.setFactoryImplementation(implementationFactory);
        PGPSecretKeyRing done = PGPainless.modifyKeyRing(this.keyRing).changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase")).withSecureDefaultSettings().toNewPassphrase(Passphrase.fromPassword("1337p455phr453")).done();
        Assertions.assertEquals(KeyRingProtectionSettings.secureDefaultSettings().getEncryptionAlgorithm().getAlgorithmId(), done.getSecretKey().getKeyEncryptionAlgorithm());
        Assertions.assertThrows(PGPException.class, () -> {
            signDummyMessageWithKeysAndPassphrase(done, Passphrase.emptyPassphrase());
        }, "Unlocking secret key ring with empty passphrase MUST fail.");
        Assertions.assertThrows(PGPException.class, () -> {
            signDummyMessageWithKeysAndPassphrase(done, Passphrase.fromPassword("weakPassphrase"));
        }, "Unlocking secret key ring with old passphrase MUST fail.");
        Assertions.assertDoesNotThrow(() -> {
            signDummyMessageWithKeysAndPassphrase(done, Passphrase.fromPassword("1337p455phr453"));
        }, "Unlocking the secret key ring with the new passphrase MUST succeed.");
    }

    @MethodSource({"org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories"})
    @ParameterizedTest
    public void changePassphraseOfWholeKeyRingToEmptyPassphrase(ImplementationFactory implementationFactory) throws PGPException, IOException {
        ImplementationFactory.setFactoryImplementation(implementationFactory);
        PGPSecretKeyRing done = PGPainless.modifyKeyRing(this.keyRing).changePassphraseFromOldPassphrase(Passphrase.fromPassword("weakPassphrase")).withSecureDefaultSettings().toNoPassphrase().done();
        Assertions.assertEquals(SymmetricKeyAlgorithm.NULL.getAlgorithmId(), done.getSecretKey().getKeyEncryptionAlgorithm());
        signDummyMessageWithKeysAndPassphrase(done, Passphrase.emptyPassphrase());
    }

    @MethodSource({"org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories"})
    @ParameterizedTest
    public void changePassphraseOfSingleSubkeyToNewPassphrase(ImplementationFactory implementationFactory) throws PGPException {
        ImplementationFactory.setFactoryImplementation(implementationFactory);
        Iterator secretKeys = this.keyRing.getSecretKeys();
        PGPSecretKey pGPSecretKey = (PGPSecretKey) secretKeys.next();
        PGPSecretKey pGPSecretKey2 = (PGPSecretKey) secretKeys.next();
        extractPrivateKey(pGPSecretKey, Passphrase.fromPassword("weakPassphrase"));
        extractPrivateKey(pGPSecretKey2, Passphrase.fromPassword("weakPassphrase"));
        Iterator secretKeys2 = PGPainless.modifyKeyRing(this.keyRing).changeSubKeyPassphraseFromOldPassphrase(Long.valueOf(pGPSecretKey2.getPublicKey().getKeyID()), Passphrase.fromPassword("weakPassphrase")).withSecureDefaultSettings().toNewPassphrase(Passphrase.fromPassword("subKeyPassphrase")).done().getSecretKeys();
        PGPSecretKey pGPSecretKey3 = (PGPSecretKey) secretKeys2.next();
        PGPSecretKey pGPSecretKey4 = (PGPSecretKey) secretKeys2.next();
        extractPrivateKey(pGPSecretKey3, Passphrase.fromPassword("weakPassphrase"));
        extractPrivateKey(pGPSecretKey4, Passphrase.fromPassword("subKeyPassphrase"));
        Assertions.assertThrows(PGPException.class, () -> {
            extractPrivateKey(pGPSecretKey3, Passphrase.fromPassword("subKeyPassphrase"));
        }, "Unlocking the primary key with the subkey passphrase must fail.");
        Assertions.assertThrows(PGPException.class, () -> {
            extractPrivateKey(pGPSecretKey4, Passphrase.fromPassword("weakPassphrase"));
        }, "Unlocking the subkey with the primary key passphrase must fail.");
    }

    @MethodSource({"org.pgpainless.util.TestImplementationFactoryProvider#provideImplementationFactories"})
    @ParameterizedTest
    public void changePassphraseOfSingleSubkeyToEmptyPassphrase(ImplementationFactory implementationFactory) throws PGPException {
        ImplementationFactory.setFactoryImplementation(implementationFactory);
        Iterator secretKeys = this.keyRing.getSecretKeys();
        PGPSecretKey pGPSecretKey = (PGPSecretKey) secretKeys.next();
        Iterator secretKeys2 = PGPainless.modifyKeyRing(this.keyRing).changeSubKeyPassphraseFromOldPassphrase(Long.valueOf(pGPSecretKey.getKeyID()), Passphrase.fromPassword("weakPassphrase")).withSecureDefaultSettings().toNoPassphrase().done().getSecretKeys();
        PGPSecretKey pGPSecretKey2 = (PGPSecretKey) secretKeys2.next();
        PGPSecretKey pGPSecretKey3 = (PGPSecretKey) secretKeys2.next();
        extractPrivateKey(pGPSecretKey2, Passphrase.emptyPassphrase());
        extractPrivateKey(pGPSecretKey3, Passphrase.fromPassword("weakPassphrase"));
        Assertions.assertThrows(PGPException.class, () -> {
            extractPrivateKey(pGPSecretKey2, Passphrase.fromPassword("weakPassphrase"));
        }, "Unlocking the unprotected primary key with the old passphrase must fail.");
        Assertions.assertThrows(PGPException.class, () -> {
            extractPrivateKey(pGPSecretKey3, Passphrase.emptyPassphrase());
        }, "Unlocking the still protected subkey with an empty passphrase must fail.");
    }

    private void extractPrivateKey(PGPSecretKey pGPSecretKey, Passphrase passphrase) throws PGPException {
        BcPGPDigestCalculatorProvider bcPGPDigestCalculatorProvider = new BcPGPDigestCalculatorProvider();
        if (passphrase.isEmpty() && pGPSecretKey.getKeyEncryptionAlgorithm() != SymmetricKeyAlgorithm.NULL.getAlgorithmId()) {
            throw new PGPException("Cannot unlock encrypted private key with empty passphrase.");
        }
        if (!passphrase.isEmpty() && pGPSecretKey.getKeyEncryptionAlgorithm() == SymmetricKeyAlgorithm.NULL.getAlgorithmId()) {
            throw new PGPException("Cannot unlock unprotected private key with non-empty passphrase.");
        }
        UnlockSecretKey.unlockSecretKey(pGPSecretKey, passphrase.isEmpty() ? null : new BcPBESecretKeyDecryptorBuilder(bcPGPDigestCalculatorProvider).build(passphrase.getChars()));
    }

    private void signDummyMessageWithKeysAndPassphrase(PGPSecretKeyRing pGPSecretKeyRing, Passphrase passphrase) throws IOException, PGPException {
        EncryptionStream withOptions = PGPainless.encryptAndOrSign().onOutputStream(new ByteArrayOutputStream()).withOptions(ProducerOptions.sign(SigningOptions.get().addInlineSignature(PasswordBasedSecretKeyRingProtector.forKey(pGPSecretKeyRing, passphrase), pGPSecretKeyRing, DocumentSignatureType.BINARY_DOCUMENT)));
        StreamUtil.pipeAll(new ByteArrayInputStream("dummy".getBytes()), withOptions);
        withOptions.close();
    }
}
