package org.apache.brooklyn.util.core.crypto;

import com.google.common.io.Files;
import java.io.File;
import java.nio.charset.Charset;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.brooklyn.util.core.ResourceUtils;
import org.apache.brooklyn.util.core.crypto.SecureKeys;
import org.apache.brooklyn.util.crypto.AuthorizedKeysParser;
import org.apache.brooklyn.util.os.Os;
import org.apache.brooklyn.util.stream.Streams;
import org.testng.Assert;
import org.testng.annotations.Test;

/* loaded from: input_file:org/apache/brooklyn/util/core/crypto/SecureKeysAndSignerTest.class */
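/**
 * Exercises certificate signing and trust checks ({@link FluentKeySigner}, {@link SecureKeys})
 * and key parsing (PEM key pairs, authorized_keys-style public keys).
 *
 * <p>All key material read from the classpath is sample data shipped with the tests.
 */
public class SecureKeysAndSignerTest {
    private static final String RSA_PEM = "classpath://brooklyn/util/crypto/sample_rsa.pem";
    private static final String RSA_PUB = "classpath://brooklyn/util/crypto/sample_rsa.pem.pub";
    private static final String DSA_PEM = "classpath://brooklyn/util/crypto/sample_dsa.pem";
    private static final String DSA_PUB = "classpath://brooklyn/util/crypto/sample_dsa.pem.pub";
    private static final String RSA_PASSPHRASE_PEM = "classpath://brooklyn/util/crypto/sample_rsa_passphrase.pem";

    /**
     * Checks that certificates issued by a self-signed root are attributed to that root only,
     * and that a trust manager built for one leaf certificate rejects a sibling leaf.
     */
    @Test(groups = {"Integration"})
    public void testGenerateSignedKeys() throws Exception {
        FluentKeySigner rootSigner = new FluentKeySigner("the-root").validForYears(2L).selfsign();
        X509Certificate rootCert = rootSigner.getAuthorityCertificate();
        X509Certificate certA = rootSigner.newCertificateFor("A", SecureKeys.newKeyPair());
        X509Certificate certB = rootSigner.newCertificateFor("B", SecureKeys.newKeyPair());
        X509Certificate unrelatedRootCert = new FluentKeySigner("self1").selfsign().getAuthorityCertificate();

        // Positive cases: each trust manager accepts the certificate it was built from.
        SecureKeys.getTrustManager(certA).checkClientTrusted(new X509Certificate[]{certA}, "RSA");
        SecureKeys.getTrustManager(rootCert).checkClientTrusted(new X509Certificate[]{rootCert}, "RSA");

        // Negative case: sharing an issuer must not make B acceptable where only A is trusted.
        try {
            SecureKeys.getTrustManager(certA).checkClientTrusted(new X509Certificate[]{certB}, "RSA");
            Assert.fail("Trust manager for A should not accept B");
        } catch (CertificateException expected) {
            // Rejection is the required outcome; Assert.fail above raises an AssertionError,
            // which this catch does not intercept.
        }

        // NOTE(review): the meaning of the third argument (false) is not visible in this file -
        // confirm against SecureKeys.isCertificateAuthorizedBy before relying on it.
        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(rootCert, rootCert, false),
                "self-signed root should be authorized by itself");
        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(certA, rootCert, false),
                "A should be authorized by the root that issued it");
        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(certB, rootCert, false),
                "B should be authorized by the root that issued it");

        // Authorization must not run from leaf to root, nor between sibling leaves.
        Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(rootCert, certA),
                "root must not be authorized by a leaf it issued");
        Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(certB, certA),
                "B must not be authorized by sibling A");

        // A second, independent self-signed root vouches for itself but is not vouched for by the first.
        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(unrelatedRootCert, unrelatedRootCert, false),
                "independent self-signed root should be authorized by itself");
        Assert.assertFalse(SecureKeys.isCertificateAuthorizedBy(unrelatedRootCert, rootCert),
                "independent root must not be authorized by the-root");
    }

    /**
     * Checks that a signer rebuilt from an existing authority certificate and its key pair keeps
     * the common name and can issue certificates attributed to that authority.
     */
    @Test
    public void testInjectCertificateAuthority() throws Exception {
        KeyPair caKeyPair = SecureKeys.newKeyPair();
        // NOTE(review): ca(0) presumably marks the certificate as a CA with a path-length limit - confirm.
        X509Certificate caCert = new FluentKeySigner("the-root", caKeyPair).ca(0).selfsign().getAuthorityCertificate();
        FluentKeySigner injectedSigner = new FluentKeySigner(caCert, caKeyPair);

        // TestNG argument order is (actual, expected); the original had them swapped,
        // which only affects the wording of a failure message.
        Assert.assertEquals(injectedSigner.getCommonName(), "the-root");
        X509Certificate issued = injectedSigner.newCertificateFor("A", SecureKeys.newKeyPair());
        Assert.assertTrue(SecureKeys.isCertificateAuthorizedBy(issued, caCert, false),
                "certificate issued by the injected signer should be authorized by the injected CA");
    }

    /** Reads the sample RSA private-key PEM and checks both halves of the pair are non-empty. */
    @Test
    public void testReadRsaKey() throws Exception {
        checkNonTrivial(readPem(RSA_PEM, null));
    }

    /** Feeding the .pub file to the PEM key-pair reader must fail rather than yield a key pair. */
    @Test(expectedExceptions = {IllegalStateException.class})
    public void testReadRsaPublicKeyAsPemFails() throws Exception {
        readPem(RSA_PUB, null);
    }

    /** The public key decoded from the .pub file must equal the public half of the PEM key pair. */
    @Test
    public void testReadRsaPublicKeyAsAuthKeysWorks() throws Exception {
        String pubFileContents = ResourceUtils.create(this).getResourceAsString(RSA_PUB);
        PublicKey fromPubFile = AuthorizedKeysParser.decodePublicKey(pubFileContents);
        PublicKey fromPem = readPem(RSA_PEM, null).getPublic();
        Assert.assertEquals(fromPubFile, fromPem);
    }

    /** Round-trips the sample RSA public key through decode and encode. */
    @Test
    public void testEncodeDecodeRsaPublicKey() throws Exception {
        assertPublicKeyRoundTrips(RSA_PUB);
    }

    /** Round-trips the sample DSA public key through decode and encode. */
    @Test
    public void testEncodeDecodeDsaPublicKey() throws Exception {
        assertPublicKeyRoundTrips(DSA_PUB);
    }

    /** Reads the sample DSA private-key PEM and checks both halves of the pair are non-empty. */
    @Test
    public void testReadDsaKey() throws Exception {
        checkNonTrivial(readPem(DSA_PEM, null));
    }

    /**
     * A passphrase-protected key must not load when no passphrase is supplied.
     *
     * <p>The expectation was {@code Exception.class}, which also passes on unrelated failures
     * such as a missing resource. It is narrowed to the type that
     * {@link #testReadRsaPassphraseWithoutKeyFails()} already requires for the identical call.
     */
    @Test(expectedExceptions = {SecureKeys.PassphraseProblem.class})
    public void testCantReadRsaPassphraseKeyWithoutPassphrase() throws Exception {
        checkNonTrivial(readPem(RSA_PASSPHRASE_PEM, null));
    }

    /** Reading the passphrase-protected key with a null passphrase must raise PassphraseProblem. */
    @Test(expectedExceptions = {SecureKeys.PassphraseProblem.class})
    public void testReadRsaPassphraseWithoutKeyFails() throws Exception {
        readPem(RSA_PASSPHRASE_PEM, null);
    }

    /**
     * Decrypts the passphrase-protected sample key, writes it back out as PEM, and checks the
     * re-read key pair is byte-identical when read with no passphrase.
     */
    @Test
    public void testReadRsaPassphraseKeyAndWriteWithoutPassphrase() throws Exception {
        KeyPair decrypted = readPem(RSA_PASSPHRASE_PEM, "passphrase");
        checkNonTrivial(decrypted);

        // This file holds an unencrypted private key. It is only the published sample key, but
        // the file is removed as soon as the assertions finish instead of lingering in the temp
        // directory. Real key material would additionally need owner-only file permissions.
        File decryptedPemFile = Os.newTempFile(getClass(), "brooklyn-sample_rsa_passphrase_without_passphrase.pem");
        try {
            Files.write(SecureKeys.toPem(decrypted), decryptedPemFile, Charset.defaultCharset());
            KeyPair reread = readPem(decryptedPemFile.toURI().toString(), null);
            checkNonTrivial(reread);
            Assert.assertEquals(reread.getPrivate().getEncoded(), decrypted.getPrivate().getEncoded());
            Assert.assertEquals(reread.getPublic().getEncoded(), decrypted.getPublic().getEncoded());
        } finally {
            if (!decryptedPemFile.delete()) {
                // Could not remove it now (e.g. still locked); fall back to removal at JVM exit.
                decryptedPemFile.deleteOnExit();
            }
        }
    }

    /**
     * Decodes the public key at {@code url}, re-encodes it, and checks that the encoded form
     * appears in the original file and decodes back to an equal key.
     */
    private void assertPublicKeyRoundTrips(String url) {
        String fileContents = ResourceUtils.create(this).getResourceAsString(url);
        PublicKey decoded = AuthorizedKeysParser.decodePublicKey(fileContents);
        String reencoded = AuthorizedKeysParser.encodePublicKey(decoded);
        Assert.assertTrue(fileContents.contains(reencoded), "Expected to find '" + reencoded + "' in '" + fileContents + "'");
        Assert.assertEquals(AuthorizedKeysParser.decodePublicKey(reencoded), decoded);
    }

    /** Fails unless the key pair is present and both keys have a non-empty encoded form. */
    private void checkNonTrivial(KeyPair keyPair) {
        Assert.assertNotNull(keyPair, "key pair");
        Assert.assertTrue(keyPair.getPrivate().getEncoded().length > 0, "private key encoding is empty");
        Assert.assertTrue(keyPair.getPublic().getEncoded().length > 0, "public key encoding is empty");
    }

    /**
     * Loads the resource at {@code str} fully and parses it as a PEM key pair.
     *
     * @param str  resource URL (classpath:// or file URI)
     * @param str2 passphrase, or {@code null} when the key is expected to be unencrypted
     */
    private KeyPair readPem(String str, String str2) {
        return SecureKeys.readPem(Streams.readFullyAndClose(ResourceUtils.create(this).getResourceFromUrl(str)), str2);
    }
}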
