package org.apache.brooklyn.util.jmx.jmxmp;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Properties;
import javax.management.remote.JMXConnectorServer;
import org.apache.brooklyn.util.core.crypto.FluentKeySigner;
import org.apache.brooklyn.util.core.crypto.SecureKeys;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:org/apache/brooklyn/util/jmx/jmxmp/JmxmpAgentSslTest.class */
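/**
 * Exercises the JMXMP agent with and without TLS and mutual certificate authentication.
 *
 * <p>Each test populates the server/client key stores and trust stores from a small
 * certificate hierarchy built in {@link #setup()}, starts a connector through
 * {@code JmxmpAgent}, and then connects with {@code JmxmpClient}:
 *
 * <pre>
 *   ca-root (self-signed CA)
 *    +- ca-child    (issued by ca-root, itself used as a signer)
 *    |   +- grandchild (issued by ca-child)
 *    +- child-2     (issued by ca-root)
 *   self-1, self-2  (each signed with its own key, unrelated to ca-root)
 * </pre>
 *
 * <p>The negative tests check that a peer presenting a certificate outside the trusted
 * hierarchy is rejected, including the case where an untrusted key is shipped with a
 * chain that names a trusted CA it was never signed by.
 */
public class JmxmpAgentSslTest {
    // Registered once so the certificate helpers used below have the provider available.
    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    /** URL every test connects to; the port is assumed to be the agent's default - TODO confirm. */
    private static final String JMXMP_URL = "service:jmx:jmxmp://localhost:11099";

    private static final String SSL_ENABLED_PROPERTY = "com.sun.management.jmxremote.ssl";
    private static final String AUTHENTICATE_PROPERTY = "brooklyn.jmxmp.ssl.authenticate";
    private static final String KEYSTORE_PROPERTY = "brooklyn.jmxmp.ssl.keyStore";
    private static final String TRUSTSTORE_PROPERTY = "brooklyn.jmxmp.ssl.trustStore";

    /** Empty store/key password used throughout; acceptable only because every key here is a throwaway test key. */
    private static final char[] EMPTY_PASSWORD = new char[0];

    // Root CA: key, signer and self-signed authority certificate.
    KeyPair caRootKey;
    FluentKeySigner caRootSigner;
    X509Certificate caRootCert;
    // Intermediate issued by the root and used to sign "grandchild".
    KeyPair caChildKey;
    X509Certificate caChildCert;
    FluentKeySigner caChildSigner;
    // Leaf issued by the intermediate.
    KeyPair grandchildKey;
    X509Certificate grandchildCert;
    // Leaf issued directly by the root.
    KeyPair child2Key;
    X509Certificate child2Cert;
    // Certificates signed with their own keys, i.e. outside the ca-root hierarchy.
    KeyPair selfSign1Key;
    X509Certificate selfSign1Cert;
    KeyPair selfSign2Key;
    X509Certificate selfSign2Cert;
    // Stores handed to the server (via temp files) and to the client (in memory).
    KeyStore serverKeystore;
    KeyStore serverTruststore;
    KeyStore clientTruststore;
    KeyStore clientKeystore;
    JMXConnectorServer server;

    /**
     * Builds a fresh certificate hierarchy and four empty key stores before every test.
     *
     * @throws Exception if key generation, signing or key store initialisation fails
     */
    @BeforeMethod
    public void setup() throws Exception {
        // ca(0) presumably marks the signer as a CA with a path-length constraint - TODO confirm.
        this.caRootSigner = new FluentKeySigner("ca-root").ca(0).selfsign();
        this.caRootKey = this.caRootSigner.getKey();
        this.caRootCert = this.caRootSigner.getAuthorityCertificate();

        this.caChildKey = SecureKeys.newKeyPair();
        this.caChildCert = this.caRootSigner.newCertificateFor("ca-child", this.caChildKey);
        this.caChildSigner = new FluentKeySigner("ca-child", this.caChildKey)
                .authorityKeyIdentifier(new AuthorityKeyIdentifierStructure(this.caChildCert));

        this.grandchildKey = SecureKeys.newKeyPair();
        this.grandchildCert = this.caChildSigner.newCertificateFor("grandchild", this.grandchildKey);

        this.child2Key = SecureKeys.newKeyPair();
        this.child2Cert = this.caRootSigner.newCertificateFor("child-2", this.child2Key);

        this.selfSign1Key = SecureKeys.newKeyPair();
        this.selfSign1Cert = new FluentKeySigner("self-1", this.selfSign1Key).newCertificateFor("self-1", this.selfSign1Key);
        this.selfSign2Key = SecureKeys.newKeyPair();
        this.selfSign2Cert = new FluentKeySigner("self-2", this.selfSign2Key).newCertificateFor("self-2", this.selfSign2Key);

        this.serverKeystore = newEmptyKeyStore();
        this.serverTruststore = newEmptyKeyStore();
        this.clientTruststore = newEmptyKeyStore();
        this.clientKeystore = newEmptyKeyStore();
    }

    /**
     * Stops the connector started by the test, if any.
     *
     * @throws Exception if stopping the connector fails
     */
    @AfterMethod
    public void teardown() throws Exception {
        if (this.server == null) {
            return;
        }
        try {
            this.server.stop();
        } finally {
            // Drop the reference even when stop() throws, so the next test starts clean.
            this.server = null;
        }
    }

    /** Creates an initialised, empty key store of the platform default type. */
    private static KeyStore newEmptyKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);
        return store;
    }

    /**
     * Writes {@code store} to a new temporary file and returns the file's absolute path.
     *
     * <p>The file is created even when {@code store} is {@code null}; it is then left empty.
     */
    private static String writeStoreToTempFile(KeyStore store, String prefix) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        // Files.createTempFile may apply tighter permissions than File.createTempFile, which
        // matters because the key store holds private keys behind an empty password.
        File file = Files.createTempFile(prefix, ".jmx.test").toFile();
        // Do not leave key material behind in the temp directory after the test JVM exits.
        file.deleteOnExit();
        if (store != null) {
            // try-with-resources: the stream was previously never closed.
            try (FileOutputStream out = new FileOutputStream(file)) {
                store.store(out, EMPTY_PASSWORD);
            }
        }
        return file.getAbsolutePath();
    }

    /**
     * Persists the server key store and trust store to temporary files and returns connector
     * properties pointing at them, with SSL and authentication both switched on.
     *
     * @return properties for {@code JmxmpAgent.startJmxmpConnector}
     */
    private Properties saveStoresAndGetConnectorProperties() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, FileNotFoundException {
        String keystorePath = writeStoreToTempFile(this.serverKeystore, "server-keystore");
        String truststorePath = writeStoreToTempFile(this.serverTruststore, "server-truststore");

        Properties properties = new Properties();
        properties.put(KEYSTORE_PROPERTY, keystorePath);
        properties.put(TRUSTSTORE_PROPERTY, truststorePath);
        properties.put(SSL_ENABLED_PROPERTY, "true");
        properties.put(AUTHENTICATE_PROPERTY, "true");
        return properties;
    }

    /** Discards all four stores, for the tests that run without any key material. */
    private void clearAllStores() {
        this.serverKeystore = null;
        this.serverTruststore = null;
        this.clientKeystore = null;
        this.clientTruststore = null;
    }

    /** Baseline: with SSL and authentication both off, a plain client connection succeeds. */
    @Test
    public void testNoAuth() throws Exception {
        clearAllStores();
        Properties properties = saveStoresAndGetConnectorProperties();
        properties.put(SSL_ENABLED_PROPERTY, "false");
        properties.put(AUTHENTICATE_PROPERTY, "false");
        this.server = new JmxmpAgent().startJmxmpConnector(properties);
        new JmxmpClient().connect(JMXMP_URL, new LinkedHashMap());
    }

    /** Requesting authentication while SSL is off must be refused with {@link IllegalStateException}. */
    @Test(expectedExceptions = {IllegalStateException.class})
    public void testAuthWithoutSslFails() throws Exception {
        clearAllStores();
        Properties properties = saveStoresAndGetConnectorProperties();
        properties.put(SSL_ENABLED_PROPERTY, "false");
        properties.put(AUTHENTICATE_PROPERTY, "true");
        this.server = new JmxmpAgent().startJmxmpConnector(properties);
        new JmxmpClient().connect(JMXMP_URL, new LinkedHashMap());
    }

    /**
     * Happy path: the server presents child-2 (chain up to ca-root) and trusts ca-child; the
     * client presents grandchild (issued by ca-child) and trusts ca-root.
     */
    @Test(groups = {"Integration"})
    public void testAllGoodSignatures() throws Exception {
        this.serverKeystore.setKeyEntry("child-2", this.child2Key.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.child2Cert, this.caRootCert});
        this.serverTruststore.setCertificateEntry("ca-child", this.caChildCert);
        this.clientKeystore.setKeyEntry("grandchild", this.grandchildKey.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.grandchildCert});
        this.clientTruststore.setCertificateEntry("ca-root", this.caRootCert);
        this.server = new JmxmpAgent().startJmxmpConnector(saveStoresAndGetConnectorProperties());
        new JmxmpClient().connectTls(JMXMP_URL, this.clientKeystore, "", this.clientTruststore);
    }

    /**
     * The server presents self-1, which the client (trusting only ca-root) must reject.
     *
     * <p>NOTE(review): {@code expectedExceptions = Exception.class} also passes when any earlier
     * step fails (key store setup, connector start-up, a busy port), so this does not by itself
     * prove the failure came from certificate validation. The same applies to the other
     * negative tests in this class. Narrow the expected type once it is known.
     */
    @Test(expectedExceptions = {Exception.class})
    public void testWrongServerKey() throws Exception {
        this.serverKeystore.setKeyEntry("self-1", this.selfSign1Key.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.selfSign1Cert});
        this.serverTruststore.setCertificateEntry("ca-child", this.caChildCert);
        this.clientKeystore.setKeyEntry("grandchild", this.grandchildKey.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.grandchildCert});
        this.clientTruststore.setCertificateEntry("ca-root", this.caRootCert);
        this.server = new JmxmpAgent().startJmxmpConnector(saveStoresAndGetConnectorProperties());
        new JmxmpClient().connectTls(JMXMP_URL, this.clientKeystore, "", this.clientTruststore);
    }

    /**
     * The server presents self-1 with ca-child appended to its chain, although ca-child never
     * signed it; the connection must still fail.
     *
     * <p>NOTE(review): the broad expected exception means a rejection by
     * {@code KeyStore.setKeyEntry} of the inconsistent chain would also satisfy this test
     * without the TLS handshake ever running - confirm which step actually throws.
     */
    @Test(expectedExceptions = {Exception.class})
    public void testLyingServerChain() throws Exception {
        this.serverKeystore.setKeyEntry("self-1", this.selfSign1Key.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.selfSign1Cert, this.caChildCert});
        this.serverTruststore.setCertificateEntry("ca-child", this.caChildCert);
        this.clientKeystore.setKeyEntry("grandchild", this.grandchildKey.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.grandchildCert, this.caChildCert});
        this.clientTruststore.setCertificateEntry("ca-root", this.caRootCert);
        this.server = new JmxmpAgent().startJmxmpConnector(saveStoresAndGetConnectorProperties());
        new JmxmpClient().connectTls(JMXMP_URL, this.clientKeystore, "", this.clientTruststore);
    }

    /** The client presents self-1, which the server (trusting only ca-child) must reject. */
    @Test(expectedExceptions = {Exception.class})
    public void testWrongClientKey() throws Exception {
        this.serverKeystore.setKeyEntry("child-2", this.child2Key.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.child2Cert, this.caRootCert});
        this.serverTruststore.setCertificateEntry("ca-child", this.caChildCert);
        this.clientKeystore.setKeyEntry("self-1", this.selfSign1Key.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.selfSign1Cert});
        this.clientTruststore.setCertificateEntry("ca-root", this.caRootCert);
        this.server = new JmxmpAgent().startJmxmpConnector(saveStoresAndGetConnectorProperties());
        new JmxmpClient().connectTls(JMXMP_URL, this.clientKeystore, "", this.clientTruststore);
    }

    /**
     * The client presents self-1 with ca-child appended to its chain, although ca-child never
     * signed it; the connection must still fail.
     */
    @Test(expectedExceptions = {Exception.class})
    public void testLyingClientChain() throws Exception {
        this.serverKeystore.setKeyEntry("child-2", this.child2Key.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.child2Cert, this.caRootCert});
        this.serverTruststore.setCertificateEntry("ca-child", this.caChildCert);
        this.clientKeystore.setKeyEntry("self-1", this.selfSign1Key.getPrivate(), EMPTY_PASSWORD, new Certificate[]{this.selfSign1Cert, this.caChildCert});
        this.clientTruststore.setCertificateEntry("ca-root", this.caRootCert);
        this.server = new JmxmpAgent().startJmxmpConnector(saveStoresAndGetConnectorProperties());
        new JmxmpClient().connectTls(JMXMP_URL, this.clientKeystore, "", this.clientTruststore);
    }
}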
