package io.netty.pkitesting;

import io.netty.pkitesting.CertificateBuilder;
import io.netty.util.internal.PlatformDependent;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertSelector;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.OptionalInt;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.condition.EnabledForJreRange;
import org.junit.jupiter.api.condition.JRE;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.EnumSource;

/* loaded from: input_file:io/netty/pkitesting/CertificateBuilderTest.class */
class CertificateBuilderTest {
    private static final Instant NOW = Instant.now();
    private static final String SUBJECT = "CN=netty.io, O=Netty";
    private static final CertificateBuilder BASE = new CertificateBuilder().notBefore(NOW.minus(1L, (TemporalUnit) ChronoUnit.DAYS)).notAfter(NOW.plus(1L, (TemporalUnit) ChronoUnit.DAYS)).subject(SUBJECT);
    private static final SecureRandom RNG = new SecureRandom();

    CertificateBuilderTest() {
    }

    @EnumSource
    @ParameterizedTest
    void createCertOfEveryKeyType(CertificateBuilder.Algorithm algorithm) throws Exception {
        Assumptions.assumeTrue((algorithm == CertificateBuilder.Algorithm.rsa4096 || algorithm == CertificateBuilder.Algorithm.rsa8192) ? false : true);
        Assumptions.assumeTrue(algorithm.isSupported());
        Assumptions.assumeTrue(algorithm.supportSigning());
        X509Bundle buildSelfSigned = BASE.copy().algorithm(algorithm).setIsCertificateAuthority(true).buildSelfSigned();
        X509Certificate certificate = buildSelfSigned.getCertificate();
        Assertions.assertTrue(buildSelfSigned.isCertificateAuthority());
        Assertions.assertTrue(buildSelfSigned.isSelfSigned());
        org.assertj.core.api.Assertions.assertThat(certificate.getSubjectX500Principal()).isEqualTo(new X500Principal(SUBJECT));
    }

    @EnumSource
    @ParameterizedTest
    void createKeyPairOfEveryKeyType(CertificateBuilder.Algorithm algorithm) throws Exception {
        Assumptions.assumeTrue((algorithm == CertificateBuilder.Algorithm.rsa4096 || algorithm == CertificateBuilder.Algorithm.rsa8192) ? false : true);
        Assumptions.assumeTrue(algorithm.isSupported());
        KeyPair generateKeyPair = algorithm.generateKeyPair(RNG);
        Assertions.assertNotNull(generateKeyPair);
        Assertions.assertNotNull(generateKeyPair.getPrivate());
        Assertions.assertNotNull(generateKeyPair.getPublic());
    }

    @EnabledForJreRange(min = JRE.JAVA_24, disabledReason = "ML-KEM is only supported in Java 24 onwards")
    @EnumSource(names = {"mlKem512", "mlKem768", "mlKem1024"})
    @ParameterizedTest
    void createMlKemCerts(CertificateBuilder.Algorithm algorithm) throws Exception {
        CertificateBuilder algorithm2 = BASE.copy().algorithm(algorithm);
        Assertions.assertThrows(IllegalStateException.class, () -> {
            algorithm2.copy().setIsCertificateAuthority(true).buildSelfSigned();
        });
        CertificateBuilder algorithm3 = BASE.copy().algorithm(CertificateBuilder.Algorithm.mlDsa44);
        X509Bundle buildIssuedBy = algorithm2.buildIssuedBy(algorithm3.subject("CN=issuer.netty.io, O=Netty").setIsCertificateAuthority(true).buildSelfSigned());
        X509Certificate certificate = buildIssuedBy.getCertificate();
        Assertions.assertFalse(buildIssuedBy.isCertificateAuthority());
        Assertions.assertFalse(buildIssuedBy.isSelfSigned());
        org.assertj.core.api.Assertions.assertThat(certificate.getSubjectX500Principal()).isEqualTo(new X500Principal(SUBJECT));
        org.assertj.core.api.Assertions.assertThat((IllegalArgumentException) Assertions.assertThrows(IllegalArgumentException.class, () -> {
            algorithm3.buildIssuedBy(buildIssuedBy);
        })).hasMessageContaining("cannot be used for signing");
    }

    @Test
    void createCertIssuedBySameAlgorithm() throws Exception {
        CertificateBuilder ecp256 = BASE.copy().ecp256();
        X509Bundle buildSelfSigned = ecp256.copy().setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).setIsCertificateAuthority(true).buildSelfSigned();
        X509Bundle buildIssuedBy = ecp256.copy().subject("CN=leaf.netty.io, O=Netty").buildIssuedBy(buildSelfSigned);
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getSubjectX500Principal()).isEqualTo(new X500Principal("CN=leaf.netty.io, O=Netty"));
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getIssuerX500Principal()).isEqualTo(new X500Principal(SUBJECT));
        Signature signature = Signature.getInstance(buildIssuedBy.getCertificate().getSigAlgName());
        signature.initVerify(buildSelfSigned.getCertificate());
        signature.update(buildIssuedBy.getCertificate().getTBSCertificate());
        Assertions.assertTrue(signature.verify(buildIssuedBy.getCertificate().getSignature()));
    }

    @Test
    void createCertIssuedByDifferentAlgorithmEcp384vsEcp256() throws Exception {
        X509Bundle buildSelfSigned = BASE.copy().algorithm(CertificateBuilder.Algorithm.ecp384).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).setIsCertificateAuthority(true).buildSelfSigned();
        X509Bundle buildIssuedBy = BASE.copy().ecp256().subject("CN=leaf.netty.io, O=Netty").buildIssuedBy(buildSelfSigned);
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getSubjectX500Principal()).isEqualTo(new X500Principal("CN=leaf.netty.io, O=Netty"));
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getIssuerX500Principal()).isEqualTo(new X500Principal(SUBJECT));
        Signature signature = Signature.getInstance(buildIssuedBy.getCertificate().getSigAlgName());
        signature.initVerify(buildSelfSigned.getCertificate());
        signature.update(buildIssuedBy.getCertificate().getTBSCertificate());
        Assertions.assertTrue(signature.verify(buildIssuedBy.getCertificate().getSignature()));
    }

    @Test
    void createCertIssuedByDifferentAlgorithmEcp256vsRsa2048() throws Exception {
        X509Bundle buildSelfSigned = BASE.copy().ecp256().setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).setIsCertificateAuthority(true).buildSelfSigned();
        X509Bundle buildIssuedBy = BASE.copy().rsa2048().subject("CN=leaf.netty.io, O=Netty").buildIssuedBy(buildSelfSigned);
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getSubjectX500Principal()).isEqualTo(new X500Principal("CN=leaf.netty.io, O=Netty"));
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getIssuerX500Principal()).isEqualTo(new X500Principal(SUBJECT));
        Signature signature = Signature.getInstance(buildIssuedBy.getCertificate().getSigAlgName());
        signature.initVerify(buildSelfSigned.getCertificate());
        signature.update(buildIssuedBy.getCertificate().getTBSCertificate());
        Assertions.assertTrue(signature.verify(buildIssuedBy.getCertificate().getSignature()));
    }

    @Test
    void createCertIssuedByDifferentAlgorithmEd25519vEcp256() throws Exception {
        X509Bundle buildSelfSigned = BASE.copy().algorithm(CertificateBuilder.Algorithm.ed25519).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).setIsCertificateAuthority(true).buildSelfSigned();
        X509Bundle buildIssuedBy = BASE.copy().ecp256().subject("CN=leaf.netty.io, O=Netty").buildIssuedBy(buildSelfSigned);
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getSubjectX500Principal()).isEqualTo(new X500Principal("CN=leaf.netty.io, O=Netty"));
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getIssuerX500Principal()).isEqualTo(new X500Principal(SUBJECT));
        Signature signature = Algorithms.signature(buildIssuedBy.getCertificate().getSigAlgName());
        signature.initVerify(buildSelfSigned.getCertificate());
        signature.update(buildIssuedBy.getCertificate().getTBSCertificate());
        Assertions.assertTrue(signature.verify(buildIssuedBy.getCertificate().getSignature()));
    }

    @Test
    void createCertIssuedByDifferentAlgorithmEd448vEcp256() throws Exception {
        X509Bundle buildSelfSigned = BASE.copy().algorithm(CertificateBuilder.Algorithm.ed448).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).setIsCertificateAuthority(true).buildSelfSigned();
        X509Bundle buildIssuedBy = BASE.copy().ecp256().subject("CN=leaf.netty.io, O=Netty").buildIssuedBy(buildSelfSigned);
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getSubjectX500Principal()).isEqualTo(new X500Principal("CN=leaf.netty.io, O=Netty"));
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getCertificate().getIssuerX500Principal()).isEqualTo(new X500Principal(SUBJECT));
        Signature signature = Algorithms.signature(buildIssuedBy.getCertificate().getSigAlgName());
        signature.initVerify(buildSelfSigned.getCertificate());
        signature.update(buildIssuedBy.getCertificate().getTBSCertificate());
        Assertions.assertTrue(signature.verify(buildIssuedBy.getCertificate().getSignature()));
    }

    @Test
    void createCertificateWithSans() throws Exception {
        X509Certificate certificate = BASE.copy().subject("CN=leaf.netty.io").addSanDirectoryName("CN=san.leaf.netty.io").addSanDnsName("san-1.leaf.netty.io").addSanDnsName("san-2.leaf.netty.io").addSanIpAddress("192.0.2.1").addSanRfc822Name("san@netty.io").addSanRegisteredId("1.2.840.113635.100.1.2.42").addSanUriName("spiffe://netty.io/example/san").addSanOtherName("1.2.840.113635.100.1.2.42", new byte[]{1, 1, 0}).buildIssuedBy(BASE.copy().setIsCertificateAuthority(true).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).buildSelfSigned()).getCertificate();
        Assertions.assertEquals(new X500Principal("CN=leaf.netty.io"), certificate.getSubjectX500Principal());
        ArrayList arrayList = new ArrayList(certificate.getSubjectAlternativeNames());
        org.assertj.core.api.Assertions.assertThat(arrayList).hasSize(8);
        org.assertj.core.api.Assertions.assertThat((List) arrayList.get(0)).isEqualTo(Arrays.asList(4, "CN=san.leaf.netty.io"));
        org.assertj.core.api.Assertions.assertThat((List) arrayList.get(1)).isEqualTo(Arrays.asList(2, "san-1.leaf.netty.io"));
        org.assertj.core.api.Assertions.assertThat((List) arrayList.get(2)).isEqualTo(Arrays.asList(2, "san-2.leaf.netty.io"));
        org.assertj.core.api.Assertions.assertThat((List) arrayList.get(3)).isEqualTo(Arrays.asList(7, "192.0.2.1"));
        org.assertj.core.api.Assertions.assertThat((List) arrayList.get(4)).isEqualTo(Arrays.asList(1, "san@netty.io"));
        org.assertj.core.api.Assertions.assertThat((List) arrayList.get(5)).isEqualTo(Arrays.asList(8, "1.2.840.113635.100.1.2.42"));
        org.assertj.core.api.Assertions.assertThat((List) arrayList.get(6)).isEqualTo(Arrays.asList(6, "spiffe://netty.io/example/san"));
        org.assertj.core.api.Assertions.assertThat(((List) arrayList.get(7)).get(0)).isEqualTo(0);
        if (PlatformDependent.javaVersion() >= 19) {
            org.assertj.core.api.Assertions.assertThat(((List) arrayList.get(7)).get(1)).isEqualTo(new byte[]{48, 17, 6, 10, 42, -122, 72, -122, -9, 99, 100, 1, 2, 42, -96, 3, 1, 1, 0});
        } else {
            org.assertj.core.api.Assertions.assertThat(((List) arrayList.get(7)).get(1)).isEqualTo(new byte[]{48, 19, 6, 10, 42, -122, 72, -122, -9, 99, 100, 1, 2, 42, -96, 5, -96, 3, 1, 1, 0});
        }
        if (((List) arrayList.get(7)).size() > 2) {
            org.assertj.core.api.Assertions.assertThat(((List) arrayList.get(7)).get(2)).isEqualTo("1.2.840.113635.100.1.2.42");
            org.assertj.core.api.Assertions.assertThat(((List) arrayList.get(7)).get(3)).isEqualTo(new byte[]{1, 1, 0});
        }
    }

    @Test
    void createCertificteWithExtendedKeyUsage() throws Exception {
        CertificateBuilder addExtendedKeyUsage = BASE.copy().setIsCertificateAuthority(true).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).addExtendedKeyUsage("1.2.840.113635.100.1.2.42");
        for (CertificateBuilder.ExtendedKeyUsage extendedKeyUsage : CertificateBuilder.ExtendedKeyUsage.values()) {
            addExtendedKeyUsage.addExtendedKeyUsage(extendedKeyUsage);
        }
        X509Bundle buildSelfSigned = addExtendedKeyUsage.buildSelfSigned();
        TreeSet treeSet = new TreeSet();
        treeSet.add("1.2.840.113635.100.1.2.42");
        for (CertificateBuilder.ExtendedKeyUsage extendedKeyUsage2 : CertificateBuilder.ExtendedKeyUsage.values()) {
            treeSet.add(extendedKeyUsage2.getOid());
        }
        org.assertj.core.api.Assertions.assertThat(buildSelfSigned.getCertificate().getExtendedKeyUsage()).containsExactlyInAnyOrderElementsOf(treeSet);
    }

    @Test
    void createCertificateWithOtherFields() throws Exception {
        X509Certificate certificate = BASE.copy().setIsCertificateAuthority(true).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign}).setPathLengthConstraint(OptionalInt.of(42)).serial(BigInteger.TEN).buildSelfSigned().getCertificate();
        org.assertj.core.api.Assertions.assertThat(certificate.getBasicConstraints()).isEqualTo(42);
        org.assertj.core.api.Assertions.assertThat(certificate.getSerialNumber()).isEqualTo(10);
        Assertions.assertEquals(3, certificate.getVersion());
        Assertions.assertFalse(certificate.hasUnsupportedCriticalExtension());
        org.assertj.core.api.Assertions.assertThat(certificate.getKeyUsage()).isEqualTo(new boolean[]{true, false, false, false, false, true, false, false, false});
        certificate.checkValidity();
        org.assertj.core.api.Assertions.assertThat(NOW.minus(1L, (TemporalUnit) ChronoUnit.DAYS).truncatedTo(ChronoUnit.SECONDS).toEpochMilli()).isEqualTo(certificate.getNotBefore().getTime());
        org.assertj.core.api.Assertions.assertThat(NOW.plus(1L, (TemporalUnit) ChronoUnit.DAYS).truncatedTo(ChronoUnit.SECONDS).toEpochMilli()).isEqualTo(certificate.getNotAfter().getTime());
    }

    @Test
    void validCertificatesWithCrlMustPassValidation() throws Exception {
        X509Bundle buildSelfSigned = BASE.copy().setIsCertificateAuthority(true).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign, CertificateBuilder.KeyUsage.cRLSign}).buildSelfSigned();
        RevocationServer revocationServer = RevocationServer.getInstance();
        revocationServer.register(buildSelfSigned);
        getX509TrustManager(buildSelfSigned).checkClientTrusted(BASE.copy().subject("CN=leaf.netty.io").addCrlDistributionPoint(revocationServer.getCrlUri(buildSelfSigned)).addExtendedKeyUsageClientAuth().buildIssuedBy(buildSelfSigned).getCertificatePath(), "EC");
    }

    @Test
    void revokedCertificatesWithCrlMustFailValidation() throws Exception {
        X509Bundle buildSelfSigned = BASE.copy().setIsCertificateAuthority(true).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign, CertificateBuilder.KeyUsage.cRLSign}).buildSelfSigned();
        RevocationServer revocationServer = RevocationServer.getInstance();
        revocationServer.register(buildSelfSigned);
        X509Bundle buildIssuedBy = BASE.copy().subject("CN=leaf.netty.io").addCrlDistributionPoint(revocationServer.getCrlUri(buildSelfSigned)).addExtendedKeyUsageClientAuth().buildIssuedBy(buildSelfSigned);
        revocationServer.revoke(buildIssuedBy, NOW);
        X509TrustManager x509TrustManager = getX509TrustManager(buildSelfSigned);
        org.assertj.core.api.Assertions.assertThat((CertificateException) Assertions.assertThrows(CertificateException.class, () -> {
            x509TrustManager.checkClientTrusted(buildIssuedBy.getCertificatePath(), "EC");
        })).hasMessageContaining("Certificate has been revoked");
    }

    @Test
    void generateCertificateWithGivenPublicKey() throws Exception {
        X509Bundle buildSelfSigned = BASE.copy().setIsCertificateAuthority(true).setKeyUsage(true, new CertificateBuilder.KeyUsage[]{CertificateBuilder.KeyUsage.digitalSignature, CertificateBuilder.KeyUsage.keyCertSign, CertificateBuilder.KeyUsage.cRLSign}).buildSelfSigned();
        KeyPair generateKeyPair = CertificateBuilder.Algorithm.ecp256.generateKeyPair(new SecureRandom());
        X509Bundle buildIssuedBy = BASE.copy().subject("CN=leaf.netty.io").publicKey(generateKeyPair.getPublic()).buildIssuedBy(buildSelfSigned);
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getKeyPair().getPublic()).isSameAs(generateKeyPair.getPublic());
        org.assertj.core.api.Assertions.assertThat(buildIssuedBy.getKeyPair().getPrivate()).isNull();
        Assertions.assertThrows(NullPointerException.class, () -> {
            buildIssuedBy.getPrivateKeyPEM();
        });
    }

    private static X509TrustManager getX509TrustManager(X509Bundle x509Bundle) throws Exception {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters((Set<TrustAnchor>) Collections.singleton(new TrustAnchor(x509Bundle.getCertificate(), null)), (CertSelector) null);
        pKIXBuilderParameters.addCertPathChecker((PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker());
        trustManagerFactory.init(new CertPathTrustManagerParameters(pKIXBuilderParameters));
        return (X509TrustManager) trustManagerFactory.getTrustManagers()[0];
    }
}
