package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.test.helper.file.FileHelper;
import com.floragunn.searchguard.ssl.util.CertificateValidator;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import java.io.FileInputStream;
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilderException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/ssl/CertificateValidatorTest.class */
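/**
 * Tests for {@link CertificateValidator} covering revocation checking against a static CRL
 * and against a CRL distribution point (CRLDP).
 *
 * <p>Every validator is pinned to {@link #CRL_DATE} so that the outcome does not depend on
 * the wall clock (fixture certificates and CRLs have limited validity periods).
 *
 * <p>Each fixture stream is opened with try-with-resources so it is closed on every path.
 */
public class CertificateValidatorTest {
    /** Fixed validation instant (2018-05-05T18:53:46Z) passed to every validator under test. */
    public static final Date CRL_DATE = new Date(1525546426000L);
    protected final Logger log = LogManager.getLogger(getClass());

    /**
     * A certificate listed in the static CRL must be rejected, and the root cause must be a
     * {@link CertificateRevokedException}.
     */
    @Test
    public void testStaticCRL() throws Exception {
        Collection<? extends CRL> crls = loadCrls("ssl/crl/revoked.crl");
        Assert.assertEquals(1, crls.size());

        Collection<? extends Certificate> trustedCerts = loadCertificates("ssl/chain-ca.pem");
        Assert.assertEquals(2, trustedCerts.size());

        Collection<? extends Certificate> revokedChain = loadCertificates("ssl/crl/revoked.crt.pem");
        Assert.assertEquals(2, revokedChain.size());

        CertificateValidator validator = new CertificateValidator(toX509Array(trustedCerts), crls);
        validator.setDate(CRL_DATE);

        // Keep the static type Certificate[] so the same validate(...) signature is selected.
        Certificate[] chain = toX509Array(revokedChain);
        try {
            validator.validate(chain);
            Assert.fail("Expected validation to reject the revoked certificate");
        } catch (CertificateException e) {
            Assert.assertTrue(ExceptionUtils.getRootCause(e) instanceof CertificateRevokedException);
        }
    }

    /**
     * A certificate chain that is not the revoked fixture must validate without error while
     * the same static CRL is loaded.
     */
    @Test
    public void testStaticCRLOk() throws Exception {
        Collection<? extends CRL> crls = loadCrls("ssl/crl/revoked.crl");
        Assert.assertEquals(1, crls.size());

        Collection<? extends Certificate> trustedCerts = loadCertificates("ssl/chain-ca.pem");
        Assert.assertEquals(2, trustedCerts.size());

        Collection<? extends Certificate> nodeChain = loadCertificates("ssl/node-0.crt.pem");
        Assert.assertEquals(3, nodeChain.size());

        CertificateValidator validator = new CertificateValidator(toX509Array(trustedCerts), crls);
        validator.setDate(CRL_DATE);

        Certificate[] chain = toX509Array(nodeChain);
        try {
            validator.validate(chain);
        } catch (CertificateException e) {
            // Surface the innermost cause so a failure shows the actual path-validation error.
            Assert.fail(ExceptionsHelper.stackTrace(ExceptionUtils.getRootCause(e)));
        }
    }

    /**
     * With an empty CRL list and CRLDP left at its default, validation must fail rather than
     * accept the chain: the test expects a {@link CertPathBuilderException} as the direct cause.
     */
    @Test
    public void testNoValidationPossible() throws Exception {
        Collection<? extends Certificate> trustedCerts = loadCertificates("ssl/chain-ca.pem");
        Assert.assertEquals(2, trustedCerts.size());

        Collection<? extends Certificate> revokedChain = loadCertificates("ssl/crl/revoked.crt.pem");
        Assert.assertEquals(2, revokedChain.size());

        CertificateValidator validator =
                new CertificateValidator(toX509Array(trustedCerts), Collections.emptyList());
        validator.setDate(CRL_DATE);

        Certificate[] chain = toX509Array(revokedChain);
        try {
            validator.validate(chain);
            Assert.fail("Expected validation to fail when no revocation data is available");
        } catch (CertificateException e) {
            Assert.assertTrue(e.getCause() instanceof CertPathBuilderException);
            Assert.assertTrue(e.getCause().getMessage().contains("unable to find valid certification path to requested target"));
        }
    }

    /**
     * With CRLDP enabled and no static CRLs, the revoked certificate must still be rejected
     * with a {@link CertificateRevokedException} as root cause.
     *
     * <p>NOTE(review): presumably the revocation data is fetched from the distribution point
     * named in the fixture certificate, which would make this test depend on that endpoint
     * being reachable; confirm against the fixture.
     */
    @Test
    public void testCRLDP() throws Exception {
        // "ocsp.enable" is a JVM-wide security property; remember the old value so that this
        // test does not silently change revocation behaviour for tests that run after it.
        String previousOcspSetting = Security.getProperty("ocsp.enable");
        Security.setProperty("ocsp.enable", "true");
        try {
            Collection<? extends Certificate> trustedCerts = loadCertificates("ssl/root-ca.pem");
            Assert.assertEquals(1, trustedCerts.size());

            Collection<? extends Certificate> revokedChain = loadCertificates("ssl/crl/revoked.crt.pem");
            Assert.assertEquals(2, revokedChain.size());

            CertificateValidator validator =
                    new CertificateValidator(toX509Array(trustedCerts), Collections.emptyList());
            validator.setEnableCRLDP(true);
            validator.setDate(CRL_DATE);

            Certificate[] chain = toX509Array(revokedChain);
            try {
                validator.validate(chain);
                Assert.fail("Expected validation to reject the revoked certificate via CRLDP");
            } catch (CertificateException e) {
                Assert.assertTrue(ExceptionUtils.getRootCause(e) instanceof CertificateRevokedException);
            }
        } finally {
            // Security.setProperty does not accept null, so a previously unset property is
            // restored as "false".
            Security.setProperty("ocsp.enable", previousOcspSetting != null ? previousOcspSetting : "false");
        }
    }

    /** Parses all X.509 certificates from the given classpath resource and closes the stream. */
    private static Collection<? extends Certificate> loadCertificates(String resource) throws Exception {
        try (FileInputStream in = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(resource).toFile())) {
            return CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
    }

    /** Parses all X.509 CRLs from the given classpath resource and closes the stream. */
    private static Collection<? extends CRL> loadCrls(String resource) throws Exception {
        try (FileInputStream in = new FileInputStream(FileHelper.getAbsoluteFilePathFromClassPath(resource).toFile())) {
            return CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
    }

    /** Copies the collection into an {@code X509Certificate[]}; fails if an element is not X.509. */
    private static X509Certificate[] toX509Array(Collection<? extends Certificate> certificates) {
        return certificates.toArray(new X509Certificate[0]);
    }
}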
