package org.opensaml.security.x509.impl;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.opensaml.core.xml.XMLObjectBaseTestCase;
import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.PKIXTrustEvaluator;
import org.opensaml.security.x509.PKIXValidationInformation;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.X509Support;
import org.testng.Assert;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:org/opensaml/security/x509/impl/CertPathPKIXTrustEvaluatorTest.class */
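/**
 * Tests for {@link CertPathPKIXTrustEvaluator}.
 *
 * <p>The cases cover path construction from trust anchors and from the credential's own chain,
 * revocation checking with V1 and V2 CRLs (supplied either in the validation information or on the
 * credential), expired certificates and CRLs, maximum path depth, and certificate policy
 * processing (initial policies, anyPolicy inhibit, policy mapping inhibit).</p>
 *
 * <p>Fixture certificates and CRLs are loaded from the classpath directory named by
 * {@link #DATA_PATH}.</p>
 */
public class CertPathPKIXTrustEvaluatorTest extends XMLObjectBaseTestCase {

    /** Classpath directory holding the certificate and CRL fixtures used by these tests. */
    private static final String DATA_PATH = "/data/org/opensaml/security/x509/impl/";

    /** Evaluator under test; recreated with default options before each test method. */
    private PKIXTrustEvaluator pkixEvaluator;

    /** Trust anchors, CRLs and depth limit for the current test. */
    private PKIXValidationInformation info;

    /** Credential (entity certificate plus optional chain and CRLs) being validated. */
    private X509Credential cred;

    /** Policy-related options; only used by the policy tests, which build their own evaluator. */
    private CertPathPKIXValidationOptions opts;

    /** Mutable empty CRL set, shared by tests that supply no CRLs. */
    private static final Set<X509CRL> EMPTY_CRLS = new HashSet<>();

    /** Mutable empty anchor set, used by the "no trust anchors" case. */
    private static final Set<X509Certificate> EMPTY_ANCHORS = new HashSet<>();

    /** Default maximum certification path depth for tests that do not exercise the depth limit. */
    private static final Integer MAX_DEPTH = 10;

    /** Initial policy OID set used by the policy tests. */
    private static final Set<String> TEST_POLICY_1 = Collections.singleton("1.3.6.1.4.1.32473.2011.6.20");

    /** Second initial policy OID set, the target of the policy-mapping tests. */
    private static final Set<String> TEST_POLICY_2 = Collections.singleton("1.3.6.1.4.1.32473.2011.6.21");

    /**
     * Resets the evaluator and clears per-test state.
     *
     * @throws Exception never thrown here; kept for subclass overrides
     */
    @BeforeMethod
    protected void setUp() throws Exception {
        pkixEvaluator = new CertPathPKIXTrustEvaluator();
        info = null;
        cred = null;
        opts = null;
    }

    @Test
    public void testGood() {
        cred = getCredential("foo-1A1-good.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Valid path was specified", info, cred);
    }

    @Test
    public void testIncompletePath() {
        cred = getCredential("foo-1A1-good.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateFailure("Incomplete path was specified, missing issuing CA certificate", info, cred);
    }

    @Test
    public void testNoAnchors() {
        cred = getCredential("foo-1A1-good.crt");
        info = getPKIXInfoSet(EMPTY_ANCHORS, EMPTY_CRLS, MAX_DEPTH);
        testValidateProcessingError("No trust anchors specified", info, cred);
    }

    @Test
    public void testNonRootIssuerAsTrustAnchor() {
        // The issuing intermediate CA alone is the anchor; the path need not reach the root.
        cred = getCredential("foo-1A1-good.crt");
        info = getPKIXInfoSet(getCertificates("inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Incomplete path was specified, missing (non-issuing) CA certificate in path", info, cred);
    }

    @Test
    public void testRevokedV1() {
        cred = getCredential("foo-1A1-revoked.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Sanity check that revoked cert is otherwise good, sans CRLs", info, cred);

        cred = getCredential("foo-1A1-revoked.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), getCRLS("inter1A1-v1.crl"), MAX_DEPTH);
        testValidateFailure("Specified certificate was revoked, V1 CRL was processed", info, cred);
    }

    @Test
    public void testRevokedV1CRLinCred() {
        cred = getCredential("foo-1A1-revoked.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Sanity check that revoked cert is otherwise good, sans CRLs", info, cred);

        // CRL carried on the credential rather than in the validation information.
        cred = getCredential("foo-1A1-revoked.crt");
        cred.setCRLs(getCRLS("inter1A1-v1.crl"));
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateFailure("Specified certificate was revoked, V1 CRL from credential was processed", info, cred);
    }

    @Test
    public void testRevokedV2() {
        cred = getCredential("foo-1A1-revoked.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Sanity check that revoked cert is otherwise good, sans CRLs", info, cred);

        cred = getCredential("foo-1A1-revoked.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), getCRLS("inter1A1-v2.crl"), MAX_DEPTH);
        testValidateFailure("Specified certificate was revoked, V2 CRL was processed", info, cred);
    }

    @Test
    public void testRevokedV2CRLinCred() {
        cred = getCredential("foo-1A1-revoked.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Sanity check that revoked cert is otherwise good, sans CRLs", info, cred);

        cred = getCredential("foo-1A1-revoked.crt");
        cred.setCRLs(getCRLS("inter1A1-v2.crl"));
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateFailure("Specified certificate was revoked, V2 CRL from credential was processed", info, cred);
    }

    @Test
    public void testEmptyCRL() {
        cred = getCredential("foo-1A1-good.crt");
        info = getPKIXInfoSet(getCertificates("inter1A1-ca.crt"), getCRLS("inter1A1-v1-empty.crl"), MAX_DEPTH);
        testValidateSuccess("Certificate was valid, empty V1 CRL was processed", info, cred);
    }

    @Test
    public void testIncompleteCRLsForChain() {
        // Only the issuing CA's CRL is available; revocation status of the rest of the chain is unknown.
        cred = getCredential("foo-1A1-good.crt", "inter1A1-ca.crt", "inter1A-ca.crt");
        cred.setCRLs(getCRLS("inter1A1-v2.crl"));
        info = getPKIXInfoSet(getCertificates("root1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateFailure("Certificate was valid (non-revoked), V2 CRL for intermediate CA was processed, missing complete CRL info for chain", info, cred);
    }

    @Test
    public void testExpiredCRL() {
        cred = getCredential("foo-1A1-good.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), getCRLS("inter1A1-v1-expired.crl"), MAX_DEPTH);
        testValidateFailure("Certificate was valid, expired V1 CRL was processed", info, cred);
    }

    @Test
    public void testNonRevokedCertWithNonEmptyCRL() {
        cred = getCredential("foo-1A1-good.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), getCRLS("inter1A1-v1.crl"), MAX_DEPTH);
        testValidateSuccess("Certificate was valid, V1 CRL containing other revocations was processed", info, cred);
    }

    @Test
    public void testEntityCertExpired() {
        cred = getCredential("foo-1A1-expired.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt", "inter1A1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateFailure("Specified certificate was expired", info, cred);
    }

    @Test
    public void testGoodPathInCred() {
        cred = getCredential("foo-1A1-good.crt", "inter1A-ca.crt", "inter1A1-ca.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Valid path was specified, intermediate path in credential chain", info, cred);

        cred = getCredential("foo-1A1-good.crt", "inter1A1-ca.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt", "inter1A-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateSuccess("Valid path was specified, intermediate path in credential chain", info, cred);
    }

    @Test
    public void testGoodPathInCredNoAnchors() {
        // A self-contained chain in the credential must not be trusted unless it terminates at a configured anchor.
        cred = getCredential("foo-1A1-good.crt", "inter1A1-ca.crt", "inter1A-ca.crt", "root1-ca.crt");
        info = getPKIXInfoSet(getCertificates("root2-ca.crt", "inter2A-ca.crt", "inter2B-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateFailure("Complete good path was specified in cred, but no relevant trust anchors", info, cred);
    }

    @Test
    public void testIncompletePathInCred() {
        cred = getCredential("foo-1A1-good.crt", "inter1A1-ca.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt"), EMPTY_CRLS, MAX_DEPTH);
        testValidateFailure("Incomplete path was specified, neither contains required intermediate cert", info, cred);
    }

    @Test
    public void testPathTooDeep() {
        cred = getCredential("foo-1A1-good.crt", "inter1A-ca.crt", "inter1A1-ca.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt"), EMPTY_CRLS, 2);
        testValidateSuccess("Valid path was specified, depth was equal to max path depth", info, cred);

        cred = getCredential("foo-1A1-good.crt", "inter1A-ca.crt", "inter1A1-ca.crt");
        info = getPKIXInfoSet(getCertificates("root1-ca.crt"), EMPTY_CRLS, 1);
        testValidateFailure("Valid path was specified, but depth exceeded max path depth", info, cred);
    }

    @Test
    public void testAnyPolicy() {
        cred = getCredential("mdt-signer.crt.pem", "mdt-ica.1.crt.pem");
        info = getPKIXInfoSet(getCertificates("mdt-root.crt.pem"), EMPTY_CRLS, 2);
        opts = getPKIXOptions(TEST_POLICY_1, false, false);
        testValidateSuccess("Intermediate CA with anyPolicy (2.5.29.32.0) entry permitted", info, cred, opts);
    }

    @Test
    public void testExplicitPolicy() {
        cred = getCredential("mdt-signer.crt.pem", "mdt-ica.1.crt.pem");
        info = getPKIXInfoSet(getCertificates("mdt-root.crt.pem"), EMPTY_CRLS, 2);
        opts = getPKIXOptions(TEST_POLICY_1, false, true);
        testValidateFailure("Intermediate CA with anyPolicy (2.5.29.32.0), but anyPolicy is inhibited", info, cred, opts);

        cred = getCredential("mdt-signer.crt.pem", "mdt-ica.2.crt.pem");
        testValidateSuccess("Intermediate CA with explicit policy " + TEST_POLICY_1, info, cred, opts);

        cred = getCredential("mdt-signer.crt.pem", "mdt-ica.3.crt.pem");
        testValidateSuccess("Intermediate CA with explicit policies " + TEST_POLICY_1 + ", " + TEST_POLICY_2, info, cred, opts);
    }

    @Test
    public void testExplicitPolicyMap() {
        cred = getCredential("mdt-signer.crt.pem", "mdt-ica.3.crt.pem");
        info = getPKIXInfoSet(getCertificates("mdt-root.crt.pem"), EMPTY_CRLS, 2);
        opts = getPKIXOptions(TEST_POLICY_2, false, true);
        testValidateSuccess("Intermediate CA with policy mapping, and mapping is permitted", info, cred, opts);
    }

    @Test
    public void testExplicitPolicyNoMap() {
        cred = getCredential("mdt-signer.crt.pem", "mdt-ica.3.crt.pem");
        info = getPKIXInfoSet(getCertificates("mdt-root.crt.pem"), EMPTY_CRLS, 2);
        opts = getPKIXOptions(TEST_POLICY_2, true, true);
        testValidateFailure("Intermediate CA with policy mapping, but mapping is inhibited", info, cred, opts);
    }

    /**
     * Asserts that the default evaluator accepts the credential.
     *
     * @param message description of the case, included in the failure message
     * @param validationInfo trust anchors, CRLs and depth limit
     * @param credential credential to validate
     */
    @Test(enabled = false)
    private void testValidateSuccess(String message, PKIXValidationInformation validationInfo, X509Credential credential) {
        try {
            if (!pkixEvaluator.validate(validationInfo, credential)) {
                Assert.fail("Evaluation of X509Credential failed, success was expected: " + message);
            }
        } catch (SecurityException e) {
            Assert.fail("Evaluation failed due to processing exception: " + e.getMessage(), e);
        }
    }

    /**
     * Asserts that the default evaluator rejects the credential without throwing.
     *
     * @param message description of the case, included in the failure message
     * @param validationInfo trust anchors, CRLs and depth limit
     * @param credential credential to validate
     */
    @Test(enabled = false)
    private void testValidateFailure(String message, PKIXValidationInformation validationInfo, X509Credential credential) {
        try {
            if (pkixEvaluator.validate(validationInfo, credential)) {
                Assert.fail("Evaluation of X509Credential succeeded, failure was expected: " + message);
            }
        } catch (SecurityException e) {
            Assert.fail("Evaluation failed due to processing exception: " + e.getMessage(), e);
        }
    }

    /**
     * Asserts that the default evaluator throws a {@link SecurityException}; both a true and a
     * false result are failures for this kind of case.
     *
     * @param message description of the case, included in the failure message
     * @param validationInfo trust anchors, CRLs and depth limit
     * @param credential credential to validate
     */
    @Test(enabled = false)
    private void testValidateProcessingError(String message, PKIXValidationInformation validationInfo, X509Credential credential) {
        try {
            if (pkixEvaluator.validate(validationInfo, credential)) {
                Assert.fail("Evaluation of X509Credential succeeded, processing failure was expected: " + message);
            } else {
                Assert.fail("Evaluation of X509Credential failed, but processing failure was expected: " + message);
            }
        } catch (SecurityException expected) {
            // A processing exception is the outcome this case asserts; nothing else to check.
        }
    }

    /**
     * Asserts that an evaluator built with the given options accepts the credential.
     *
     * @param message description of the case, included in the failure message
     * @param validationInfo trust anchors, CRLs and depth limit
     * @param credential credential to validate
     * @param options policy options for the evaluator
     */
    private void testValidateSuccess(String message, PKIXValidationInformation validationInfo, X509Credential credential,
            CertPathPKIXValidationOptions options) {
        try {
            if (!new CertPathPKIXTrustEvaluator(options).validate(validationInfo, credential)) {
                Assert.fail("Evaluation of X509Credential failed, success was expected: " + message);
            }
        } catch (SecurityException e) {
            Assert.fail("Evaluation failed due to processing exception: " + e.getMessage(), e);
        }
    }

    /**
     * Asserts that an evaluator built with the given options rejects the credential without throwing.
     *
     * @param message description of the case, included in the failure message
     * @param validationInfo trust anchors, CRLs and depth limit
     * @param credential credential to validate
     * @param options policy options for the evaluator
     */
    private void testValidateFailure(String message, PKIXValidationInformation validationInfo, X509Credential credential,
            CertPathPKIXValidationOptions options) {
        try {
            if (new CertPathPKIXTrustEvaluator(options).validate(validationInfo, credential)) {
                Assert.fail("Evaluation of X509Credential succeeded, failure was expected: " + message);
            }
        } catch (SecurityException e) {
            Assert.fail("Evaluation failed due to processing exception: " + e.getMessage(), e);
        }
    }

    /**
     * Builds a credential whose entity certificate chain holds the entity certificate plus any
     * additional certificates named.
     *
     * @param entityCertFile fixture file for the entity certificate
     * @param chainCertFiles fixture files for extra chain certificates, may be empty
     * @return the populated credential
     */
    private BasicX509Credential getCredential(String entityCertFile, String... chainCertFiles) {
        X509Certificate entityCert = getCertificate(entityCertFile);
        BasicX509Credential credential = new BasicX509Credential(entityCert);
        Set<X509Certificate> chain = new HashSet<>();
        chain.add(entityCert);
        for (String chainCertFile : chainCertFiles) {
            chain.add(getCertificate(chainCertFile));
        }
        credential.setEntityCertificateChain(chain);
        return credential;
    }

    /**
     * Wraps anchors, CRLs and a depth limit as validation information.
     *
     * @param anchors trust anchor certificates
     * @param crls CRLs to consult
     * @param depth maximum certification path depth
     * @return the validation information
     */
    private PKIXValidationInformation getPKIXInfoSet(Collection<X509Certificate> anchors, Collection<X509CRL> crls, Integer depth) {
        return new BasicPKIXValidationInformation(anchors, crls, depth);
    }

    /**
     * Builds evaluator options for the policy tests.
     *
     * @param initialPolicies initial policy OIDs
     * @param policyMappingInhibit whether policy mapping is inhibited
     * @param anyPolicyInhibit whether the anyPolicy OID is inhibited
     * @return the configured options
     */
    private CertPathPKIXValidationOptions getPKIXOptions(Set<String> initialPolicies, boolean policyMappingInhibit,
            boolean anyPolicyInhibit) {
        CertPathPKIXValidationOptions options = new CertPathPKIXValidationOptions();
        options.setInitialPolicies(initialPolicies);
        options.setPolicyMappingInhibit(policyMappingInhibit);
        options.setAnyPolicyInhibit(anyPolicyInhibit);
        return options;
    }

    /**
     * Loads the named certificate fixtures.
     *
     * @param fileNames fixture files under {@link #DATA_PATH}
     * @return the decoded certificates (empty for no names)
     */
    private Collection<X509Certificate> getCertificates(String... fileNames) {
        Set<X509Certificate> certs = new HashSet<>();
        for (String fileName : fileNames) {
            certs.add(getCertificate(fileName));
        }
        return certs;
    }

    /**
     * Loads and decodes the first certificate in a fixture file.
     *
     * @param fileName fixture file under {@link #DATA_PATH}
     * @return the decoded certificate
     * @throws AssertionError if the file cannot be read or decoded
     */
    private X509Certificate getCertificate(String fileName) {
        try {
            return (X509Certificate) X509Support.decodeCertificates(readResource(fileName)).iterator().next();
        } catch (Exception e) {
            // Keep the cause so a bad fixture is diagnosable from the test report.
            throw new AssertionError("Could not create certificate from file: " + fileName + ": " + e.getMessage(), e);
        }
    }

    /**
     * Loads the named CRL fixtures.
     *
     * @param fileNames fixture files under {@link #DATA_PATH}
     * @return the decoded CRLs (empty for no names)
     */
    private Collection<X509CRL> getCRLS(String... fileNames) {
        Set<X509CRL> crls = new HashSet<>();
        for (String fileName : fileNames) {
            crls.add(getCRL(fileName));
        }
        return crls;
    }

    /**
     * Loads and decodes the first CRL in a fixture file.
     *
     * @param fileName fixture file under {@link #DATA_PATH}
     * @return the decoded CRL
     * @throws AssertionError if the file cannot be read or decoded
     */
    private X509CRL getCRL(String fileName) {
        try {
            return (X509CRL) X509Support.decodeCRLs(readResource(fileName)).iterator().next();
        } catch (Exception e) {
            throw new AssertionError("Could not create CRL from file: " + fileName + ": " + e.getMessage(), e);
        }
    }

    /**
     * Reads a whole fixture file into memory, closing the stream afterwards.
     *
     * <p>Reads until end of stream rather than trusting {@code available()}, which only reports
     * the bytes readable without blocking and is not a file length.</p>
     *
     * @param fileName fixture file under {@link #DATA_PATH}
     * @return the complete file contents
     * @throws IOException if the resource is absent or cannot be read
     */
    private byte[] readResource(String fileName) throws IOException {
        try (InputStream in = getInputStream(fileName)) {
            if (in == null) {
                throw new IOException("Resource not found on classpath: " + DATA_PATH + fileName);
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buffer = new byte[4096];
            int count;
            while ((count = in.read(buffer)) != -1) {
                out.write(buffer, 0, count);
            }
            return out.toByteArray();
        }
    }

    /**
     * Opens a fixture as a classpath resource.
     *
     * @param fileName fixture file under {@link #DATA_PATH}
     * @return the stream, or null if the resource does not exist
     */
    private InputStream getInputStream(String fileName) {
        return CertPathPKIXTrustEvaluatorTest.class.getResourceAsStream(DATA_PATH + fileName);
    }
}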
