package org.keycloak.authentication.authenticators.x509;

import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.keycloak.authentication.authenticators.x509.CertificateValidator;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.rule.CryptoInitRule;

/* loaded from: input_file:org/keycloak/authentication/authenticators/x509/CertificateValidatorTest.class */
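/**
 * Unit tests for the timestamp and certificate-policy checks of {@link CertificateValidator}.
 *
 * <p>Every case builds a throw-away certificate for {@code CN=keycloak-test} and runs a single
 * check on it: {@code validateTimestamps()} for the validity window, or {@code validatePolicy()}
 * for the certificate policy OIDs.
 *
 * <p>The policy cases pin the following expectations:
 * <ul>
 *   <li>no policy requested ({@code null}): validation passes whatever the certificate carries;</li>
 *   <li>mode {@code "All"}: every requested OID must be present in the certificate;</li>
 *   <li>mode {@code "Any"}: at least one requested OID must be present in the certificate.</li>
 * </ul>
 * A violation is expected to surface as a {@link GeneralSecurityException}.
 */
public class CertificateValidatorTest {

    @ClassRule
    public static CryptoInitRule cryptoInitRule = new CryptoInitRule();

    /** A certificate whose validity window spans "now" must pass timestamp validation. */
    @Test
    public void testValidityOfCertificatesSuccess() throws GeneralSecurityException {
        X509Certificate certificate =
                createTestCertificate(new Date(), new Date(System.currentTimeMillis() + 60000), new String[0]);
        try {
            new CertificateValidator.CertificateValidatorBuilder()
                    .timestampValidation().enabled(true)
                    .build(new X509Certificate[]{certificate})
                    .validateTimestamps();
        } catch (Exception e) {
            // Keep the original exception as the cause so the test report shows where the
            // validation failed; e.getMessage() alone may be null and drops the stack trace.
            throw new AssertionError("certificate validation must succeed for a currently valid certificate", e);
        }
    }

    /** A certificate whose notBefore lies in the future must be rejected as "not valid yet". */
    @Test
    public void testValidityOfCertificatesNotValidYet() throws GeneralSecurityException {
        X509Certificate certificate = createTestCertificate(
                new Date(System.currentTimeMillis() + 60000), new Date(System.currentTimeMillis() + 60000), new String[0]);
        try {
            new CertificateValidator.CertificateValidatorBuilder()
                    .timestampValidation().enabled(true)
                    .build(new X509Certificate[]{certificate})
                    .validateTimestamps();
            // Assert.fail throws an AssertionError, which the catch (Exception) below does not swallow.
            Assert.fail("certificate validation must fail for certificate is not valid yet");
        } catch (Exception e) {
            MatcherAssert.assertThat(e.getMessage(), Matchers.containsString("not valid yet"));
            // Exact class match: a subclass of GeneralSecurityException would fail this assertion.
            Assert.assertEquals(GeneralSecurityException.class, e.getClass());
        }
    }

    /** A certificate whose notAfter lies in the past must be rejected as expired. */
    @Test
    public void testValidityOfCertificatesHasExpired() throws GeneralSecurityException {
        X509Certificate certificate = createTestCertificate(
                new Date(System.currentTimeMillis() - 120000), new Date(System.currentTimeMillis() - 60000), new String[0]);
        try {
            new CertificateValidator.CertificateValidatorBuilder()
                    .timestampValidation().enabled(true)
                    .build(new X509Certificate[]{certificate})
                    .validateTimestamps();
            // Assert.fail throws an AssertionError, which the catch (Exception) below does not swallow.
            Assert.fail("certificate validation must fail for certificate has expired");
        } catch (Exception e) {
            MatcherAssert.assertThat(e.getMessage(), Matchers.containsString("has expired"));
            // Exact class match: a subclass of GeneralSecurityException would fail this assertion.
            Assert.assertEquals(GeneralSecurityException.class, e.getClass());
        }
    }

    // ---- Mode "All": every requested policy OID must be present in the certificate ----

    @Test
    public void testCertificatePolicyModeAllNotRequestedAndNotPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation(null, "All", new String[0]);
    }

    @Test
    public void testCertificatePolicyModeAllNotRequestedAndOnePresent() throws GeneralSecurityException {
        testCertificatePolicyValidation(null, "All", "1.3.76.16.2.1");
    }

    @Test
    public void testCertificatePolicyModeAllNotRequestedAndTwoPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation(null, "All", "1.3.76.16.2.1", "1.2.3.4.5.6");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAllOneRequestedAndNotPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "All", new String[0]);
    }

    @Test
    public void testCertificatePolicyModeAllOneRequestedAndOnePresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "All", "1.3.76.16.2.1");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAllOneRequestedAndOnePresentDifferent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "All", "1.2.3.4.5.6");
    }

    @Test
    public void testCertificatePolicyModeAllOneRequestedAndTwoPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "All", "1.3.76.16.2.1", "1.2.3.4.5.6");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAllOneRequestedAndTwoPresentDifferent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "All", "1.2.3.4.5", "1.2.3.4.5.6");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAllTwoRequestedAndNotPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "All", new String[0]);
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAllTwoRequestedAndOnePresent() throws GeneralSecurityException {
        // Only one of the two requested OIDs is present, which is not enough in "All" mode.
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "All", "1.3.76.16.2.1");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAllTwoRequestedAndOnePresentDifferent() throws GeneralSecurityException {
        // "1.2.3.4" is a prefix of a requested OID but not equal to it; it must not count as a match.
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "All", "1.2.3.4");
    }

    @Test
    public void testCertificatePolicyModeAllTwoRequestedAndTwoPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "All", "1.3.76.16.2.1", "1.2.3.4.5.6");
    }

    // ---- Mode "Any": at least one requested policy OID must be present in the certificate ----

    @Test
    public void testCertificatePolicyModeAnyNotRequestedAndNotPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation(null, "Any", new String[0]);
    }

    @Test
    public void testCertificatePolicyModeAnyNotRequestedAndOnePresent() throws GeneralSecurityException {
        testCertificatePolicyValidation(null, "Any", "1.3.76.16.2.1");
    }

    @Test
    public void testCertificatePolicyModeAnyNotRequestedAndTwoPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation(null, "Any", "1.3.76.16.2.1", "1.2.3.4.5.6");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAnyOneRequestedAndNotPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "Any", new String[0]);
    }

    @Test
    public void testCertificatePolicyModeAnyOneRequestedAndOnePresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "Any", "1.3.76.16.2.1");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAnyOneRequestedAndOnePresentDifferent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "Any", "1.2.3.4.5.6");
    }

    @Test
    public void testCertificatePolicyModeAnyOneRequestedAndTwoPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "Any", "1.3.76.16.2.1", "1.2.3.4.5.6");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAnyOneRequestedAndTwoPresentDifferent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1", "Any", "1.2.3.4.5", "1.2.3.4.5.6");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAnyTwoRequestedAndNotPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "Any", new String[0]);
    }

    @Test
    public void testCertificatePolicyModeAnyTwoRequestedAndOnePresent() throws GeneralSecurityException {
        // One of the two requested OIDs is present, which is sufficient in "Any" mode.
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "Any", "1.3.76.16.2.1");
    }

    @Test(expected = GeneralSecurityException.class)
    public void testCertificatePolicyModeAnyTwoRequestedAndOnePresentDifferent() throws GeneralSecurityException {
        // "1.2.3.4" is a prefix of a requested OID but not equal to it; it must not count as a match.
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "Any", "1.2.3.4");
    }

    @Test
    public void testCertificatePolicyModeAnyTwoRequestedAndTwoPresent() throws GeneralSecurityException {
        testCertificatePolicyValidation("1.3.76.16.2.1,1.2.3.4.5.6", "Any", "1.3.76.16.2.1", "1.2.3.4.5.6");
    }

    /**
     * Runs certificate-policy validation against a freshly generated test certificate.
     *
     * @param requestedPolicies comma-separated policy OIDs the validator is asked to require,
     *                          or {@code null} when no policy is requested
     * @param mode              policy matching mode handed to the builder ({@code "All"} or {@code "Any"})
     * @param certificatePolicies policy OIDs placed into the generated certificate
     * @throws GeneralSecurityException when the validator rejects the certificate, or when the
     *                                  key pair generator cannot be obtained
     */
    private void testCertificatePolicyValidation(String requestedPolicies, String mode, String... certificatePolicies)
            throws GeneralSecurityException {
        // The validity window (-120 s to -60 s) already lies in the past. Only validatePolicy()
        // is invoked here, so these cases expect the outcome to depend on the policy OIDs alone.
        X509Certificate certificate = createTestCertificate(
                new Date(System.currentTimeMillis() - 120000), new Date(System.currentTimeMillis() - 60000), certificatePolicies);
        new CertificateValidator.CertificateValidatorBuilder()
                .certificatePolicy().mode(mode).parse(requestedPolicies)
                .build(new X509Certificate[]{certificate})
                .validatePolicy();
    }

    /**
     * Creates a test certificate for {@code CN=keycloak-test} backed by a fresh RSA key pair.
     *
     * @param notBefore  start of the certificate's validity window
     * @param notAfter   end of the certificate's validity window
     * @param policyOids certificate policy OIDs to embed; may be empty
     * @return the certificate produced by the active crypto provider's certificate utilities
     * @throws GeneralSecurityException when the RSA key pair generator cannot be obtained
     */
    private static X509Certificate createTestCertificate(Date notBefore, Date notAfter, String... policyOids)
            throws GeneralSecurityException {
        KeyPairGenerator keyPairGen = CryptoIntegration.getProvider().getKeyPairGen("RSA");
        // 512-bit RSA is a test-fixture shortcut to keep key generation fast; a modulus this
        // small offers no real security and must never be copied into production code.
        // NOTE(review): a provider that enforces a minimum RSA key size may reject 512 bits;
        // confirm against the crypto providers this test is run with.
        keyPairGen.initialize(512);
        return CryptoIntegration.getProvider().getCertificateUtils().createServicesTestCertificate(
                "CN=keycloak-test", notBefore, notAfter, keyPairGen.generateKeyPair(), policyOids);
    }
}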
