package org.wildfly.security.ssl;

import java.io.Closeable;
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.Locale;
import java.util.Objects;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.wildfly.security.WildFlyElytronProvider;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.AuthenticationContextConfigurationClient;
import org.wildfly.security.auth.realm.KeyStoreBackedSecurityRealm;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.permission.PermissionVerifier;
import org.wildfly.security.ssl.test.util.CAGenerationTool;
import org.wildfly.security.ssl.test.util.DefinedCAIdentity;
import org.wildfly.security.x500.principal.X500AttributePrincipalDecoder;

/* loaded from: input_file:org/wildfly/security/ssl/TLS13AuthenticationTest.class */
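/**
 * Handshake tests for TLS 1.3 (and TLS 1.2 fallback) through the Elytron {@link SSLContextBuilder}.
 *
 * <p>Each test builds a server {@link SSLContext} here and lets the client side resolve its
 * context from {@value #CLIENT_CONFIG} via the {@link AuthenticationContext} machinery, keyed by
 * the URI passed to {@link #performConnectionTest}. The two ends handshake over loopback; the
 * test then checks the negotiated protocol and cipher suite on both sessions and, for two-way
 * TLS, that the server mapped the client certificate to a {@link SecurityIdentity} whose
 * principal is the lower-cased certificate CN.
 *
 * <p>Test fixtures are shared class-wide ({@code @BeforeClass}/{@code @AfterClass}); the tests
 * themselves are sequential because they all bind the same loopback port.
 */
public class TLS13AuthenticationTest {
    private static final String CLIENT_CONFIG = "tls13-authentication-config.xml";
    private static final String CA_JKS_LOCATION = "./target/test-classes/pkcs12";
    // Not referenced by this class; kept for parity with the sibling SSL test fixtures.
    private static final char[] PASSWORD = "Elytron".toCharArray();
    /** SSLSession value under which the server-side context publishes the authenticated identity. */
    private static final String SSL_IDENTITY_KEY = "org.wildfly.security.ssl.identity";
    /** Loopback port used by both the in-test server and the client connect. */
    private static final int SERVER_PORT = 1111;
    private static final int SERVER_BACKLOG = 10;
    /** Upper bound for accept + handshake so a failed client never hangs the test forever. */
    private static final long HANDSHAKE_TIMEOUT_SECONDS = 30;
    private static final String IDENTITY_PRINCIPAL_NAME_ASSERTION = "Principal Name";

    private static CAGenerationTool caGenerationTool = null;
    private static SecurityDomain securityDomain = null;

    /**
     * Generates the CA and the LADYBIRD/SCARAB identities under {@value #CA_JKS_LOCATION} and
     * builds the security domain the server uses to map client certificates to identities.
     */
    @BeforeClass
    public static void setUp() throws Exception {
        caGenerationTool = CAGenerationTool.builder()
                .setBaseDir(CA_JKS_LOCATION)
                .setRequestIdentities(new CAGenerationTool.Identity[] {
                        CAGenerationTool.Identity.LADYBIRD, CAGenerationTool.Identity.SCARAB })
                .build();
        securityDomain = SecurityDomain.builder()
                .addRealm("KeystoreRealm",
                        new KeyStoreBackedSecurityRealm(caGenerationTool.getBeetlesKeyStore()))
                .build()
                .setDefaultRealmName("KeystoreRealm")
                // The first CN attribute (OID 2.5.4.3) of the client certificate's subject is the principal.
                .setPrincipalDecoder(new X500AttributePrincipalDecoder("2.5.4.3", 1))
                // Realm lookup is case-insensitive on the CN: "Ladybird" becomes "ladybird".
                .setPreRealmRewriter(name -> name.toLowerCase(Locale.ENGLISH))
                .setPermissionMapper((permissionMappable, roles) -> PermissionVerifier.ALL)
                .build();
    }

    /** Releases the generated key material. Tolerates a failed {@link #setUp()} so the original error is not masked. */
    @AfterClass
    public static void cleanUp() throws IOException {
        if (caGenerationTool != null) {
            caGenerationTool.close();
        }
    }

    /** Mutual TLS 1.3 with a single AEAD suite on the server; the client certificate must map to "ladybird". */
    @Test
    public void testTwoWayTLS13() throws Exception {
        SSLContext serverContext = buildTwoWayServerContext(
                CipherSuiteSelector.fromNamesString("TLS_AES_128_GCM_SHA256"));
        SecurityIdentity identity = performConnectionTest(serverContext,
                "protocol://test-two-way-tls13.org", CLIENT_CONFIG, "TLS_AES_128_GCM_SHA256", true);
        assertLadybirdIdentity(identity);
    }

    /**
     * Server prefers AES-256 over AES-128; the negotiated suite is still AES-128, which depends
     * on the client preference configured for this URI in {@value #CLIENT_CONFIG} (not visible here).
     */
    @Test
    public void testDifferentPreferredTLS13Suites() throws Exception {
        SSLContext serverContext = buildTwoWayServerContext(CipherSuiteSelector.fromNamesString(
                String.format("%s:%s", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256")));
        SecurityIdentity identity = performConnectionTest(serverContext,
                "protocol://test-different-preferred-tls13-suites.org", CLIENT_CONFIG,
                "TLS_AES_128_GCM_SHA256", true);
        assertLadybirdIdentity(identity);
    }

    /**
     * Server offers both a TLS 1.3 suite and a TLS 1.2 suite; the handshake is expected to land
     * on TLS 1.2 with the CBC suite, which presumes the client rule for this URI is TLS 1.2-only.
     */
    @Test
    public void testClientTLS12Only() throws Exception {
        SSLContext serverContext = buildTwoWayServerContext(CipherSuiteSelector.aggregate(
                CipherSuiteSelector.fromNamesString("TLS_AES_128_GCM_SHA256"),
                CipherSuiteSelector.fromString("TLS_RSA_WITH_AES_128_CBC_SHA256")));
        SecurityIdentity identity = performConnectionTest(serverContext,
                "protocol://test-client-tls12-only.org", CLIENT_CONFIG,
                "TLS_RSA_WITH_AES_128_CBC_SHA256", false);
        assertLadybirdIdentity(identity);
    }

    /** Server configured with a TLS 1.2 suite only; the client must downgrade to TLS 1.2. */
    @Test
    public void testServerTLS12Only() throws Exception {
        SSLContext serverContext = buildTwoWayServerContext(
                CipherSuiteSelector.fromString("TLS_RSA_WITH_AES_128_CBC_SHA256"));
        SecurityIdentity identity = performConnectionTest(serverContext,
                "protocol://test-server-tls12-only.org", CLIENT_CONFIG,
                "TLS_RSA_WITH_AES_128_CBC_SHA256", false);
        assertLadybirdIdentity(identity);
    }

    /**
     * Server-only authentication: no security domain, no trust manager and no client-auth
     * requirement, so the session carries no identity and the helper must return {@code null}.
     */
    @Test
    public void testOneWayTLS13() throws Exception {
        SSLContext serverContext = new SSLContextBuilder()
                .setCipherSuiteSelector(CipherSuiteSelector.fromNamesString("TLS_AES_128_GCM_SHA256"))
                .setKeyManager(caGenerationTool.getDefinedIdentity(CAGenerationTool.Identity.SCARAB).createKeyManager())
                .build()
                .create();
        Assert.assertNull(performConnectionTest(serverContext,
                "protocol://test-one-way-tls13.org", CLIENT_CONFIG, "TLS_AES_128_GCM_SHA256", true));
    }

    /**
     * Builds the server context shared by the two-way tests: SCARAB server certificate, trust in
     * the test CA, client certificate mandatory, identities resolved against {@code securityDomain}.
     *
     * @param cipherSuiteSelector the suites the server offers
     */
    private static SSLContext buildTwoWayServerContext(CipherSuiteSelector cipherSuiteSelector) throws Exception {
        DefinedCAIdentity ca = caGenerationTool.getDefinedCAIdentity(CAGenerationTool.Identity.CA);
        return new SSLContextBuilder()
                .setSecurityDomain(securityDomain)
                .setCipherSuiteSelector(cipherSuiteSelector)
                .setKeyManager(caGenerationTool.getDefinedIdentity(CAGenerationTool.Identity.SCARAB).createKeyManager())
                .setTrustManager(ca.createTrustManager())
                .setNeedClientAuth(true)
                .build()
                .create();
    }

    /** Asserts that the server established an identity and that its principal is the LADYBIRD CN, lower-cased. */
    private static void assertLadybirdIdentity(SecurityIdentity identity) {
        Assert.assertNotNull(identity);
        Assert.assertEquals(IDENTITY_PRINCIPAL_NAME_ASSERTION, "ladybird", identity.getPrincipal().getName());
    }

    /**
     * Runs one loopback handshake between {@code serverContext} and the client context that the
     * Elytron authentication-client configuration selects for {@code clientUri}.
     *
     * <p>The client connects on a dedicated executor thread while this thread accepts and drives
     * the server-side handshake. Both sockets, the server socket and the executor are always
     * released, including when the handshake or an assertion fails.
     *
     * @param serverContext       the context the server socket is created from
     * @param clientUri           URI matched against the rules in {@code clientConfig} to pick the client context
     * @param clientConfig        classpath resource name of the wildfly-config XML (resolved next to {@link SSLAuthenticationTest})
     * @param expectedCipherSuite cipher suite both sessions must report; {@code null} skips the protocol/suite checks
     * @param expectTls13         {@code true} to require TLSv1.3, {@code false} to require TLSv1.2 (only when a suite is expected)
     * @return the {@link SecurityIdentity} the server attached to its session, or {@code null} when none was established
     * @throws Exception on connect, handshake or timeout failure, or when the config resource is missing
     */
    private SecurityIdentity performConnectionTest(SSLContext serverContext, String clientUri, String clientConfig,
            String expectedCipherSuite, boolean expectTls13) throws Exception {
        String configUrl = Objects.requireNonNull(SSLAuthenticationTest.class.getResource(clientConfig),
                () -> "Client configuration resource not found on classpath: " + clientConfig).toExternalForm();
        System.setProperty("wildfly.config.url", configUrl);
        // Put the Elytron provider first; insertProviderAt returns -1 and changes nothing when it is
        // already registered, so repeating this in every test is harmless.
        AccessController.doPrivileged(
                (PrivilegedAction<Integer>) () -> Security.insertProviderAt(new WildFlyElytronProvider(), 1));
        AuthenticationContextConfigurationClient configurationClient =
                (AuthenticationContextConfigurationClient) AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
        SSLContext clientContext = configurationClient.getSSLContext(URI.create(clientUri),
                AuthenticationContext.getContextManager().get());

        ExecutorService clientExecutor = Executors.newSingleThreadExecutor();
        SSLServerSocket serverSocket = null;
        SSLSocket serverSide = null;
        SSLSocket clientSide = null;
        try {
            // Bind before the client task is submitted so the connect cannot race the listener.
            serverSocket = (SSLServerSocket) serverContext.getServerSocketFactory()
                    .createServerSocket(SERVER_PORT, SERVER_BACKLOG, InetAddress.getLoopbackAddress());
            int timeoutMillis = (int) TimeUnit.SECONDS.toMillis(HANDSHAKE_TIMEOUT_SECONDS);
            serverSocket.setSoTimeout(timeoutMillis);
            Future<SSLSocket> clientFuture = clientExecutor.submit(() -> connectClient(clientContext));
            serverSide = (SSLSocket) serverSocket.accept();
            serverSide.setSoTimeout(timeoutMillis);
            // getSession() drives the handshake; without it the sessions below would be empty.
            SSLSession serverSession = serverSide.getSession();
            clientSide = clientFuture.get(HANDSHAKE_TIMEOUT_SECONDS, TimeUnit.SECONDS);
            SSLSession clientSession = clientSide.getSession();

            if (expectedCipherSuite != null) {
                String expectedProtocol = expectTls13 ? "TLSv1.3" : "TLSv1.2";
                Assert.assertEquals(expectedProtocol, serverSession.getProtocol());
                Assert.assertEquals(expectedProtocol, clientSession.getProtocol());
                Assert.assertEquals(expectedCipherSuite, serverSession.getCipherSuite());
                Assert.assertEquals(expectedCipherSuite, clientSession.getCipherSuite());
            }
            return (SecurityIdentity) serverSession.getValue(SSL_IDENTITY_KEY);
        } finally {
            safeClose(serverSide);
            safeClose(clientSide);
            safeClose(serverSocket);
            clientExecutor.shutdownNow();
        }
    }

    /**
     * Client half of the handshake, executed on the executor thread: connects to the loopback
     * server and forces the handshake so the returned socket has a populated session.
     * "Client connected" is printed on every exit path, matching the original fixture's output.
     */
    private static SSLSocket connectClient(SSLContext clientContext) throws IOException {
        System.out.println("About to connect client");
        try {
            SSLSocket socket = (SSLSocket) clientContext.getSocketFactory()
                    .createSocket(InetAddress.getLoopbackAddress(), SERVER_PORT);
            socket.getSession();
            return socket;
        } finally {
            System.out.println("Client connected");
        }
    }

    /** Best-effort close for teardown; {@code null} is accepted so partially set-up resources can be released. */
    private void safeClose(Closeable closeable) {
        if (closeable == null) {
            return;
        }
        try {
            closeable.close();
        } catch (Exception ignored) {
            // A close failure during teardown must not mask the test result already produced.
        }
    }
}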
