package org.wildfly.security.ssl;

import java.io.Closeable;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.InetAddress;
import java.net.URI;
import java.security.AccessController;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.BeforeClass;
import org.junit.Test;
import org.wildfly.security.WildFlyElytronProvider;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.AuthenticationContextConfigurationClient;
import org.wildfly.security.auth.realm.KeyStoreBackedSecurityRealm;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.permission.PermissionVerifier;
import org.wildfly.security.x500.cert.BasicConstraintsExtension;
import org.wildfly.security.x500.cert.SelfSignedX509CertificateAndSigningKey;
import org.wildfly.security.x500.cert.X509CertificateBuilder;
import org.wildfly.security.x500.principal.X500AttributePrincipalDecoder;

/* loaded from: input_file:org/wildfly/security/ssl/SSLv2HelloAuthenticationTest.class */
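/**
 * Exercises SSLv2Hello negotiation between an Elytron-built server {@link SSLContext} and a client
 * {@link SSLContext} resolved from a {@code wildfly-config} XML file, in one-way and two-way (mutual
 * TLS) configurations.
 *
 * <p>SSLv2Hello and TLSv1 are legacy protocols that current JDKs disable via the
 * {@code jdk.tls.disabledAlgorithms} security property; {@link #setUp()} clears that property for the
 * lifetime of this class so the negotiation paths can be exercised, and {@link #cleanUp()} restores it.
 * Key stores are generated on the fly under {@value #CA_JKS_LOCATION} and deleted afterwards.
 *
 * <p>Not thread-safe: every test binds the same loopback port and mutates JVM-wide security state.
 */
public class SSLv2HelloAuthenticationTest {
    private static final String CA_JKS_LOCATION = "./target/test-classes/ca/jks";
    /** Original value of {@code jdk.tls.disabledAlgorithms}, captured in {@link #setUp()} and restored in {@link #cleanUp()}. */
    public static String disabledAlgorithms;
    private static final boolean IS_IBM = System.getProperty("java.vendor").contains("IBM");
    // The IBM JDK ships its own X509 key/trust manager factory implementation.
    private static final String X509_FACTORY_ALGORITHM = IS_IBM ? "IbmX509" : "SunX509";
    private static final char[] PASSWORD = "Elytron".toCharArray();
    // Client-side authentication configuration resolved through AuthenticationContext.
    private static final String CLIENT_CONFIG = "wildfly-ssl-test-config-v1_6.xml";
    // Loopback port the in-test server listens on; each test binds and releases it.
    private static final int TEST_PORT = 1111;
    // Upper bound for the server accept and the client handshake so that a protocol mismatch fails the
    // test instead of hanging the build.
    private static final long TIMEOUT_SECONDS = 30;
    private static final String[] SSLV2HELLO_AND_TLSV1 = {"SSLv2Hello", "TLSv1"};
    private static File ladybirdFile = null;
    private static File scarabFile = null;
    private static File beetlesFile = null;
    private static File trustFile = null;
    private static File workingDirCA = null;
    private static SecurityRealm securityRealm = null;
    private static SecurityDomain securityDomain = null;

    /**
     * Creates the CA, client ("ladybird") and server ("scarab") key stores plus the realm/domain the
     * server authenticates client certificates against.
     *
     * @throws Exception if key material cannot be generated or written
     */
    @BeforeClass
    public static void setUp() throws Exception {
        // Remember the JVM-wide setting so cleanUp() can put it back; emptying it re-enables
        // SSLv2Hello/TLSv1/TLSv1.1 in this JVM only for as long as this class runs.
        disabledAlgorithms = Security.getProperty("jdk.tls.disabledAlgorithms");
        // "TLSv1" is a prefix of "TLSv1.1", so one contains() check covers both entries.
        if (disabledAlgorithms != null && disabledAlgorithms.contains("TLSv1")) {
            Security.setProperty("jdk.tls.disabledAlgorithms", "");
        }
        workingDirCA = new File(CA_JKS_LOCATION);
        workingDirCA.mkdirs();
        if (!workingDirCA.isDirectory()) {
            throw new IllegalStateException("Unable to create key store directory " + workingDirCA);
        }
        ladybirdFile = new File(workingDirCA, "ladybird.keystore");
        scarabFile = new File(workingDirCA, "scarab.keystore");
        beetlesFile = new File(workingDirCA, "beetles.keystore");
        trustFile = new File(workingDirCA, "ca.truststore");
        createKeyStores(ladybirdFile, scarabFile, beetlesFile, trustFile);
        securityRealm = new KeyStoreBackedSecurityRealm(loadKeyStore("/ca/jks/beetles.keystore"));
        securityDomain = SecurityDomain.builder()
                .addRealm("KeystoreRealm", securityRealm).build()
                .setDefaultRealmName("KeystoreRealm")
                // The identity name is the CN attribute (OID 2.5.4.3) of the client certificate subject.
                .setPrincipalDecoder(new X500AttributePrincipalDecoder("2.5.4.3", 1))
                .setPreRealmRewriter(name -> name.toLowerCase(Locale.ENGLISH))
                // Test-only policy: every authenticated identity is granted all permissions.
                .setPermissionMapper((permissionMappable, roles) -> PermissionVerifier.ALL)
                .build();
    }

    /**
     * Deletes the generated key stores and restores {@code jdk.tls.disabledAlgorithms}.
     * Tolerates a partially completed {@link #setUp()} (null files).
     */
    @AfterClass
    public static void cleanUp() {
        ladybirdFile = deleteAndClear(ladybirdFile);
        scarabFile = deleteAndClear(scarabFile);
        beetlesFile = deleteAndClear(beetlesFile);
        trustFile = deleteAndClear(trustFile);
        // The directory is only removed if it is empty by now, as before.
        workingDirCA = deleteAndClear(workingDirCA);
        if (disabledAlgorithms != null) {
            Security.setProperty("jdk.tls.disabledAlgorithms", disabledAlgorithms);
        }
    }

    /**
     * Deletes {@code file} when it is set and returns {@code null} so the caller can reset its field.
     *
     * @param file the file to delete, may be {@code null}
     * @return always {@code null}
     */
    private static File deleteAndClear(File file) {
        if (file != null) {
            file.delete();
        }
        return null;
    }

    /**
     * Server and client both enable SSLv2Hello and TLSv1 without client authentication; TLSv1 is negotiated.
     */
    @Test
    public void testOneWaySSLv2HelloProtocolMatch() throws Exception {
        skipOnIbmJdk("testOneWaySSLv2HelloProtocolMatch");
        SSLContext serverContext = new SSLContextBuilder()
                .setSecurityDomain(securityDomain)
                .setKeyManager(getKeyManager("/ca/jks/scarab.keystore"))
                .setProtocolSelector(selectorFor("SSLv2Hello", "TLSv1"))
                .build().create();
        performConnectionTest(serverContext, "protocol://one-way-sslv2hello.org", CLIENT_CONFIG,
                SSLV2HELLO_AND_TLSV1, "TLSv1");
    }

    /**
     * Mutual TLS with SSLv2Hello and TLSv1 on both sides; the client certificate maps to the "ladybird" identity.
     */
    @Test
    public void testTwoWaySSLv2HelloProtocolMatch() throws Exception {
        skipOnIbmJdk("testTwoWaySSLv2HelloProtocolMatch");
        SSLContext serverContext = new SSLContextBuilder()
                .setSecurityDomain(securityDomain)
                .setKeyManager(getKeyManager("/ca/jks/scarab.keystore"))
                .setTrustManager(getCATrustManager())
                .setNeedClientAuth(true)
                .setProtocolSelector(selectorFor("SSLv2Hello", "TLSv1"))
                .build().create();
        SecurityIdentity identity = performConnectionTest(serverContext, "protocol://test-two-way-sslv2hello.org",
                CLIENT_CONFIG, SSLV2HELLO_AND_TLSV1, "TLSv1");
        assertLadybirdIdentity(identity);
    }

    /**
     * Mutual TLS with the server's default protocol selection (no SSLv2Hello); TLSv1.2 is negotiated.
     */
    @Test
    public void testTwoWaySSLv2HelloNotEnabled() throws Exception {
        SSLContext serverContext = new SSLContextBuilder()
                .setSecurityDomain(securityDomain)
                .setKeyManager(getKeyManager("/ca/jks/scarab.keystore"))
                .setTrustManager(getCATrustManager())
                .setNeedClientAuth(true)
                .build().create();
        SecurityIdentity identity = performConnectionTest(serverContext, "protocol://two-way-no-sslv2hello.org",
                CLIENT_CONFIG, defaultEnabledProtocols(), "TLSv1.2");
        assertLadybirdIdentity(identity);
    }

    /**
     * Server enables SSLv2Hello and TLSv1, client uses its defaults (no SSLv2Hello); TLSv1 is negotiated.
     */
    @Test
    public void testTwoWaySSLv2HelloNoClientSupport() throws Exception {
        SSLContext serverContext = new SSLContextBuilder()
                .setSecurityDomain(securityDomain)
                .setKeyManager(getKeyManager("/ca/jks/scarab.keystore"))
                .setTrustManager(getCATrustManager())
                .setNeedClientAuth(true)
                .setProtocolSelector(selectorFor("SSLv2Hello", "TLSv1"))
                .build().create();
        // The IBM JDK does not expose SSLv2Hello on the server socket either.
        String[] expectedServerProtocols = IS_IBM ? new String[]{"TLSv1"} : SSLV2HELLO_AND_TLSV1;
        SecurityIdentity identity = performConnectionTest(serverContext, "protocol://two-way-no-sslv2hello.org",
                CLIENT_CONFIG, defaultEnabledProtocols(), expectedServerProtocols, "TLSv1");
        assertLadybirdIdentity(identity);
    }

    /**
     * Server only enables TLSv1.1 while the client offers SSLv2Hello/TLSv1: no protocol in common, so
     * the handshake fails, the session reports "NONE" and no identity is established.
     */
    @Test
    public void testTwoWaySSlv2HelloNoServerSupport() throws Exception {
        skipOnIbmJdk("testTwoWaySSLv2HelloNoServerSupport");
        SSLContext serverContext = new SSLContextBuilder()
                .setSecurityDomain(securityDomain)
                .setKeyManager(getKeyManager("/ca/jks/scarab.keystore"))
                .setTrustManager(getCATrustManager())
                .setNeedClientAuth(true)
                .setProtocolSelector(selectorFor("TLSv1.1"))
                .build().create();
        SecurityIdentity identity = performConnectionTest(serverContext, "protocol://test-two-way-sslv2hello.org",
                CLIENT_CONFIG, SSLV2HELLO_AND_TLSV1, new String[]{"TLSv1.1"}, "NONE");
        Assert.assertNull("No identity expected when the handshake fails", identity);
    }

    /**
     * Skips the calling test on the IBM JDK, which does not support SSLv2Hello on the client side.
     *
     * @param testName the name reported in the skip message
     */
    private static void skipOnIbmJdk(String testName) {
        Assume.assumeFalse("Skipping " + testName + " test as IBM JDK does not support SSLv2Hello on the client side", IS_IBM);
    }

    /**
     * Protocols the client is expected to have enabled when the configuration does not restrict them.
     * The IBM JDK in use does not offer TLSv1.3.
     */
    private static String[] defaultEnabledProtocols() {
        return IS_IBM
                ? new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"}
                : new String[]{"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
    }

    /**
     * Builds a selector that enables exactly the named protocols on the server side.
     *
     * @param protocolNames protocol names understood by {@link Protocol#forName(String)}
     * @return the selector
     */
    private static ProtocolSelector selectorFor(String... protocolNames) {
        EnumSet<Protocol> protocols = EnumSet.noneOf(Protocol.class);
        for (String name : protocolNames) {
            protocols.add(Protocol.forName(name));
        }
        return ProtocolSelector.empty().add(protocols);
    }

    /**
     * Asserts that mutual TLS produced an identity whose principal is the client certificate's CN, lower-cased.
     */
    private static void assertLadybirdIdentity(SecurityIdentity identity) {
        Assert.assertNotNull("Expected an authenticated client identity", identity);
        Assert.assertEquals("Principal Name", "ladybird", identity.getPrincipal().getName());
    }

    /**
     * Variant of {@link #performConnectionTest(SSLContext, String, String, String[], String[], String)}
     * where client and server are expected to have the same enabled protocols.
     */
    private SecurityIdentity performConnectionTest(SSLContext serverContext, String clientUri, String clientConfigFileName,
            String[] expectedProtocols, String expectedNegotiatedProtocol) throws Exception {
        return performConnectionTest(serverContext, clientUri, clientConfigFileName, expectedProtocols, expectedProtocols,
                expectedNegotiatedProtocol);
    }

    /**
     * Runs one TLS handshake over the loopback interface between {@code serverContext} and the client
     * context that {@code clientConfigFileName} configures for {@code clientUri}, then checks the enabled
     * and negotiated protocols on both sides.
     *
     * @param serverContext the server-side context under test
     * @param clientUri the URI the client configuration rule is matched against
     * @param clientConfigFileName class-path resource holding the client configuration
     * @param expectedClientProtocols protocols the client socket must have enabled
     * @param expectedServerProtocols protocols the accepted server socket must have enabled
     * @param expectedNegotiatedProtocol protocol both sessions must report ("NONE" when no handshake completed)
     * @return the {@link SecurityIdentity} the server stored in its session, or {@code null} if none
     * @throws Exception on I/O failure, timeout or assertion failure
     */
    private SecurityIdentity performConnectionTest(SSLContext serverContext, String clientUri, String clientConfigFileName,
            String[] expectedClientProtocols, String[] expectedServerProtocols, String expectedNegotiatedProtocol)
            throws Exception {
        String configUrl = Objects.requireNonNull(SSLAuthenticationTest.class.getResource(clientConfigFileName),
                "Missing client configuration resource " + clientConfigFileName).toExternalForm();
        System.setProperty("wildfly.config.url", configUrl);
        // Explicit cast: doPrivileged is overloaded for PrivilegedAction and PrivilegedExceptionAction.
        AccessController.doPrivileged((PrivilegedAction<Integer>) () -> Security.insertProviderAt(new WildFlyElytronProvider(), 1));
        AuthenticationContextConfigurationClient configurationClient =
                AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION);
        SSLContext clientContext = configurationClient.getSSLContext(URI.create(clientUri),
                AuthenticationContext.getContextManager().get());

        ExecutorService clientExecutor = Executors.newSingleThreadExecutor();
        SSLServerSocket serverSocket = (SSLServerSocket) serverContext.getServerSocketFactory()
                .createServerSocket(TEST_PORT, 10, InetAddress.getLoopbackAddress());
        SSLSocket serverSide = null;
        SSLSocket clientSide = null;
        try {
            serverSocket.setSoTimeout((int) TimeUnit.SECONDS.toMillis(TIMEOUT_SECONDS));
            Future<SSLSocket> clientFuture = clientExecutor.submit(() -> connectClient(clientContext));
            serverSide = (SSLSocket) serverSocket.accept();
            // getSession() drives the server-side handshake; the client side runs concurrently in clientFuture.
            SSLSession serverSession = serverSide.getSession();
            clientSide = clientFuture.get(TIMEOUT_SECONDS, TimeUnit.SECONDS);
            SSLSession clientSession = clientSide.getSession();

            Assert.assertEquals("Server enabled protocols", asSet(expectedServerProtocols), asSet(serverSide.getEnabledProtocols()));
            Assert.assertEquals("Client enabled protocols", asSet(expectedClientProtocols), asSet(clientSide.getEnabledProtocols()));
            Assert.assertEquals("Server negotiated protocol", expectedNegotiatedProtocol, serverSession.getProtocol());
            Assert.assertEquals("Client negotiated protocol", expectedNegotiatedProtocol, clientSession.getProtocol());
            // Elytron attaches the authenticated identity to the server session under this key.
            return (SecurityIdentity) serverSession.getValue("org.wildfly.security.ssl.identity");
        } finally {
            safeClose(serverSide);
            safeClose(clientSide);
            safeClose(serverSocket);
            clientExecutor.shutdownNow();
        }
    }

    /**
     * Connects to the test server on the loopback interface and completes the client-side handshake.
     *
     * @param clientContext the client context to use
     * @return the connected socket; its session is invalid ("NONE") if the handshake failed
     * @throws IOException if the connection cannot be established
     */
    private static SSLSocket connectClient(SSLContext clientContext) throws IOException {
        System.out.println("About to connect client");
        SSLSocket socket = (SSLSocket) clientContext.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), TEST_PORT);
        // Forces the handshake so the server side can complete accept()/getSession().
        socket.getSession();
        System.out.println("Client connected");
        return socket;
    }

    /** Order-insensitive view of a protocol list for comparison. */
    private static Set<String> asSet(String... values) {
        return new HashSet<>(Arrays.asList(values));
    }

    /**
     * Loads the first {@link X509ExtendedKeyManager} for the key store at {@code resourcePath}.
     *
     * @param resourcePath class-path location of a JKS key store protected by {@link #PASSWORD}
     * @return the key manager
     * @throws IllegalStateException if the factory yields no X509ExtendedKeyManager
     */
    private static X509ExtendedKeyManager getKeyManager(String resourcePath) throws Exception {
        KeyManagerFactory factory = KeyManagerFactory.getInstance(X509_FACTORY_ALGORITHM);
        factory.init(loadKeyStore(resourcePath), PASSWORD);
        for (KeyManager candidate : factory.getKeyManagers()) {
            if (candidate instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) candidate;
            }
        }
        throw new IllegalStateException("Unable to obtain X509ExtendedKeyManager.");
    }

    /**
     * Loads the first {@link X509TrustManager} backed by the generated CA trust store, so that only
     * certificates issued by the test CA are accepted from clients.
     *
     * @throws IllegalStateException if the factory yields no X509TrustManager
     */
    private static X509TrustManager getCATrustManager() throws Exception {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(X509_FACTORY_ALGORITHM);
        factory.init(loadKeyStore("/ca/jks/ca.truststore"));
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new IllegalStateException("Unable to obtain X509TrustManager.");
    }

    /** Creates an empty, initialised JKS key store. */
    private static KeyStore loadKeyStore() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        return keyStore;
    }

    /**
     * Loads the JKS key store at a class-path location using {@link #PASSWORD}.
     *
     * @param resourcePath class-path resource path of the key store
     * @return the loaded key store
     * @throws IllegalStateException if the resource does not exist (loading a null stream would
     *         silently yield an empty key store and fail the test much later)
     */
    private static KeyStore loadKeyStore(String resourcePath) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = SSLAuthenticationTest.class.getResourceAsStream(resourcePath)) {
            if (in == null) {
                throw new IllegalStateException("Key store resource not found: " + resourcePath);
            }
            keyStore.load(in, PASSWORD);
        }
        return keyStore;
    }

    /**
     * Writes {@code keyStore} to {@code file}, protecting it with {@code password}.
     */
    private static void createTemporaryKeyStoreFile(KeyStore keyStore, File file, char[] password) throws Exception {
        try (FileOutputStream out = new FileOutputStream(file)) {
            keyStore.store(out, password);
        }
    }

    /**
     * Generates a self-signed root CA and two end-entity certificates issued by it, then writes:
     * <ul>
     *   <li>{@code ladybirdKeyStoreFile}: the "ladybird" key plus its chain (the client),</li>
     *   <li>{@code scarabKeyStoreFile}: the "scarab" key plus its chain (the server),</li>
     *   <li>{@code beetlesKeyStoreFile}: both end-entity certificates only (backs the security realm),</li>
     *   <li>{@code trustStoreFile}: the CA certificate only (the server's trust anchor).</li>
     * </ul>
     */
    private static void createKeyStores(File ladybirdKeyStoreFile, File scarabKeyStoreFile, File beetlesKeyStoreFile,
            File trustStoreFile) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        Security.addProvider(new BouncyCastleProvider());
        X500Principal caDn = new X500Principal("CN=Elytron CA, ST=Elytron, C=UK, EMAILADDRESS=elytron@wildfly.org, O=Root Certificate Authority");
        X500Principal ladybirdDn = new X500Principal("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Ladybird");
        X500Principal scarabDn = new X500Principal("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Scarab");

        KeyStore ladybirdKeyStore = loadKeyStore();
        KeyStore scarabKeyStore = loadKeyStore();
        KeyStore beetlesKeyStore = loadKeyStore();
        KeyStore trustStore = loadKeyStore();

        // Only the root CA issues certificates here; no intermediate CA takes part in the chains.
        SelfSignedX509CertificateAndSigningKey issuer = SelfSignedX509CertificateAndSigningKey.builder()
                .setDn(caDn)
                .setKeyAlgorithmName("RSA")
                .setSignatureAlgorithmName("SHA256withRSA")
                .addExtension(false, "BasicConstraints", "CA:true,pathlen:2147483647")
                .build();
        X509Certificate caCertificate = issuer.getSelfSignedCertificate();
        ladybirdKeyStore.setCertificateEntry("ca", caCertificate);
        scarabKeyStore.setCertificateEntry("ca", caCertificate);
        trustStore.setCertificateEntry("mykey", caCertificate);

        KeyPair ladybirdKeyPair = keyPairGenerator.generateKeyPair();
        X509Certificate ladybirdCertificate = issueEndEntityCertificate(issuer, caDn, ladybirdDn, ladybirdKeyPair, BigInteger.valueOf(3));
        ladybirdKeyStore.setKeyEntry("ladybird", ladybirdKeyPair.getPrivate(), PASSWORD,
                new X509Certificate[]{ladybirdCertificate, caCertificate});

        KeyPair scarabKeyPair = keyPairGenerator.generateKeyPair();
        X509Certificate scarabCertificate = issueEndEntityCertificate(issuer, caDn, scarabDn, scarabKeyPair, BigInteger.valueOf(4));
        scarabKeyStore.setKeyEntry("scarab", scarabKeyPair.getPrivate(), PASSWORD,
                new X509Certificate[]{scarabCertificate, caCertificate});

        beetlesKeyStore.setCertificateEntry("ladybird", ladybirdCertificate);
        beetlesKeyStore.setCertificateEntry("scarab", scarabCertificate);

        createTemporaryKeyStoreFile(ladybirdKeyStore, ladybirdKeyStoreFile, PASSWORD);
        createTemporaryKeyStoreFile(scarabKeyStore, scarabKeyStoreFile, PASSWORD);
        createTemporaryKeyStoreFile(beetlesKeyStore, beetlesKeyStoreFile, PASSWORD);
        createTemporaryKeyStoreFile(trustStore, trustStoreFile, PASSWORD);
    }

    /**
     * Issues a non-CA certificate for {@code subjectKeyPair}'s public key, signed by {@code issuer}.
     *
     * @param issuer the root CA whose signing key signs the certificate
     * @param issuerDn the CA's distinguished name
     * @param subjectDn the subject's distinguished name
     * @param subjectKeyPair the subject's key pair (only the public key is embedded)
     * @param serialNumber the certificate serial number
     * @return the signed certificate
     */
    private static X509Certificate issueEndEntityCertificate(SelfSignedX509CertificateAndSigningKey issuer,
            X500Principal issuerDn, X500Principal subjectDn, KeyPair subjectKeyPair, BigInteger serialNumber) throws Exception {
        return new X509CertificateBuilder()
                .setIssuerDn(issuerDn)
                .setSubjectDn(subjectDn)
                .setSignatureAlgorithmName("SHA256withRSA")
                .setSigningKey(issuer.getSigningKey())
                .setPublicKey(subjectKeyPair.getPublic())
                .setSerialNumber(serialNumber)
                // Leaf certificate: not a CA, so it cannot be used to issue further certificates.
                .addExtension(new BasicConstraintsExtension(false, false, -1))
                .build();
    }

    /**
     * Closes {@code closeable} if non-null, ignoring failures; used only for test socket cleanup
     * where a close error must not mask the assertion result.
     */
    private static void safeClose(Closeable closeable) {
        if (closeable == null) {
            return;
        }
        try {
            closeable.close();
        } catch (IOException ignored) {
            // best-effort cleanup of loopback sockets; nothing to recover
        }
    }
}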
