package at.gv.egiz.eaaf.modules.auth.sl20.utils;

import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap;
import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult;
import iaik.security.ec.provider.ECCelerate;
import iaik.security.provider.IAIK;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import org.apache.commons.lang3.RandomStringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jose4j.base64url.Base64Url;
import org.jose4j.jca.ProviderContext;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.lang.JoseException;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

/**
 * Shared JOSE test cases for {@link IJoseTools}: JWE encryption/decryption with RSA and EC keys
 * and JWS signing/verification against a software trust store.
 *
 * <p>Concrete subclasses provide the key material (software key store or HSM-backed provider)
 * through the abstract hooks; the HSM provider, when present, is returned as the second element
 * of {@link #getEncryptionKeyStore()} and is routed into jose4j via a {@link ProviderContext}.
 */
@ContextConfiguration({"/spring/test_eaaf_sl20_hsm.beans.xml"})
@RunWith(SpringJUnit4ClassRunner.class)
public abstract class AbstractJsonSecurityUtilsTest {

    @Autowired
    protected DummyAuthConfigMap config;

    @Autowired
    protected IJoseTools joseTools;

    @Autowired
    protected EaafKeyStoreFactory keyStoreFactory;

    /** Registers the IAIK, IAIK-ECCelerate and BouncyCastle JCA providers for the whole class. */
    @BeforeClass
    public static void classInitializer() {
        IAIK.addAsProvider();
        ECCelerate.addAsProvider();
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Unregisters the IAIK providers added in {@link #classInitializer()}. */
    @AfterClass
    public static final void classFinisher() {
        // NOTE(review): the BouncyCastle provider registered in classInitializer is not removed
        // here, so it stays installed for later test classes in the same JVM — confirm intended.
        Security.removeProvider(IAIK.getInstance().getName());
        Security.removeProvider(ECCelerate.getInstance().getName());
    }

    protected abstract void setRsaSigningKey();

    protected abstract void setEcSigningKey();

    protected abstract void setRsaEncryptionKey();

    protected abstract void setEcEncryptionKey();

    /** Key store holding the encryption keys plus the HSM provider, or {@code null} as second element for software keys. */
    protected abstract Pair<KeyStore, Provider> getEncryptionKeyStore() throws EaafException;

    protected abstract String getRsaKeyAlias();

    protected abstract String getRsaKeyPassword();

    protected abstract String getEcKeyAlias();

    protected abstract String getEcKeyPassword();

    /** Encrypts for the configured encryption certificate and lets {@link IJoseTools} decrypt the result. */
    @Test
    public void fullEncryptDecrypt() throws JoseException, EaafException {
        final String message = randomAacJson();
        final X509Certificate encryptionCert = this.joseTools.getEncryptionCertificate();

        final JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmHeaderValue("ECDH-ES+A256KW");
        jwe.setEncryptionMethodHeaderParameter("A128GCM");
        jwe.setKey(JoseUtils.convertToBcKeyIfRequired(encryptionCert.getPublicKey()));
        jwe.setX509CertSha256ThumbprintHeaderValue(encryptionCert);
        jwe.setPayload(message);

        // NOTE(review): this test routes the supplied key through setSignatureProvider, while
        // encryptionEc uses setGeneralProvider for the same ECDH-ES setup — confirm which one the
        // HSM path actually needs.
        final ProviderContext ctx = bcProviderContext();
        final Provider hsmProvider = getEncryptionKeyStore().getSecond();
        if (hsmProvider != null) {
            ctx.getSuppliedKeyProviderContext().setSignatureProvider(hsmProvider.getName());
        }
        jwe.setProviderContext(ctx);

        final String serialized = jwe.getCompactSerialization();
        Assert.assertNotNull("JWE Encryption", serialized);
        Assert.assertNotNull("JWE Decryption", this.joseTools.decryptPayload(serialized));
    }

    /** RSA-OAEP-256 encryption for the RSA test key; only the serialization step is checked. */
    @Test
    public void encryptionRsa() throws JoseException, EaafException {
        final String message = randomAacJson();
        final Pair<KeyStore, Provider> encryptionKeyStore = getEncryptionKeyStore();
        final Pair<?, ?> rsaKeyAndChain = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
                encryptionKeyStore.getFirst(), getRsaKeyAlias(), getRsaKeyPassword().toCharArray(), true, "jUnit RSA JWE");

        final JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmHeaderValue("RSA-OAEP-256");
        jwe.setEncryptionMethodHeaderParameter("A128GCM");
        jwe.setKey(((X509Certificate[]) rsaKeyAndChain.getSecond())[0].getPublicKey());
        jwe.setPayload(message);

        final Provider hsmProvider = encryptionKeyStore.getSecond();
        if (hsmProvider != null) {
            final ProviderContext ctx = new ProviderContext();
            ctx.getSuppliedKeyProviderContext().setSignatureProvider(hsmProvider.getName());
            jwe.setProviderContext(ctx);
        }

        Assert.assertNotNull("JWE", jwe.getCompactSerialization());
    }

    /** ECDH-ES+A256KW round trip with the EC test key: encrypt, then decrypt with the private key. */
    @Test
    public void encryptionEc() throws JoseException, EaafException {
        final String message = randomAacJson();
        final Pair<KeyStore, Provider> encryptionKeyStore = getEncryptionKeyStore();
        // NOTE(review): the friendly name still says "RSA" although the EC key is loaded;
        // it is only a label, so it is kept as-is.
        final Pair<?, ?> ecKeyAndChain = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
                encryptionKeyStore.getFirst(), getEcKeyAlias(), getEcKeyPassword().toCharArray(), true, "jUnit RSA JWE");
        final Provider hsmProvider = encryptionKeyStore.getSecond();

        final JsonWebEncryption encryptor = new JsonWebEncryption();
        encryptor.setAlgorithmHeaderValue("ECDH-ES+A256KW");
        encryptor.setEncryptionMethodHeaderParameter("A128GCM");
        encryptor.setKey(JoseUtils.convertToBcKeyIfRequired(((X509Certificate[]) ecKeyAndChain.getSecond())[0].getPublicKey()));
        encryptor.setPayload(message);
        encryptor.setProviderContext(ecKeyProviderContext(hsmProvider));

        final String serialized = encryptor.getCompactSerialization();
        Assert.assertNotNull("JWE", serialized);

        final JsonWebEncryption decryptor = new JsonWebEncryption();
        decryptor.setCompactSerialization(serialized);
        decryptor.setKey(JoseUtils.convertToBcKeyIfRequired((Key) ecKeyAndChain.getFirst()));
        decryptor.setProviderContext(ecKeyProviderContext(hsmProvider));

        final String decrypted = decryptor.getPayload();
        Assert.assertNotNull("decrypted Payload", decrypted);
        Assert.assertEquals("Decrypted message not match", message, decrypted);
    }

    /** A valid RSA signature must be rejected when the trust store holds only EC certificates. */
    @Test
    public void noTrustedCert() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException {
        setRsaSigningKey();
        setRsaEncryptionKey();
        final String jws = createRandomSignature();
        try {
            verify(jws, getSigTrustStoreConfigOnlyEc());
            Assert.fail("Wrong JOSE Sig not detected");
        } catch (JoseException e) {
            Assert.assertEquals("Wrong errorCode", "Can NOT select verification key for JWS. Signature verification FAILED", e.getMessage());
        }
    }

    /** Swapping the payload of a valid JWS while keeping header and signature must fail verification. */
    @Test
    public void invalidSignature() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException {
        setRsaSigningKey();
        setRsaEncryptionKey();
        final String jws = createRandomSignature();
        final String tampered = replacePayload(jws, aacJson(RandomStringUtils.randomAlphabetic(25)));
        Assert.assertFalse("wrong sig. verification state",
                verify(tampered, getSigTrustStoreConfigValid()).isValidSigned());
    }

    @Test
    public void validSigningRsa() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException {
        setRsaSigningKey();
        setRsaEncryptionKey();
        assertValidSignature(verify(createRandomSignature(), getSigTrustStoreConfigValid()));
    }

    /** Same as {@link #validSigningRsa()} but with the RSA signature algorithm switched to PS256. */
    @Test
    public void validSigningRsaPss() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException {
        this.config.putConfigValue("modules.sl20.security.sigalg.rsa", "PS256");
        setRsaSigningKey();
        setRsaEncryptionKey();
        assertValidSignature(verify(createRandomSignature(), getSigTrustStoreConfigValid()));
    }

    @Test
    public void validSigningEc() throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException {
        setEcSigningKey();
        setEcEncryptionKey();
        assertValidSignature(verify(createRandomSignature(), getSigTrustStoreConfigValid()));
    }

    /** Trust store containing both the RSA and the EC test certificates. */
    protected KeyStoreConfiguration getSigTrustStoreConfigValid() {
        return softJksTrustStore("src/test/resources/data/junit.jks");
    }

    /** Trust store without the RSA test certificate. */
    protected KeyStoreConfiguration getSigTrustStoreConfigOnlyEc() {
        return softJksTrustStore("src/test/resources/data/junit_no_rsa.jks");
    }

    /** Whitelist constraint built from the SL2.0 signing-algorithm list. */
    private AlgorithmConstraints getDefaultAlgorithmConstrains() {
        final String[] allowed = (String[]) SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.toArray(new String[0]);
        return new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, allowed);
    }

    /** Software JKS trust store configuration for the given file, using the test password. */
    private static KeyStoreConfiguration softJksTrustStore(final String path) {
        final KeyStoreConfiguration cfg = new KeyStoreConfiguration();
        cfg.setFriendlyName("jUnit TrustStore");
        cfg.setKeyStoreType(KeyStoreConfiguration.KeyStoreType.JKS);
        cfg.setSoftKeyStoreFilePath(path);
        cfg.setSoftKeyStorePassword("password");
        return cfg;
    }

    /** Wraps {@code aac} into the single-field JSON document used as test payload. */
    private static String aacJson(final String aac) {
        return "{\"aac\":\"" + aac + "\"}";
    }

    /** Payload with a fresh random 100-character alphanumeric {@code aac} value. */
    private static String randomAacJson() {
        return aacJson(RandomStringUtils.randomAlphanumeric(100));
    }

    /** Provider context that routes JCA operations to BouncyCastle ("BC"). */
    private static ProviderContext bcProviderContext() {
        final ProviderContext ctx = new ProviderContext();
        ctx.getGeneralProviderContext().setGeneralProvider("BC");
        return ctx;
    }

    /**
     * Provider context for the EC tests: BC in general, with operations on the supplied key
     * delegated to {@code keyProvider} (the HSM provider) when one is configured.
     */
    private static ProviderContext ecKeyProviderContext(final Provider keyProvider) {
        final ProviderContext ctx = bcProviderContext();
        if (keyProvider != null) {
            ctx.getSuppliedKeyProviderContext().setGeneralProvider(keyProvider.getName());
        }
        return ctx;
    }

    /** Signs a random payload with the currently configured signing key and asserts a JWS came back. */
    private String createRandomSignature() throws JoseException, EaafException {
        final String jws = this.joseTools.createSignature(randomAacJson());
        Assert.assertNotNull("Signed msg", jws);
        return jws;
    }

    /** Verifies {@code jws} against a trust store built from {@code trustStoreConfig} with the default constraints. */
    private VerificationResult verify(final String jws, final KeyStoreConfiguration trustStoreConfig)
            throws CertificateEncodingException, KeyStoreException, JoseException, IOException, EaafException {
        final KeyStore trustStore = (KeyStore) this.keyStoreFactory.buildNewKeyStore(trustStoreConfig).getFirst();
        return this.joseTools.validateSignature(jws, trustStore, getDefaultAlgorithmConstrains());
    }

    /** Rebuilds a compact JWS with the original header and signature but {@code newPayload} in between. */
    private static String replacePayload(final String jws, final String newPayload) {
        final String header = jws.substring(0, jws.indexOf("."));
        final String signature = jws.substring(jws.lastIndexOf(".") + 1);
        return header + "." + Base64Url.encodeUtf8ByteRepresentation(newPayload) + "." + signature;
    }

    /** Asserts a successful verification exposing header, payload and certificate chain. */
    private static void assertValidSignature(final VerificationResult result) {
        Assert.assertTrue("wrong verify state", result.isValidSigned());
        Assert.assertNotNull("JWS Header", result.getJoseHeader());
        Assert.assertNotNull("JWS Payload", result.getPayload());
        Assert.assertNotNull("CertChain", result.getCertChain());
    }
}
