package net.jsign.jca;

import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.function.Function;
import net.jadler.Jadler;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.MockedStatic;
import org.mockito.Mockito;
import sun.net.www.MessageHeader;
import sun.net.www.protocol.https.HttpsURLConnectionImpl;

/* loaded from: input_file:net/jsign/jca/AmazonSigningServiceTest.class */
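/**
 * Tests for {@link AmazonSigningService}.
 *
 * <p>Most tests point the service at a local Jadler HTTP stub instead of the real
 * KMS endpoint and replay canned JSON responses from {@code target/test-classes/services}.
 * The stubs match on HTTP method, path and the {@code X-Amz-Target} header only; they do
 * not verify the request signature. The signature itself is pinned separately by
 * {@link #testSignRequest(boolean)}.
 */
public class AmazonSigningServiceTest {
    @Before
    public void setUp() {
        // Requests that no test has stubbed are answered with 404 rather than a success
        Jadler.initJadler().withDefaultResponseStatus(404);
    }

    @After
    public void tearDown() {
        Jadler.closeJadler();
    }

    /**
     * Builds a service bound to the Jadler stub server.
     *
     * @return a signing service using placeholder credentials and a certificate chain
     *         loaded from the test PEM file
     */
    private SigningService getTestService() {
        // Placeholder values, not real AWS credentials
        AmazonCredentials credentials = new AmazonCredentials("accessKey", "secretKey", (String) null);
        return new AmazonSigningService(() -> credentials, alias -> {
            // try-with-resources closes the stream on both the success and the failure path
            try (FileInputStream in = new FileInputStream("target/test-classes/keystores/jsign-test-certificate-full-chain.pem")) {
                return CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
            } catch (IOException | CertificateException e) {
                throw new RuntimeException("Failed to load the certificate", e);
            }
        }, "http://localhost:" + Jadler.port());
    }

    @Test
    public void testGetAliases() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.ListKeys")
                .respond()
                .withStatus(200)
                .withContentType("application/x-amz-json-1.1")
                .withBody(new FileReader("target/test-classes/services/aws-listkeys.json"));

        SigningService service = getTestService();

        Assert.assertEquals("aliases", Arrays.asList("2d9ca5b0-6d51-4727-9dfc-186e62e4c5e2", "935ecb66-5c06-495b-babe-5798b1c0e1a8"), service.aliases());
    }

    @Test
    public void testGetAliasesWithError() {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.ListKeys")
                .respond()
                .withStatus(400)
                .withContentType("application/x-amz-json-1.1")
                .withBody("{\"__type\":\"UnrecognizedClientException\",\"message\":\"The security token included in the request is invalid.\"}");

        SigningService service = getTestService();

        // The service error is expected as the cause of the KeyStoreException
        Exception e = Assert.assertThrows(KeyStoreException.class, service::aliases);
        Assert.assertEquals("message", "UnrecognizedClientException: The security token included in the request is invalid.", e.getCause().getMessage());
    }

    @Test
    public void testGetCertificateChain() throws Exception {
        Certificate[] chain = getTestService().getCertificateChain("key1");
        Assert.assertNotNull("chain", chain);
        Assert.assertEquals("number of certificates", 3, chain.length);
    }

    @Test
    public void testGetPrivateKeyRSA() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-describekey-rsa.json"));

        SigningService service = getTestService();

        SigningServicePrivateKey key = service.getPrivateKey("jsign-rsa-2048", (char[]) null);
        Assert.assertNotNull("null key", key);
        Assert.assertEquals("id", "jsign-rsa-2048", key.getId());
        Assert.assertEquals("algorithm", "RSA", key.getAlgorithm());

        // A second lookup must hand back the very same instance
        Assert.assertSame("private key not cached", key, service.getPrivateKey("jsign-rsa-2048", (char[]) null));
    }

    @Test
    public void testGetPrivateKeyEC() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-describekey-ec.json"));

        SigningService service = getTestService();

        SigningServicePrivateKey key = service.getPrivateKey("jsign-ec-384", (char[]) null);
        Assert.assertNotNull("null key", key);
        Assert.assertEquals("id", "jsign-ec-384", key.getId());
        Assert.assertEquals("algorithm", "EC", key.getAlgorithm());

        // A second lookup must hand back the very same instance
        Assert.assertSame("private key not cached", key, service.getPrivateKey("jsign-ec-384", (char[]) null));
    }

    @Test
    public void testGetPrivateKeyDisabled() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-describekey-disabled.json"));

        SigningService service = getTestService();

        // A key that is not in the enabled state must not be usable for signing
        Exception e = Assert.assertThrows(UnrecoverableKeyException.class, () -> service.getPrivateKey("jsign-rsa-2048", (char[]) null));
        Assert.assertEquals("message", "The key 'jsign-rsa-2048' is not enabled (PendingImport)", e.getMessage());
    }

    @Test
    public void testGetPrivateKeyWithWrongUsage() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-describekey-encrypt.json"));

        SigningService service = getTestService();

        // A key whose declared usage is not signing must be refused
        Exception e = Assert.assertThrows(UnrecoverableKeyException.class, () -> service.getPrivateKey("jsign-rsa-2048", (char[]) null));
        Assert.assertEquals("message", "The key 'jsign-rsa-2048' is not a signing key", e.getMessage());
    }

    @Test
    public void testGetPrivateKeyWithError() {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(400)
                .withContentType("application/json")
                .withBody("{\"__type\":\"NotFoundException\",\"message\":\"Alias arn:aws:kms:eu-west-3:829022948260:alias/jsign-rsa-2048 is not found.\"}");

        SigningService service = getTestService();

        Exception e = Assert.assertThrows(UnrecoverableKeyException.class, () -> service.getPrivateKey("jsign-rsa-2048", (char[]) null));
        Assert.assertEquals("message", "NotFoundException: Alias arn:aws:kms:eu-west-3:829022948260:alias/jsign-rsa-2048 is not found.", e.getCause().getMessage());
    }

    @Test
    public void testSign() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-describekey-rsa.json"));
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.Sign")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-sign.json"));

        SigningService service = getTestService();
        SigningServicePrivateKey key = service.getPrivateKey("jsign-rsa-2048", (char[]) null);

        // Explicit charset so the signed bytes do not depend on the platform default
        byte[] signature = service.sign(key, "SHA256withRSA", "Hello".getBytes(StandardCharsets.UTF_8));

        // The signature is whatever the canned Sign response contains; it is compared, not verified
        Assert.assertEquals("signature", "MiZ/YXfluqyuMfR3cnChG7+K7JmU2b8SzBAc6+WOpWQwIV4GfkLcRe0A68H45Lf+XPiMPPLrs7EqOv1EAnkYDFx5AqZBTWBfoaBeqKpy30OBvNbxIsaTLsaJYGypwmHOUTP+Djz7FxQUyM0uWVfUnHUDT564gQLz0cta6PKE/oMUo9fZhpv5VQcgfrbdUlPaD/cSAOb833ZSRzPWbnqztWO6py5sUugvqGFHKhsEXesx5yrPvJTKu5HVF3QM3E8YrgnVfFK14W8oyTJmXIWQxfYpwm/CW037UmolDMqwc3mjx1758kR+9lOcf8c/LSmD/SVD18SDSK4FyLQWOmn16A==", Base64.getEncoder().encodeToString(signature));
    }

    @Test
    public void testSignWithInvalidAlgorithm() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-describekey-rsa.json"));

        SigningService service = getTestService();
        SigningServicePrivateKey key = service.getPrivateKey("jsign-rsa-2048", (char[]) null);

        // Only DescribeKey is stubbed: the SHA-1 request is expected to be refused by the
        // service class itself (message on the exception, not on a cause), presumably
        // before any Sign request is sent
        Exception e = Assert.assertThrows(GeneralSecurityException.class, () -> service.sign(key, "SHA1withRSA", "Hello".getBytes(StandardCharsets.UTF_8)));
        Assert.assertEquals("message", "Unsupported signing algorithm: SHA1withRSA", e.getMessage());
    }

    @Test
    public void testSignWithError() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.DescribeKey")
                .respond()
                .withStatus(200)
                .withContentType("application/json")
                .withBody(new FileReader("target/test-classes/services/aws-describekey-rsa.json"));
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/")
                .havingHeaderEqualTo("X-Amz-Target", "TrentService.Sign")
                .respond()
                .withStatus(400)
                .withContentType("application/json")
                .withBody("{\"__type\":\"KMSInvalidStateException\",\"message\":\"arn:aws:kms:eu-west-3:829022948260:key/935ecb66-5c06-495b-babe-5798b1c0e1a8 is pending deletion.\"}");

        SigningService service = getTestService();
        SigningServicePrivateKey key = service.getPrivateKey("jsign-rsa-2048", (char[]) null);

        Exception e = Assert.assertThrows(GeneralSecurityException.class, () -> service.sign(key, "SHA256withRSA", "Hello".getBytes(StandardCharsets.UTF_8)));
        Assert.assertEquals("message", "KMSInvalidStateException: arn:aws:kms:eu-west-3:829022948260:key/935ecb66-5c06-495b-babe-5798b1c0e1a8 is pending deletion.", e.getCause().getMessage());
    }

    @Test
    public void testSignRequestWithoutSessionToken() throws Exception {
        testSignRequest(false);
    }

    @Test
    public void testSignRequestWithSessionToken() throws Exception {
        testSignRequest(true);
    }

    /**
     * Signs a fixed ListKeys request at a fixed date and pins the resulting headers.
     *
     * <p>The connection is only prepared, never connected in this method. The expected
     * {@code Authorization} value is the same with and without a session token, and its
     * {@code SignedHeaders} list does not name {@code x-amz-security-token}: the token
     * header is asserted to be present but is not covered by the pinned signature.
     *
     * @param z {@code true} to build the credentials with a session token,
     *          {@code false} to leave the token {@code null}
     * @throws Exception if the request cannot be prepared or signed
     */
    public void testSignRequest(boolean z) throws Exception {
        // Placeholder values, not real AWS credentials
        AmazonCredentials credentials = new AmazonCredentials("accessKey", "secretKey", z ? "sessionToken" : null);
        AmazonSigningService service = new AmazonSigningService("eu-west-3", credentials, (Function<String, Certificate[]>) null);

        HttpURLConnection conn = (HttpURLConnection) new URL("https://kms.eu-west-3.amazonaws.com").openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("User-Agent", "Jsign (https://ebourg.github.io/jsign/)");
        conn.setRequestProperty("X-Amz-Target", "TrentService.ListKeys");
        conn.setRequestProperty("Content-Type", "application/x-amz-json-1.1");

        // Fixed body bytes and a fixed date (epoch) keep the signature reproducible
        service.sign(conn, credentials, "{}".getBytes(StandardCharsets.UTF_8), new Date(0L));

        Assert.assertEquals("X-Amz-Date", "19700101T000000Z", conn.getRequestProperty("X-Amz-Date"));
        Assert.assertEquals("X-Amz-Security-Token", credentials.getSessionToken(), conn.getRequestProperty("X-Amz-Security-Token"));
        Assert.assertEquals("Authorization", "AWS4-HMAC-SHA256 Credential=accessKey/19700101/eu-west-3/kms/aws4_request, SignedHeaders=content-type;host;user-agent;x-amz-date;x-amz-target, Signature=6247e3c7f2e50e806e32843924b94c860b6a3721fd12f9b99d8d8d140795e4c5", getAuthorizationHeaderValue(conn));
    }

    /**
     * Reads the {@code Authorization} request header straight from the JDK's internal
     * connection state.
     *
     * <p>Reflection is used because the JDK implementation does not hand this header back
     * through {@code getRequestProperty}. The lookup depends on the private fields
     * {@code delegate} and {@code requests} of {@code sun.net.www} classes, so it is tied
     * to the JDK implementation; on JDKs that enforce strong encapsulation the test run
     * needs those packages opened, otherwise {@code setAccessible} fails.
     *
     * @param httpURLConnection an HTTPS connection created by the default JDK handler
     * @return the value of the Authorization header, or {@code null} if none was set
     * @throws Exception if the internal fields cannot be found or accessed
     */
    private String getAuthorizationHeaderValue(HttpURLConnection httpURLConnection) throws Exception {
        Field delegateField = HttpsURLConnectionImpl.class.getDeclaredField("delegate");
        Field requestsField = sun.net.www.protocol.http.HttpURLConnection.class.getDeclaredField("requests");
        AccessibleObject.setAccessible(new Field[]{delegateField, requestsField}, true);

        Object delegate = delegateField.get(httpURLConnection);
        MessageHeader requests = (MessageHeader) requestsField.get(delegate);
        return requests.findValue("Authorization");
    }

    @Test
    public void testGetEndpointUrl() {
        // The two static mocks are opened one after the other, never at the same time;
        // each try-with-resources releases its mock even when an assertion fails
        try (MockedStatic<AmazonSigningService> ignored = Mockito.mockStatic(AmazonSigningService.class, Mockito.CALLS_REAL_METHODS)) {
            Mockito.when(AmazonSigningService.getenv("AWS_USE_FIPS_ENDPOINT")).thenReturn("false");
            Assert.assertEquals("https://kms.us-west-2.amazonaws.com", AmazonSigningService.getEndpointUrl("us-west-2"));
        }

        try (MockedStatic<AmazonSigningService> ignored = Mockito.mockStatic(AmazonSigningService.class, Mockito.CALLS_REAL_METHODS)) {
            Mockito.when(AmazonSigningService.getenv("AWS_USE_FIPS_ENDPOINT")).thenReturn("true");
            Assert.assertEquals("https://kms-fips.us-west-2.amazonaws.com", AmazonSigningService.getEndpointUrl("us-west-2"));
        }
    }
}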
