package net.jsign.jca;

import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Base64;
import java.util.function.Function;
import net.jadler.Jadler;
import net.jsign.DigestAlgorithm;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

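/**
 * Tests for {@link HashiCorpVaultSigningService} against a local Jadler HTTP stub.
 *
 * <p>The stub answers 404 to every request that no test has registered, so the error-path
 * tests work by deliberately leaving the relevant endpoint unstubbed. The positive stubs
 * match on the {@code Authorization: Bearer token} header, which means a request that
 * omits or alters the token falls through to 404 and fails the test.
 *
 * <p>The endpoint is plain HTTP on loopback and the token is a dummy value; both are test
 * fixtures only.
 */
public class HashiCorpVaultSigningServiceTest {

    /** Dummy Vault token handed to the service under test. */
    private static final String TOKEN = "token";

    /** Data the signing tests hash and sign. */
    private static final String PAYLOAD = "0123456789ABCDEF0123456789ABCDEF";

    /** Key metadata as returned for a key held by the GCP KMS secrets engine. */
    private static final String GCPKMS_KEY_JSON = "{  \"data\": {    \"id\": \"projects/first-rain-123/locations/global/keyRings/mykeyring/cryptoKeys/key1\",     \"algorithm\": \"rsa_sign_pkcs1_2048_sha256\"  }}";

    /** Key metadata as returned for a key held by the transit secrets engine. */
    private static final String TRANSIT_KEY_JSON = "{  \"data\": {    \"type\": \"rsa-2048\"  }}";

    @Before
    public void setUp() {
        // Anything not explicitly stubbed is answered with 404.
        Jadler.initJadler().withDefaultResponseStatus(404);
    }

    @After
    public void tearDown() {
        Jadler.closeJadler();
    }

    /** Creates a service bound to the stub server, without a certificate store. */
    private static HashiCorpVaultSigningService newService() {
        // The parameter type is taken from the lambda used in testGetCertificateChain.
        return new HashiCorpVaultSigningService("http://localhost:" + Jadler.port(), TOKEN, (Function<String, Certificate[]>) null);
    }

    /** Registers the authenticated {@code GET /keys/key1} stub returning the given metadata. */
    private static void stubKeyMetadata(String responseBody) {
        Jadler.onRequest()
                .havingMethodEqualTo("GET")
                .havingPathEqualTo("/keys/key1")
                .havingHeaderEqualTo("Authorization", "Bearer token")
                .respond()
                .withStatus(200)
                .withBody(responseBody);
    }

    /**
     * Registers the authenticated {@code POST /sign/key1} stub. The request body must match
     * exactly, so the test also pins the key version and the digest sent to the server.
     */
    private static void stubSign(String expectedRequestBody, String responseBody) {
        Jadler.onRequest()
                .havingMethodEqualTo("POST")
                .havingPathEqualTo("/sign/key1")
                .havingHeaderEqualTo("Authorization", "Bearer token")
                .havingBodyEqualTo(expectedRequestBody)
                .respond()
                .withStatus(200)
                .withBody(responseBody);
    }

    private static String base64(byte[] data) {
        return Base64.getEncoder().encodeToString(data);
    }

    private static byte[] payload() {
        // Explicit charset so the bytes do not depend on the platform default.
        return PAYLOAD.getBytes(StandardCharsets.UTF_8);
    }

    @Test
    public void testGetCertificateChain() throws Exception {
        HashiCorpVaultSigningService service = new HashiCorpVaultSigningService("http://localhost:" + Jadler.port() + "/", TOKEN, alias -> {
            // The certificate store ignores the alias and always returns the same chain.
            try (FileInputStream in = new FileInputStream("target/test-classes/keystores/jsign-test-certificate-full-chain.pem")) {
                return CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new Certificate[0]);
            } catch (IOException | CertificateException e) {
                throw new RuntimeException("Failed to load the certificate", e);
            }
        });

        Certificate[] chain = service.getCertificateChain("key1");
        Assert.assertNotNull("chain", chain);
        Assert.assertEquals("number of certificates", 3, chain.length);
    }

    @Test
    public void testGetAliases() throws Exception {
        Jadler.onRequest()
                .havingMethodEqualTo("GET")
                .havingPathEqualTo("/keys")
                .havingQueryStringEqualTo("list=true")
                .havingHeaderEqualTo("Authorization", "Bearer token")
                .respond()
                .withStatus(200)
                .withBody("{  \"data\": {    \"keys\": [\"key1\", \"key2\", \"key3\"]  }}");

        Assert.assertEquals("aliases", Arrays.asList("key1", "key2", "key3"), newService().aliases());
    }

    @Test
    public void testGetAliasesError() {
        // No stub registered: the listing request gets a 404.
        HashiCorpVaultSigningService service = newService();
        Assert.assertThrows(KeyStoreException.class, service::aliases);
    }

    @Test
    public void testMissingKeyVersion() {
        // An alias without the ":version" suffix is rejected.
        HashiCorpVaultSigningService service = newService();
        UnrecoverableKeyException e = Assert.assertThrows(UnrecoverableKeyException.class,
                () -> service.getPrivateKey("key1", (char[]) null));
        Assert.assertEquals("message", "Unable to fetch HashiCorp Vault private key 'key1' (missing key version)", e.getMessage());
    }

    @Test
    public void testGetPrivateKeyGCPKMS() throws Exception {
        stubKeyMetadata(GCPKMS_KEY_JSON);
        HashiCorpVaultSigningService service = newService();

        SigningServicePrivateKey privateKey = service.getPrivateKey("key1:7", (char[]) null);
        Assert.assertNotNull("privateKey", privateKey);
        Assert.assertEquals("keyId", "key1:7", privateKey.getId());
        Assert.assertEquals("algorithm", "RSA", privateKey.getAlgorithm());

        // A second lookup of the same alias must return the very same object.
        Assert.assertSame("privateKey", privateKey, service.getPrivateKey("key1:7", (char[]) null));
    }

    @Test
    public void testGetPrivateKeyTransit() throws Exception {
        stubKeyMetadata(TRANSIT_KEY_JSON);
        HashiCorpVaultSigningService service = newService();

        SigningServicePrivateKey privateKey = service.getPrivateKey("key1:7", (char[]) null);
        Assert.assertNotNull("privateKey", privateKey);
        Assert.assertEquals("keyId", "key1:7", privateKey.getId());
        Assert.assertEquals("algorithm", "RSA", privateKey.getAlgorithm());

        // A second lookup of the same alias must return the very same object.
        Assert.assertSame("privateKey", privateKey, service.getPrivateKey("key1:7", (char[]) null));
    }

    @Test
    public void testGetPrivateKeyError() {
        // No stub registered: the key metadata request gets a 404.
        HashiCorpVaultSigningService service = newService();
        UnrecoverableKeyException e = Assert.assertThrows(UnrecoverableKeyException.class,
                () -> service.getPrivateKey("key1:7", (char[]) null));
        Assert.assertEquals("message", "Unable to fetch HashiCorp Vault private key 'key1:7'", e.getMessage());
    }

    @Test
    public void testSignGCPKMS() throws Exception {
        byte[] data = payload();
        byte[] digest = DigestAlgorithm.SHA256.getMessageDigest().digest(data);

        stubKeyMetadata(GCPKMS_KEY_JSON);
        // Only the SHA-256 digest and the pinned key version are expected in the request.
        stubSign("{\"key_version\":\"7\",\"digest\":\"" + base64(digest) + "\"}",
                "{  \"data\": {    \"signature\": \"" + base64(new byte[32]) + "\"  }}");

        HashiCorpVaultSigningService service = newService();
        byte[] signature = service.sign(service.getPrivateKey("key1:7", (char[]) null), "SHA256withRSA", data);
        Assert.assertNotNull("signature", signature);
        Assert.assertArrayEquals("signature", new byte[32], signature);
    }

    @Test
    public void testSignTransit() throws Exception {
        byte[] data = payload();
        byte[] digest = DigestAlgorithm.SHA384.getMessageDigest().digest(data);

        stubKeyMetadata(TRANSIT_KEY_JSON);
        // The expected request carries the prehashed SHA-384 digest, the pinned key version and
        // the PKCS#1 v1.5 scheme; the stubbed signature is prefixed with "vault:v7:".
        stubSign("{\"prehashed\":true,\"input\":\"" + base64(digest) + "\",\"key_version\":\"7\",\"hash_algorithm\":\"sha2-384\",\"signature_algorithm\":\"pkcs1v15\"}",
                "{  \"data\": {    \"signature\": \"vault:v7:" + base64(new byte[32]) + "\"  }}");

        HashiCorpVaultSigningService service = newService();
        byte[] signature = service.sign(service.getPrivateKey("key1:7", (char[]) null), "SHA384withRSA", data);
        // NOTE(review): only non-null is checked here; the decoded bytes are not compared.
        Assert.assertNotNull("signature", signature);
    }

    @Test
    public void testSignErrorGCPKMS() throws Exception {
        byte[] data = payload();
        stubKeyMetadata(GCPKMS_KEY_JSON);

        HashiCorpVaultSigningService service = newService();
        SigningServicePrivateKey privateKey = service.getPrivateKey("key1:7", (char[]) null);

        // The sign endpoint is not stubbed, so the signing request gets a 404.
        Assert.assertThrows(GeneralSecurityException.class, () -> service.sign(privateKey, "SHA256withRSA", data));
    }

    @Test
    public void testSignErrorTransit() throws Exception {
        byte[] data = payload();
        stubKeyMetadata(TRANSIT_KEY_JSON);

        HashiCorpVaultSigningService service = newService();
        SigningServicePrivateKey privateKey = service.getPrivateKey("key1:7", (char[]) null);

        // The sign endpoint is not stubbed, so the signing request gets a 404.
        Assert.assertThrows(GeneralSecurityException.class, () -> service.sign(privateKey, "SHA256withRSA", data));
    }
}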
