package org.eclipse.sensinact.gateway.southbound.mqtt.test;

import io.moquette.broker.Server;
import io.moquette.broker.config.MemoryConfig;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLHandshakeException;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemWriter;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;
import org.eclipse.sensinact.gateway.southbound.mqtt.api.IMqttMessage;
import org.eclipse.sensinact.gateway.southbound.mqtt.api.IMqttMessageListener;
import org.eclipse.sensinact.gateway.southbound.mqtt.impl.MqttClientConfiguration;
import org.eclipse.sensinact.gateway.southbound.mqtt.impl.MqttClientHandler;
import org.eclipse.sensinact.gateway.southbound.mqtt.impl.SSLUtils;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/sensinact/gateway/southbound/mqtt/test/MqttSslAuthTest.class */
public class MqttSslAuthTest {
    private static final String SERVER_CERT_P12 = "src/test/resources/server.p12";
    private static final String SERVER_CERT_PASS = "secret";
    private static final String CLIENT_CERT_P12 = "src/test/resources/client.p12";
    private static final String CLIENT_CERT_PEM = "src/test/resources/client.pem";
    private static final String CLIENT_CERT_KEY_PEM = "src/test/resources/client.key";
    private static final String CLIENT_CERT_UNSIGNED_P12 = "src/test/resources/client_unsigned.p12";
    private static final String CLIENT_CERT_UNSIGNED_WITH_CA_P12 = "src/test/resources/client_unsigned_with_ca.p12";
    private static final String CLIENT_CERT_PASS = "titi21";
    private static final String TRUST_CERT_P12 = "src/test/resources/ca.p12";
    private static final String TRUST_CERT_PEM = "src/test/resources/ca.pem";
    private static final String TRUST_CERT_PASS = "secret";
    private MqttClient client;
    private Server server;
    private final List<MqttClientHandler> handlers = new ArrayList();
    final Logger logger = LoggerFactory.getLogger(getClass());

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/eclipse/sensinact/gateway/southbound/mqtt/test/MqttSslAuthTest$CertificateKeyPair.class */
    public static class CertificateKeyPair {
        private KeyPair keypair;
        private Certificate certificate;

        private CertificateKeyPair() {
        }
    }

    @BeforeAll
    static void generateCertificates() throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        X509Certificate generateSelfSignedCertificate = generateSelfSignedCertificate(makeName("Certificate Authority", "ca"), generateKeyPair, true);
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null);
        keyStore.setCertificateEntry("ca", generateSelfSignedCertificate);
        FileOutputStream fileOutputStream = new FileOutputStream(TRUST_CERT_P12);
        try {
            keyStore.store(fileOutputStream, "secret".toCharArray());
            fileOutputStream.close();
            writePemCertificate(generateSelfSignedCertificate, TRUST_CERT_PEM);
            makeSignedKeystore("localhost", "server", SERVER_CERT_P12, "secret", generateKeyPair, generateSelfSignedCertificate);
            CertificateKeyPair makeSignedKeystore = makeSignedKeystore("Signed Client", "client", CLIENT_CERT_P12, CLIENT_CERT_PASS, generateKeyPair, generateSelfSignedCertificate);
            writePemCertificate(makeSignedKeystore.certificate, CLIENT_CERT_PEM);
            writePemPrivateKey(makeSignedKeystore.keypair.getPrivate(), CLIENT_CERT_KEY_PEM);
            makeUnsignedKeyStore("Self-Signed Client", "client", CLIENT_CERT_UNSIGNED_P12, CLIENT_CERT_PASS);
            KeyStore keyStore2 = KeyStore.getInstance("PKCS12");
            FileInputStream fileInputStream = new FileInputStream(CLIENT_CERT_UNSIGNED_P12);
            try {
                keyStore2.load(fileInputStream, CLIENT_CERT_PASS.toCharArray());
                fileInputStream.close();
                keyStore2.setCertificateEntry("ca", generateSelfSignedCertificate);
                fileOutputStream = new FileOutputStream(CLIENT_CERT_UNSIGNED_WITH_CA_P12);
                try {
                    keyStore2.store(fileOutputStream, CLIENT_CERT_PASS.toCharArray());
                    fileOutputStream.close();
                } finally {
                }
            } catch (Throwable th) {
                try {
                    fileInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        } finally {
        }
    }

    @AfterAll
    static void cleanupCertificates() {
        Iterator it = Arrays.asList(SERVER_CERT_P12, CLIENT_CERT_P12, CLIENT_CERT_KEY_PEM, CLIENT_CERT_PEM, CLIENT_CERT_UNSIGNED_P12, CLIENT_CERT_UNSIGNED_WITH_CA_P12, TRUST_CERT_P12, TRUST_CERT_PEM).iterator();
        while (it.hasNext()) {
            try {
                Files.deleteIfExists(Paths.get((String) it.next(), new String[0]));
            } catch (IOException e) {
            }
        }
    }

    static X500Name makeName(String str, String str2) {
        return new X500Name(String.format("C=FR, O=Test, OU=%s, CN=%s", str2, str));
    }

    static CertificateKeyPair makeSignedKeystore(String str, String str2, String str3, String str4, KeyPair keyPair, X509Certificate x509Certificate) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        X509Certificate signCSR = signCSR(new JcaPKCS10CertificationRequestBuilder(makeName(str, str2), generateKeyPair.getPublic()).build(new JcaContentSignerBuilder("SHA256withRSA").build(generateKeyPair.getPrivate())), keyPair, x509Certificate);
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, str4.toCharArray());
        keyStore.setCertificateEntry("ca", x509Certificate);
        keyStore.setKeyEntry(str2, generateKeyPair.getPrivate(), str4.toCharArray(), new X509Certificate[]{signCSR, x509Certificate});
        FileOutputStream fileOutputStream = new FileOutputStream(str3);
        try {
            keyStore.store(fileOutputStream, str4.toCharArray());
            fileOutputStream.close();
            CertificateKeyPair certificateKeyPair = new CertificateKeyPair();
            certificateKeyPair.certificate = signCSR;
            certificateKeyPair.keypair = generateKeyPair;
            return certificateKeyPair;
        } catch (Throwable th) {
            try {
                fileOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    static void makeUnsignedKeyStore(String str, String str2, String str3, String str4) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        X509Certificate generateSelfSignedCertificate = generateSelfSignedCertificate(makeName(str, str2), generateKeyPair, false);
        keyStore.load(null);
        keyStore.setKeyEntry("client_unsigned", generateKeyPair.getPrivate(), CLIENT_CERT_PASS.toCharArray(), new X509Certificate[]{generateSelfSignedCertificate});
        FileOutputStream fileOutputStream = new FileOutputStream(str3);
        try {
            keyStore.store(fileOutputStream, str4.toCharArray());
            fileOutputStream.close();
        } catch (Throwable th) {
            try {
                fileOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    static X509Certificate generateSelfSignedCertificate(X500Name x500Name, KeyPair keyPair, boolean z) throws Exception {
        long currentTimeMillis = System.currentTimeMillis();
        JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(x500Name, BigInteger.valueOf(currentTimeMillis), new Date(System.currentTimeMillis() - 86400000), new Date(System.currentTimeMillis() + 86400000), x500Name, SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));
        jcaX509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(z));
        return new JcaX509CertificateConverter().getCertificate(jcaX509v3CertificateBuilder.build(new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate())));
    }

    static X509Certificate signCSR(PKCS10CertificationRequest pKCS10CertificationRequest, KeyPair keyPair, X509Certificate x509Certificate) throws Exception {
        AlgorithmIdentifier find = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        AlgorithmIdentifier find2 = new DefaultDigestAlgorithmIdentifierFinder().find(find);
        AsymmetricKeyParameter createKey = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded());
        return new JcaX509CertificateConverter().getCertificate(new X509v3CertificateBuilder(new X509CertificateHolder(x509Certificate.getEncoded()).getSubject(), BigInteger.valueOf(System.currentTimeMillis()), new Date(System.currentTimeMillis() - 86400000), new Date(System.currentTimeMillis() + 86400000), pKCS10CertificationRequest.getSubject(), pKCS10CertificationRequest.getSubjectPublicKeyInfo()).build(new BcRSAContentSignerBuilder(find, find2).build(createKey)));
    }

    private static void writePemCertificate(Certificate certificate, String str) throws FileNotFoundException, IOException, CertificateEncodingException {
        PemWriter pemWriter = new PemWriter(new OutputStreamWriter(new FileOutputStream(str)));
        try {
            pemWriter.writeObject(new PemObject("CERTIFICATE", certificate.getEncoded()));
            pemWriter.close();
        } catch (Throwable th) {
            try {
                pemWriter.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private static void writePemPrivateKey(PrivateKey privateKey, String str) throws FileNotFoundException, IOException {
        String algorithm = privateKey.getAlgorithm();
        if (algorithm == null) {
            algorithm = "";
        }
        PemWriter pemWriter = new PemWriter(new OutputStreamWriter(new FileOutputStream(str)));
        try {
            pemWriter.writeObject(new PemObject(algorithm + " PRIVATE KEY", privateKey.getEncoded()));
            pemWriter.close();
        } catch (Throwable th) {
            try {
                pemWriter.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @BeforeEach
    void start() throws Exception {
        this.server = new Server();
        MemoryConfig memoryConfig = new MemoryConfig(new Properties());
        memoryConfig.setProperty("host", "localhost");
        memoryConfig.setProperty("port", "disabled");
        memoryConfig.setProperty("ssl_port", "2183");
        memoryConfig.setProperty("key_store_type", "PKCS12");
        memoryConfig.setProperty("jks_path", SERVER_CERT_P12);
        memoryConfig.setProperty("key_store_password", "secret");
        memoryConfig.setProperty("key_manager_password", "secret");
        memoryConfig.setProperty("need_client_auth", "true");
        this.server.startServer(memoryConfig);
        this.client = new MqttClient("ssl://localhost:2183", MqttClient.generateClientId());
        MqttConnectOptions mqttConnectOptions = new MqttConnectOptions();
        mqttConnectOptions.setCleanSession(true);
        mqttConnectOptions.setSocketFactory(SSLUtils.setupSSLSocketFactory(makeSslKeystoreConfig(CLIENT_CERT_P12, CLIENT_CERT_PASS, TRUST_CERT_P12, "secret")));
        this.client.connect(mqttConnectOptions);
    }

    @AfterEach
    void stop() throws Exception {
        try {
            if (this.client.isConnected()) {
                this.client.disconnect();
            }
            this.client.close();
            Iterator<MqttClientHandler> it = this.handlers.iterator();
            while (it.hasNext()) {
                it.next().deactivate();
            }
        } finally {
            this.server.stopServer();
        }
    }

    MqttClientConfiguration makeSslKeystoreConfig(String str, String str2, String str3, String str4) {
        MqttClientConfiguration mqttClientConfiguration = (MqttClientConfiguration) Mockito.mock(MqttClientConfiguration.class);
        Mockito.when(mqttClientConfiguration.auth_keystore_type()).thenReturn("PKCS12");
        Mockito.when(mqttClientConfiguration.auth_keystore_path()).thenReturn(str);
        Mockito.when(mqttClientConfiguration._auth_keystore_password()).thenReturn(str2);
        Mockito.when(mqttClientConfiguration.auth_truststore_path()).thenReturn(str3);
        Mockito.when(mqttClientConfiguration._auth_truststore_password()).thenReturn(str4);
        return mqttClientConfiguration;
    }

    MqttClientConfiguration makeSslPemConfig(String str, String str2, String str3, String str4) {
        MqttClientConfiguration mqttClientConfiguration = (MqttClientConfiguration) Mockito.mock(MqttClientConfiguration.class);
        Mockito.when(mqttClientConfiguration.auth_clientcert_path()).thenReturn(str);
        Mockito.when(mqttClientConfiguration.auth_clientcert_key()).thenReturn(str2);
        Mockito.when(mqttClientConfiguration._auth_clientcert_key_password()).thenReturn(str3);
        Mockito.when(mqttClientConfiguration.auth_clientcert_ca_path()).thenReturn(str4);
        return mqttClientConfiguration;
    }

    MqttClientHandler setupHandler(MqttClientConfiguration mqttClientConfiguration, String str, String... strArr) throws Exception {
        MqttClientHandler mqttClientHandler = new MqttClientHandler();
        Mockito.when(mqttClientConfiguration.id()).thenReturn(str);
        Mockito.when(mqttClientConfiguration.host()).thenReturn("localhost");
        Mockito.when(Integer.valueOf(mqttClientConfiguration.port())).thenReturn(2183);
        Mockito.when(mqttClientConfiguration.topics()).thenReturn(strArr);
        mqttClientHandler.activate(mqttClientConfiguration);
        return mqttClientHandler;
    }

    @Test
    void testMqttConnect() throws Exception {
        ArrayBlockingQueue arrayBlockingQueue = new ArrayBlockingQueue(32);
        IMqttMessageListener iMqttMessageListener = (str, str2, iMqttMessage) -> {
            Assertions.assertEquals(str, iMqttMessage.getHandlerId());
            arrayBlockingQueue.add(iMqttMessage);
        };
        this.handlers.add(setupHandler(makeSslKeystoreConfig(CLIENT_CERT_P12, CLIENT_CERT_PASS, TRUST_CERT_P12, "secret"), "id-auth-ssl", "sensinact/mqtt/test"));
        Iterator<MqttClientHandler> it = this.handlers.iterator();
        while (it.hasNext()) {
            it.next().addListener(iMqttMessageListener, Map.of("sensinact.mqtt.topics.filters", new String[]{"sensinact/mqtt/test"}));
        }
        this.client.publish("sensinact/mqtt/test", "HandlerID".getBytes(StandardCharsets.UTF_8), 1, false);
        IMqttMessage iMqttMessage2 = (IMqttMessage) arrayBlockingQueue.poll(1L, TimeUnit.SECONDS);
        Assertions.assertNotNull(iMqttMessage2);
        Assertions.assertEquals(0, arrayBlockingQueue.size());
        Assertions.assertEquals("id-auth-ssl", iMqttMessage2.getHandlerId());
        Assertions.assertEquals("sensinact/mqtt/test", iMqttMessage2.getTopic());
        Assertions.assertEquals("HandlerID", new String(iMqttMessage2.getPayload(), StandardCharsets.UTF_8));
    }

    @Test
    void testMqttRejectUnsigned() throws Exception {
        Iterator it = List.of(CLIENT_CERT_UNSIGNED_P12, CLIENT_CERT_UNSIGNED_WITH_CA_P12).iterator();
        while (it.hasNext()) {
            MqttClientConfiguration makeSslKeystoreConfig = makeSslKeystoreConfig((String) it.next(), CLIENT_CERT_PASS, TRUST_CERT_P12, "secret");
            Assertions.assertInstanceOf(SSLHandshakeException.class, Assertions.assertThrows(MqttException.class, () -> {
                setupHandler(makeSslKeystoreConfig, "id-auth-ssl", "sensinact/mqtt/test");
            }).getCause());
        }
    }

    @Test
    void testMqttConnectPem() throws Exception {
        ArrayBlockingQueue arrayBlockingQueue = new ArrayBlockingQueue(32);
        IMqttMessageListener iMqttMessageListener = (str, str2, iMqttMessage) -> {
            Assertions.assertEquals(str, iMqttMessage.getHandlerId());
            arrayBlockingQueue.add(iMqttMessage);
        };
        this.handlers.add(setupHandler(makeSslPemConfig(CLIENT_CERT_PEM, CLIENT_CERT_KEY_PEM, CLIENT_CERT_PASS, TRUST_CERT_PEM), "id-auth-ssl", "sensinact/mqtt/test"));
        Iterator<MqttClientHandler> it = this.handlers.iterator();
        while (it.hasNext()) {
            it.next().addListener(iMqttMessageListener, Map.of("sensinact.mqtt.topics.filters", new String[]{"sensinact/mqtt/test"}));
        }
        this.client.publish("sensinact/mqtt/test", "HandlerID".getBytes(StandardCharsets.UTF_8), 1, false);
        IMqttMessage iMqttMessage2 = (IMqttMessage) arrayBlockingQueue.poll(1L, TimeUnit.SECONDS);
        Assertions.assertNotNull(iMqttMessage2);
        Assertions.assertEquals(0, arrayBlockingQueue.size());
        Assertions.assertEquals("id-auth-ssl", iMqttMessage2.getHandlerId());
        Assertions.assertEquals("sensinact/mqtt/test", iMqttMessage2.getTopic());
        Assertions.assertEquals("HandlerID", new String(iMqttMessage2.getPayload(), StandardCharsets.UTF_8));
    }
}
