package org.forgerock.opendj.security;

import java.security.Key;
import javax.crypto.spec.SecretKeySpec;
import org.assertj.core.api.Assertions;
import org.forgerock.opendj.ldap.ByteSequence;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ByteStringBuilder;
import org.forgerock.opendj.ldap.SdkTestCase;
import org.forgerock.util.Options;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

/* loaded from: input_file:org/forgerock/opendj/security/KeyProtectorTest.class */
public class KeyProtectorTest extends SdkTestCase {
    private static final ByteString PLAIN_KEY_NEEDS_PADDING = ByteString.valueOfUtf8("123456781234");
    private static final ByteString PLAIN_KEY = ByteString.valueOfUtf8("1234567812345678");
    private static final char[] KEYSTORE_PASSWORD = "keystore password".toCharArray();
    private static final char[] KEY_PASSWORD = "key password".toCharArray();
    private static final char[] BAD_PASSWORD = "bad password".toCharArray();
    private static final ExternalKeyWrappingStrategy TEST_STRATEGY = new ExternalKeyWrappingStrategy() { // from class: org.forgerock.opendj.security.KeyProtectorTest.1
        public ByteSequence wrapKey(ByteSequence byteSequence) throws LocalizedKeyStoreException {
            return ByteString.valueOfUtf8(byteSequence.toBase64String());
        }

        public ByteSequence unwrapKey(ByteSequence byteSequence) throws LocalizedKeyStoreException {
            return ByteString.valueOfBase64(byteSequence.toString());
        }
    };

    @BeforeClass
    public void sanityCheckTestFramework() throws Exception {
        Assertions.assertThat(encodedKeyIsEncrypted(PLAIN_KEY)).isFalse();
        Assertions.assertThat(encodedKeyIsEncrypted(new ByteStringBuilder().appendBytes(PLAIN_KEY).appendUtf8("tail").toByteString())).isFalse();
        Assertions.assertThat(encodedKeyIsEncrypted(new ByteStringBuilder().appendUtf8("head").appendBytes(PLAIN_KEY).toByteString())).isFalse();
        Assertions.assertThat(encodedKeyIsEncrypted(new ByteStringBuilder().appendUtf8("head").appendBytes(PLAIN_KEY).appendUtf8("tail").toByteString())).isFalse();
        Assertions.assertThat(encodedKeyIsEncrypted(ByteString.valueOfUtf8("different"))).isTrue();
    }

    @Test
    public void shouldEncodeAndDecodeWithNoProtection() throws Exception {
        KeyProtector keyProtector = new KeyProtector(Options.defaultOptions());
        ByteString encodeKey = keyProtector.encodeKey(secretKey(PLAIN_KEY), (char[]) null);
        Assertions.assertThat(encodeKey).isNotEqualTo(PLAIN_KEY);
        Assertions.assertThat(encodedKeyIsEncrypted(encodeKey)).isFalse();
        Assertions.assertThat(keyProtector.decodeSecretKey(encodeKey, "RAW", (char[]) null).getEncoded()).isEqualTo(PLAIN_KEY.toByteArray());
    }

    @Test
    public void shouldEncodeAndDecodeWithIndividualPassword() throws Exception {
        shouldEncodeAndDecodeAndBeEncrypted(new KeyProtector(Options.defaultOptions()), KEY_PASSWORD);
    }

    @Test
    public void shouldEncodeAndDecodeWithKeyStorePasswordOnly() throws Exception {
        shouldEncodeAndDecodeAndBeEncrypted(forPasswordProtectedKeyStore(KEYSTORE_PASSWORD), null);
    }

    private static KeyProtector forPasswordProtectedKeyStore(char[] cArr) {
        return new KeyProtector(Options.defaultOptions().set(KeyStoreParameters.GLOBAL_PASSWORD, OpenDJProvider.newClearTextPasswordFactory(cArr)));
    }

    @Test
    public void shouldEncodeAndDecodeWithKeyStorePasswordAndIndividualPassword() throws Exception {
        shouldEncodeAndDecodeAndBeEncrypted(forPasswordProtectedKeyStore(KEYSTORE_PASSWORD), KEY_PASSWORD);
    }

    private static KeyProtector forExternallyProtectedKeyStore() {
        return new KeyProtector(Options.defaultOptions().set(KeyStoreParameters.EXTERNAL_KEY_WRAPPING_STRATEGY, TEST_STRATEGY));
    }

    @Test
    public void shouldEncodeAndDecodeWithExternalMechanismOnly() throws Exception {
        shouldEncodeAndDecodeAndBeEncrypted(forExternallyProtectedKeyStore(), null);
    }

    @Test
    public void shouldEncodeAndDecodeWithExternalMechanismAndIndividualPassword() throws Exception {
        shouldEncodeAndDecodeAndBeEncrypted(forExternallyProtectedKeyStore(), KEY_PASSWORD);
    }

    @Test(expectedExceptions = {LocalizedKeyStoreException.class})
    public void shouldFailWhenDecodeWithWrongIndividualPassword() throws Exception {
        forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).decodeSecretKey(forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).encodeKey(secretKey(PLAIN_KEY), KEY_PASSWORD), "RAW", BAD_PASSWORD);
    }

    @Test(expectedExceptions = {LocalizedKeyStoreException.class})
    public void shouldFailWhenDecodeWithWrongKeyStorePassword() throws Exception {
        forPasswordProtectedKeyStore(BAD_PASSWORD).decodeSecretKey(forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).encodeKey(secretKey(PLAIN_KEY), KEY_PASSWORD), "RAW", KEY_PASSWORD);
    }

    @Test(expectedExceptions = {LocalizedKeyStoreException.class})
    public void shouldFailWhenDecodeWithMissingKeyStorePassword() throws Exception {
        forPasswordProtectedKeyStore(null).decodeSecretKey(forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).encodeKey(secretKey(PLAIN_KEY), KEY_PASSWORD), "RAW", KEY_PASSWORD);
    }

    @Test(expectedExceptions = {LocalizedKeyStoreException.class})
    public void shouldFailWhenDecodeWithMissingIndividualPassword() throws Exception {
        forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).decodeSecretKey(forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).encodeKey(secretKey(PLAIN_KEY), KEY_PASSWORD), "RAW", (char[]) null);
    }

    @Test(expectedExceptions = {LocalizedKeyStoreException.class})
    public void shouldFailWhenDecodeWithMissingPasswords() throws Exception {
        forPasswordProtectedKeyStore(null).decodeSecretKey(forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).encodeKey(secretKey(PLAIN_KEY), KEY_PASSWORD), "RAW", (char[]) null);
    }

    @Test(expectedExceptions = {LocalizedKeyStoreException.class})
    public void shouldFailWhenDecodeWithMalformedEncodedKey() throws Exception {
        forPasswordProtectedKeyStore(KEYSTORE_PASSWORD).decodeSecretKey(ByteString.valueOfUtf8("malformed encoded key"), "RAW", KEY_PASSWORD);
    }

    @Test
    public void shouldEncodeAndDecodeKeysThatNeedPadding() throws Exception {
        KeyProtector forPasswordProtectedKeyStore = forPasswordProtectedKeyStore(KEYSTORE_PASSWORD);
        ByteString encodeKey = forPasswordProtectedKeyStore.encodeKey(secretKey(PLAIN_KEY_NEEDS_PADDING), KEY_PASSWORD);
        Assertions.assertThat(encodeKey).isNotEqualTo(PLAIN_KEY_NEEDS_PADDING);
        Assertions.assertThat(forPasswordProtectedKeyStore.decodeSecretKey(encodeKey, "RAW", KEY_PASSWORD).getEncoded()).isEqualTo(PLAIN_KEY_NEEDS_PADDING.toByteArray());
    }

    @Test
    public void shouldEncodeAndDecodePrivateKeys() throws Exception {
        KeyProtector forPasswordProtectedKeyStore = forPasswordProtectedKeyStore(KEYSTORE_PASSWORD);
        ByteString encodeKey = forPasswordProtectedKeyStore.encodeKey(KeyStoreTestUtils.PRIVATE_KEY, KEY_PASSWORD);
        Assertions.assertThat(encodeKey).isNotEqualTo(ByteString.wrap(KeyStoreTestUtils.PRIVATE_KEY.getEncoded()));
        Assertions.assertThat(forPasswordProtectedKeyStore.decodePrivateKey(encodeKey, "RSA", KEY_PASSWORD).getEncoded()).isEqualTo(KeyStoreTestUtils.PRIVATE_KEY.getEncoded());
    }

    private void shouldEncodeAndDecodeAndBeEncrypted(KeyProtector keyProtector, char[] cArr) throws Exception {
        ByteString encodeKey = keyProtector.encodeKey(secretKey(PLAIN_KEY), cArr);
        Assertions.assertThat(encodeKey).isNotEqualTo(PLAIN_KEY);
        Assertions.assertThat(encodedKeyIsEncrypted(encodeKey)).isTrue();
        Assertions.assertThat(keyProtector.decodeSecretKey(encodeKey, "RAW", cArr).getEncoded()).isEqualTo(PLAIN_KEY.toByteArray());
    }

    private boolean encodedKeyIsEncrypted(ByteString byteString) {
        int length = byteString.length() - PLAIN_KEY.length();
        for (int i = 0; i <= length; i++) {
            if (byteString.subSequence(i, i + PLAIN_KEY.length()).equals(PLAIN_KEY)) {
                return false;
            }
        }
        return true;
    }

    private static Key secretKey(ByteString byteString) {
        return new SecretKeySpec(byteString.toByteArray(), "RAW");
    }
}
