package org.keycloak;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.rule.CryptoInitRule;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/RSAVerifierTest.class */
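/**
 * Exercises RSA-signed JWS verification end to end: the happy path, tokens that carry
 * key material ({@code jwk}, {@code x5c}) in the JWS header, a signature made with the
 * wrong key, {@code nbf}/{@code exp} windows, the caller-verification flag and audience
 * checks.
 *
 * <p>Every verification in this class is performed against the pinned IdP public key
 * that the test itself supplies ({@link #verifySkeletonKeyToken(String)} /
 * {@link #verifyAudience(String, String)}); key material embedded in a token header is
 * only checked for round-trip fidelity, never used as the trust anchor. Subclasses
 * supply the concrete crypto provider through {@link CryptoInitRule}.
 */
public abstract class RSAVerifierTest {

    /** Issuer/realm URL the verifier is configured with; tokens must carry the same value. */
    private static final String REALM_URL = "http://localhost:8080/auth/realm";

    @ClassRule
    public static CryptoInitRule cryptoInitRule = new CryptoInitRule();
    /** Key pair whose public half is the trust anchor for every verification below. */
    private static KeyPair idpPair;
    /** Unrelated key pair; anything signed with it must be rejected. */
    private static KeyPair badPair;
    /** Token under test; re-created before each test so per-test mutations cannot leak. */
    private AccessToken token;

    /** Generates the IdP key pair and an unrelated "attacker" key pair once per class. */
    @BeforeClass
    public static void setupCerts() throws Exception {
        badPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        idpPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
    }

    /** Builds a fresh bearer token with one resource role and the expected issuer. */
    @Before
    public void initTest() {
        this.token = new AccessToken();
        this.token.type("Bearer").subject("CN=Client").issuer(REALM_URL).addAccess("service").addRole("admin");
    }

    @Test
    public void testSimpleVerification() throws Exception {
        String encoded = signWithIdpKey(this.token);
        System.out.print("encoded size: " + encoded.length());
        AccessToken verified = verifySkeletonKeyToken(encoded);
        // Assert on the token the verifier returned, not on the input object.
        Assert.assertTrue(verified.getResourceAccess("service").getRoles().contains("admin"));
        Assert.assertEquals("CN=Client", verified.getSubject());
    }

    @Test
    public void testVerificationWithAddedX5cAndJwk() throws Exception {
        KeyPair rootPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        X509Certificate rootCert = CertificateUtils.generateV1SelfSignedCertificate(rootPair, "root");
        X509Certificate idpCert = CertificateUtils.generateV3Certificate(idpPair, rootPair.getPrivate(), rootCert, "idp");
        JWK idpJwk = JWKBuilder.create().rsa(idpPair.getPublic());
        String encoded = new JWSBuilder()
                .jwk(idpJwk)
                .x5c(Arrays.asList(idpCert, rootCert))
                .jsonContent(this.token)
                .rsa256(idpPair.getPrivate());

        // Verification still uses the pinned IdP key; the header material is not consulted for trust.
        AccessToken verified = verifySkeletonKeyToken(encoded);
        Assert.assertTrue(verified.getResourceAccess("service").getRoles().contains("admin"));
        Assert.assertEquals("CN=Client", verified.getSubject());

        // The header must carry the chain (leaf first) and the JWK exactly as they were put in.
        TokenVerifier<JsonWebToken> parsed = TokenVerifier.create(encoded, JsonWebToken.class);
        List<String> x5c = parsed.getHeader().getX5c();
        Assert.assertEquals(2, x5c.size());
        Assert.assertEquals(Base64.encodeBytes(idpCert.getEncoded()), x5c.get(0));
        Assert.assertEquals(Base64.encodeBytes(rootCert.getEncoded()), x5c.get(1));
        Assert.assertEquals(JsonSerialization.mapper.convertValue(idpJwk, Map.class),
                JsonSerialization.mapper.convertValue(parsed.getHeader().getKey(), Map.class));
    }

    /** Verifies {@code encoded} against the IdP public key and the configured realm URL. */
    private AccessToken verifySkeletonKeyToken(String encoded) throws VerificationException {
        return RSATokenVerifier.verifyToken(encoded, idpPair.getPublic(), REALM_URL);
    }

    /** Signs the given token's JSON body with the IdP private key (RS256). */
    private static String signWithIdpKey(AccessToken payload) {
        return new JWSBuilder().jsonContent(payload).rsa256(idpPair.getPrivate());
    }

    /**
     * Verifies {@code encoded} and fails the test if the verifier accepts it.
     * The rejection reason is printed to aid diagnosis when a negative test starts failing.
     */
    private void assertVerificationFails(String encoded) {
        try {
            verifySkeletonKeyToken(encoded);
        } catch (VerificationException expected) {
            System.out.println(expected.getMessage());
            return;
        }
        Assert.fail("verification unexpectedly succeeded");
    }

    /**
     * Manual benchmark: signs and verifies the same payload 50 000 times and prints the
     * elapsed wall-clock time. Intentionally not annotated with {@code @Test}.
     */
    public void testSpeed() throws Exception {
        byte[] payload = JsonSerialization.writeValueAsBytes(this.token);
        long startMillis = System.currentTimeMillis();
        for (int round = 0; round < 50000; round++) {
            verifySkeletonKeyToken(new JWSBuilder().content(payload).rsa256(idpPair.getPrivate()));
        }
        System.out.println("took: " + (System.currentTimeMillis() - startMillis));
    }

    @Test
    public void testBadSignature() {
        // Signed with a key the verifier does not trust.
        String encoded = new JWSBuilder().jsonContent(this.token).rsa256(badPair.getPrivate());
        assertVerificationFails(encoded);
    }

    @Test
    public void testNotBeforeGood() throws Exception {
        this.token.nbf(Long.valueOf(Time.currentTime() - 100));
        verifySkeletonKeyToken(signWithIdpKey(this.token));
    }

    @Test
    public void testNotBeforeBad() {
        // nbf in the future: the token is not yet valid.
        this.token.nbf(Long.valueOf(Time.currentTime() + 100));
        assertVerificationFails(signWithIdpKey(this.token));
    }

    @Test
    public void testExpirationGood() throws Exception {
        this.token.exp(Long.valueOf(Time.currentTime() + 100));
        verifySkeletonKeyToken(signWithIdpKey(this.token));
    }

    @Test
    public void testExpirationBad() {
        // exp in the past: the token has expired.
        this.token.exp(Long.valueOf(Time.currentTime() - 100));
        assertVerificationFails(signWithIdpKey(this.token));
    }

    @Test
    public void testTokenAuth() {
        // Deliberately built without initTest's defaults: the issuer differs from REALM_URL,
        // no "Bearer" type is set, and verifyCaller is on. Such a token must not verify.
        this.token = new AccessToken();
        this.token.subject("CN=Client").issuer("http://localhost:8080/auth/realms/demo").addAccess("service").addRole("admin").verifyCaller(true);
        this.token.setEmail("bill@jboss.org");
        String encoded = signWithIdpKey(this.token);
        System.out.println("token size: " + encoded.length());
        assertVerificationFails(encoded);
    }

    @Test
    public void testAudience() throws Exception {
        this.token.addAudience("my-app");
        this.token.addAudience("your-app");
        String encoded = signWithIdpKey(this.token);
        verifyAudience(encoded, "my-app");
        verifyAudience(encoded, "your-app");
        assertAudienceRejected(encoded, "other-app");
        // A null expected audience must not match anything either.
        assertAudienceRejected(encoded, null);
    }

    /** Full verification (key, realm URL, audience) of {@code encoded} for one expected audience. */
    private void verifyAudience(String encoded, String expectedAudience) throws VerificationException {
        TokenVerifier.create(encoded, AccessToken.class)
                .publicKey(idpPair.getPublic())
                .realmUrl(REALM_URL)
                .audience(new String[]{expectedAudience})
                .verify();
    }

    /** Fails the test unless {@link #verifyAudience} rejects {@code encoded} for {@code audience}. */
    private void assertAudienceRejected(String encoded, String audience) {
        try {
            verifyAudience(encoded, audience);
        } catch (VerificationException expected) {
            System.out.println(expected.getMessage());
            return;
        }
        Assert.fail("token unexpectedly accepted for audience " + audience);
    }
}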
