package org.bouncycastle.mail.smime.test;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.KeyPair;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.TimeZone;
import javax.mail.Authenticator;
import javax.mail.Message;
import javax.mail.Session;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeBodyPart;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeMultipart;
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
import junit.textui.TestRunner;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
import org.bouncycastle.i18n.ErrorBundle;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.mail.smime.SMIMESignedGenerator;
import org.bouncycastle.mail.smime.validator.SignedMailValidator;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.x509.PKIXCertPathReviewer;

/* loaded from: input_file:org/bouncycastle/mail/smime/test/SignedMailValidatorTest.class */
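/**
 * JUnit 3 tests for {@link SignedMailValidator}.
 *
 * <p>Most cases load a signed message fixture from the classpath, validate the first signer against
 * the trust anchor in {@link #TEST_TRUST_ACHOR}, and then pin two separate outcomes:
 * {@code isVerifiedSignature()} and {@code isValidSignature()}. Several tests expect the first to be
 * true while the second is false (wrong key usage, no email address, expired, revoked), so callers
 * of the validator must not treat a verified signature as an acceptable one.
 *
 * <p>Fixture streams are closed after use and a missing fixture fails with a message naming the
 * resource, instead of surfacing as an unrelated exception inside the parser.
 */
public class SignedMailValidatorTest extends TestCase {
    // Resource name of the root certificate used as the default trust anchor (identifier spelling kept as is).
    static String TEST_TRUST_ACHOR = "validator.root.crt";
    // Base64 certificate fixture consumed by testMultiEmail.
    static byte[] multiEmailCert = Base64.decode("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");

    /**
     * A 512 bit signing key is reported as a notification, not an error: the result is still valid.
     * Callers that must reject weak keys therefore have to inspect the notifications themselves.
     */
    public void testShortKey() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("validator.shortKey.eml", createDefaultParams());
        assertTrue(result.isValidSignature());
        assertContainsMessage(result.getNotifications(), "SignedMailValidator.shortSigningKey", "Warning: The signing key is only 512 bits long.");
    }

    /** A valid path and a verified signature are still rejected when key usage forbids email signing. */
    public void testKeyUsage() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("validator.keyUsage.eml", createDefaultParams());
        assertTrue(result.isVerifiedSignature());
        assertTrue(result.getCertPathReview().isValidCertPath());
        assertFalse(result.isValidSignature());
        assertContainsMessage(result.getErrors(), "SignedMailValidator.signingNotPermitted", "The key usage extension of signer certificate does not permit using the key for email signatures.");
    }

    /** Every email address carried by the certificate is returned by {@code getEmailAddresses}. */
    public void testMultiEmail() throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(new ByteArrayInputStream(multiEmailCert));
        Set<?> emailAddresses = SignedMailValidator.getEmailAddresses(cert);
        assertTrue(emailAddresses.contains("domain-confidentiality-authority@family-net.ch"));
        // NOTE(review): the expected value below ends with a space. That presumably mirrors what the
        // certificate encodes - confirm, because an untrimmed address will not equal a normalised
        // sender address in any caller that compares the two.
        assertTrue(emailAddresses.contains("domain-confidentiality-authority@bekb.ch "));
    }

    /** Same shape as testKeyUsage, for the extended key usage extension. */
    public void testExtKeyUsage() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("validator.extKeyUsage.eml", createDefaultParams());
        assertTrue(result.isVerifiedSignature());
        assertTrue(result.getCertPathReview().isValidCertPath());
        assertFalse(result.isValidSignature());
        assertContainsMessage(result.getErrors(), "SignedMailValidator.extKeyUsageNotPermitted", "The extended key usage extension of the signer certificate does not permit using the key for email signatures.");
    }

    /** A signer certificate without any email address is not accepted for mail signatures. */
    public void testNoEmail() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("validator.noEmail.eml", createDefaultParams());
        assertTrue(result.isVerifiedSignature());
        assertTrue(result.getCertPathReview().isValidCertPath());
        assertFalse(result.isValidSignature());
        assertContainsMessage(result.getErrors(), "SignedMailValidator.noEmailInCert", "The signer certificate is not usable for email signatures: it contains no email address.");
    }

    /** Signing time before the certificate's notBefore is an error at both validator and path level. */
    public void testNotYetValid() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("validator.notYetValid.eml", createDefaultParams());
        assertTrue(result.isVerifiedSignature());
        assertFalse(result.isValidSignature());
        assertContainsMessage(result.getErrors(), "SignedMailValidator.certNotYetValid", "The message was signed at Aug 28, 2006 3:04:01 PM GMT. But the certificate is not valid before Dec 28, 2006 2:19:31 PM GMT.");
        PKIXCertPathReviewer review = result.getCertPathReview();
        assertFalse(review.isValidCertPath());
        assertContainsMessage(review.getErrors(0), "CertPathReviewer.certificateNotYetValid", "Could not validate the certificate. Certificate is not valid until Dec 28, 2006 2:19:31 PM GMT.");
    }

    /** Signing time after the certificate's expiry is an error at both validator and path level. */
    public void testExpired() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("validator.expired.eml", createDefaultParams());
        assertTrue(result.isVerifiedSignature());
        assertFalse(result.isValidSignature());
        assertContainsMessage(result.getErrors(), "SignedMailValidator.certExpired", "The message was signed at Sep 1, 2006 9:08:35 AM GMT. But the certificate expired at Sep 1, 2006 8:39:20 AM GMT.");
        PKIXCertPathReviewer review = result.getCertPathReview();
        assertFalse(review.isValidCertPath());
        assertContainsMessage(review.getErrors(0), "CertPathReviewer.certificateExpired", "Could not validate the certificate. Certificate expired on Sep 1, 2006 8:39:20 AM GMT.");
    }

    /**
     * The only test that enables revocation checking: with the CRL fixture supplied through a
     * CertStore, the path review reports the certificate as revoked and the signature as not valid.
     */
    public void testRevoked() throws Exception {
        PKIXParameters params = createDefaultParams();
        List<X509CRL> crls = new ArrayList<X509CRL>();
        crls.add(loadCRL("validator.revoked.crl"));
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
        params.setRevocationEnabled(true);
        SignedMailValidator.ValidationResult result = doTest("validator.revoked.eml", params);
        assertTrue(result.isVerifiedSignature());
        assertFalse(result.isValidSignature());
        PKIXCertPathReviewer review = result.getCertPathReview();
        assertFalse(review.isValidCertPath());
        assertContainsMessage(review.getErrors(0), "CertPathReviewer.certRevoked", "The certificate was revoked at Sep 1, 2006 9:30:00 AM GMT. Reason: Key Compromise.");
    }

    /** A very long validity period is a notification only; the signature stays valid. */
    public void testLongValidity() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("validator.longValidity.eml", createDefaultParams());
        assertTrue(result.isVerifiedSignature());
        assertTrue(result.isValidSignature());
        assertContainsMessage(result.getNotifications(), "SignedMailValidator.longValidity", "Warning: The signing certificate has a very long validity period: from Sep 1, 2006 11:00:00 AM GMT until Aug 8, 2106 11:00:00 AM GMT.");
    }

    /**
     * A self-signed certificate that is itself the trust anchor yields a one-element path and a
     * valid signature for a freshly generated message.
     */
    public void testSelfSignedCert() throws Exception {
        MimeBodyPart body = SMIMETestUtil.makeMimeBodyPart("Hello world!\n");
        KeyPair keyPair = CMSTestUtil.makeKeyPair();
        String dn = "CN=Eric H. Echidna, E=eric@bouncycastle.org, O=Bouncy Castle, C=AU";
        X509Certificate selfSigned = CMSTestUtil.makeV1Certificate(keyPair, dn, keyPair, dn);

        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        TrustAnchor anchor = new TrustAnchor(selfSigned, null);
        anchors.add(anchor);
        X509Certificate trustedCert = anchor.getTrustedCert();

        List<CertStore> certStores = new ArrayList<CertStore>();
        List<X509Certificate> storeCerts = new ArrayList<X509Certificate>();
        storeCerts.add(trustedCert);
        certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(storeCerts)));
        assertEquals("path size is not 1", 1, SignedMailValidator.createCertPath(trustedCert, anchors, certStores).getCertificates().size());

        List<X509Certificate> signerCerts = new ArrayList<X509Certificate>();
        signerCerts.add(selfSigned);
        JcaCertStore jcaCertStore = new JcaCertStore(signerCerts);
        SMIMESignedGenerator generator = new SMIMESignedGenerator();
        // SHA1withRSA is what this fixture signs with; SHA-1 is a legacy digest, so read this line as
        // test data for the validator rather than as a template for new signers.
        generator.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC").build("SHA1withRSA", keyPair.getPrivate(), selfSigned));
        generator.addCertificates(jcaCertStore);
        MimeMultipart signed = generator.generate(body);

        MimeMessage message = new MimeMessage(Session.getDefaultInstance(System.getProperties(), (Authenticator) null));
        InternetAddress from = new InternetAddress("\"Eric H. Echidna\"<eric@bouncycastle.org>");
        InternetAddress to = new InternetAddress("example@bouncycastle.org");
        message.setFrom(from);
        message.setRecipient(Message.RecipientType.TO, to);
        message.setContent(signed, signed.getContentType());
        message.saveChanges();

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        SignedMailValidator validator = new SignedMailValidator(message, params);
        assertTrue(firstSignerResult(validator).isValidSignature());
    }

    /** A circular certificate chain must end in an invalid path rather than an endless build. */
    public void testCircular() throws Exception {
        SignedMailValidator.ValidationResult result = doTest("circular.eml", createDefaultParams());
        assertTrue(result.isVerifiedSignature());
        assertFalse(result.isValidSignature());
        assertFalse(result.getCertPathReview().isValidCertPath());
        assertTrue("cert path size", result.getCertPathReview().getCertPathSize() > 2);
    }

    /**
     * The reviewer class passed to the validator is type checked: an unrelated class is refused with
     * an IllegalArgumentException, while {@code DummyCertPathReviewer} is accepted and behaves like
     * the default reviewer for the short-key fixture.
     */
    public void testExtendedReviewer() throws Exception {
        try {
            new SignedMailValidator(loadMessage("validator.shortKey.eml"), createDefaultParams(), String.class);
            fail("a reviewer class that is not a PKIXCertPathReviewer was accepted");
        } catch (IllegalArgumentException e) {
            assertTrue(e.getMessage().startsWith("certPathReviewerClass is not a subclass of"));
        }
        SignedMailValidator validator = new SignedMailValidator(loadMessage("validator.shortKey.eml"), createDefaultParams(), DummyCertPathReviewer.class);
        SignedMailValidator.ValidationResult result = firstSignerResult(validator);
        assertTrue(result.isValidSignature());
        assertContainsMessage(result.getNotifications(), "SignedMailValidator.shortSigningKey", "Warning: The signing key is only 512 bits long.");
    }

    /**
     * Two end-entity certificates under different intermediates each resolve to a three-element
     * path (end, matching intermediate, root), even though both intermediates are in the store.
     */
    public void testCreateCertPath() throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        TrustAnchor anchor = getTrustAnchor("certpath_root.crt");
        anchors.add(anchor);
        X509Certificate root = anchor.getTrustedCert();
        X509Certificate inter1 = loadCert("certpath_inter1.crt");
        X509Certificate inter2 = loadCert("certpath_inter2.crt");
        X509Certificate end1 = loadCert("certpath_end1.crt");
        X509Certificate end2 = loadCert("certpath_end2.crt");

        List<CertStore> certStores = new ArrayList<CertStore>();
        List<X509Certificate> intermediates = new ArrayList<X509Certificate>();
        intermediates.add(inter1);
        intermediates.add(inter2);
        certStores.add(CertStore.getInstance("Collection", new CollectionCertStoreParameters(intermediates)));

        CertPath path1 = SignedMailValidator.createCertPath(end1, anchors, certStores);
        assertEquals("path size is not 3", 3, path1.getCertificates().size());
        assertEquals("different end certificate", end1, path1.getCertificates().get(0));
        assertEquals("different intermediate certificate", inter1, path1.getCertificates().get(1));
        assertEquals("different root certificate", root, path1.getCertificates().get(2));

        CertPath path2 = SignedMailValidator.createCertPath(end2, anchors, certStores);
        assertEquals("path size is not 3", 3, path2.getCertificates().size());
        assertEquals("different end certificate", end2, path2.getCertificates().get(0));
        assertEquals("different intermediate certificate", inter2, path2.getCertificates().get(1));
        assertEquals("different root certificate", root, path2.getCertificates().get(2));
    }

    /**
     * Validates the message fixture {@code str} with the given parameters.
     *
     * @param str classpath resource name of the signed message, relative to this class
     * @param pKIXParameters trust anchors and path-validation settings to use
     * @return the validation result of the first signer found in the message
     */
    private SignedMailValidator.ValidationResult doTest(String str, PKIXParameters pKIXParameters) throws Exception {
        return firstSignerResult(new SignedMailValidator(loadMessage(str), pKIXParameters));
    }

    /** Returns the validation result for the first signer the validator's signer store iterates to. */
    private SignedMailValidator.ValidationResult firstSignerResult(SignedMailValidator validator) throws Exception {
        SignerInformation signer = (SignerInformation) validator.getSignerInformationStore().getSigners().iterator().next();
        return validator.getValidationResult(signer);
    }

    /**
     * Asserts that {@code list} holds an {@link ErrorBundle} with id {@code str} whose English text
     * equals {@code str2}. Only the first bundle with that id is compared.
     *
     * @param list bundles to search (errors or notifications)
     * @param str expected bundle id
     * @param str2 expected message text
     */
    private void assertContainsMessage(List list, String str, String str2) throws Exception {
        for (Iterator it = list.iterator(); it.hasNext();) {
            ErrorBundle bundle = (ErrorBundle) it.next();
            if (bundle.getId().equals(str)) {
                // Fixed locale and time zone keep the rendered dates independent of the host; the
                // replace() folds the long zone name some runtimes emit back to "GMT".
                assertEquals(str2, bundle.getText(Locale.ENGLISH, TimeZone.getTimeZone("GMT")).replace("Greenwich Mean Time", "GMT"));
                return;
            }
        }
        fail("Expected message not found!");
    }

    /**
     * Builds the parameters shared by most tests: one trust anchor, revocation checking off.
     *
     * <p>Revocation is disabled so the fixtures validate without CRLs; testRevoked switches it on
     * explicitly. These settings describe the test fixtures, not a recommended configuration.
     */
    private PKIXParameters createDefaultParams() throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        anchors.add(getTrustAnchor(TEST_TRUST_ACHOR));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        return params;
    }

    /**
     * Loads a certificate and wraps it as a trust anchor, carrying over its name constraints
     * extension (DER encoded) when it has one.
     *
     * @return the anchor, or {@code null} when no certificate could be read from the resource
     */
    private TrustAnchor getTrustAnchor(String str) throws Exception {
        X509Certificate cert = loadCert(str);
        if (cert == null) {
            return null;
        }
        byte[] extensionValue = cert.getExtensionValue(Extension.nameConstraints.getId());
        if (extensionValue == null) {
            return new TrustAnchor(cert, null);
        }
        byte[] nameConstraints = JcaX509ExtensionUtils.parseExtensionValue(extensionValue).toASN1Primitive().getEncoded("DER");
        return new TrustAnchor(cert, nameConstraints);
    }

    /** Opens a classpath resource next to this class, failing the test if it does not exist. */
    private InputStream openResource(String name) {
        InputStream in = getClass().getResourceAsStream(name);
        assertNotNull("test resource not found on classpath: " + name, in);
        return in;
    }

    /** Parses a message fixture into a MimeMessage and closes the underlying stream. */
    private MimeMessage loadMessage(String name) throws Exception {
        InputStream in = openResource(name);
        try {
            // Assumes the constructor reads the whole (non-shared) stream before returning, so it is
            // safe to close here - TODO confirm if fixtures ever come from a SharedInputStream.
            return new MimeMessage(Session.getDefaultInstance(System.getProperties(), (Authenticator) null), in);
        } finally {
            in.close();
        }
    }

    /** Reads an X.509 certificate fixture with the BC provider and closes the stream. */
    private X509Certificate loadCert(String str) throws Exception {
        InputStream in = openResource(str);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Reads an X.509 CRL fixture with the BC provider and closes the stream. */
    private X509CRL loadCRL(String str) throws Exception {
        InputStream in = openResource(str);
        try {
            return (X509CRL) CertificateFactory.getInstance("x.509", "BC").generateCRL(in);
        } finally {
            in.close();
        }
    }

    /** Registers the BC provider once; every test requests it by name. */
    public void setUp() {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** Runs the suite with the JUnit text runner. */
    public static void main(String[] strArr) throws Exception {
        TestRunner.run(suite());
    }

    /** Returns a suite containing every test method of this class. */
    public static Test suite() throws Exception {
        TestSuite testSuite = new TestSuite("SignedMailValidator Tests");
        testSuite.addTestSuite(SignedMailValidatorTest.class);
        return testSuite;
    }
}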
