package org.mule.tests.extensions.fips;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import org.apache.http.util.Asserts;
import org.mule.runtime.extension.api.annotation.param.MediaType;

/* loaded from: input_file:org/mule/tests/extensions/fips/FipsComplianceTestOperations.class */
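/**
 * Operations of the FIPS-compliance test extension. Each operation drives one JCA/JCE service
 * (symmetric and asymmetric key generation, ciphers, digests, MACs, key stores, TLS configuration),
 * checks that the service is backed by the Bouncy Castle FIPS provider ({@value #BCFIPS_PROVIDER_NAME})
 * and that it behaves the way an approved-mode provider should, and returns
 * {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}. Any failed check surfaces as an exception.
 *
 * <p>Nothing here protects real data: keys, IVs and passwords are throwaway values generated per call.
 * Operation parameter names are part of the extension's contract and are kept as-is.
 */
public class FipsComplianceTestOperations {
    public static final String BCFIPS_PROVIDER_NAME = "BCFIPS";
    public static final String THE_PROVIDER_IS_NOT_BCFIPS_ERROR_MESSAGE = "The provider is not BCFIPS";
    public static final String THE_RSA_FACTORY_IS_NULL_ERROR_MESSAGE = "The RSA factory is null";
    public static final String RSA_KEYSTORE_FACTORY_TYPE = "RSA";
    public static final String EC_KEYSTORE_FACTORY_TYPE = "EC";
    public static final String THE_EC_PROVIDER_IS_NULL_ERROR_MESSAGE = "The EC provider is null";
    public static final String SECP_384_R_1_SPEC = "secp384r1";
    public static final String SECP_256_R_1_SPEC = "secp256r1";
    public static final String FAILED_TO_GENERATE_KEY_PAIR_ERROR_MESSAGE = "Failed to generate key pair";
    /** Name of the java.security <em>security</em> property holding the TLS disabled-algorithms list. */
    public static final String JDK_TLS_DISABLED_ALGORITHMS_PROP = "jdk.tls.disabledAlgorithms";
    public static final String DISABLE_SUITES_TEMPLATE_ERROR_MESSAGE = "Disabled cipher suite %s is not honored in %s ";
    public static final String X_509_CERTIFICATE_FACTORY = "X.509";
    public static final String THE_FACTORY_IS_NULL_ERROR_MESSAGE = "The factory is null";
    /** NOTE(review): the text says "SUN" but {@link #testCertificateFactory()} asserts BCFIPS; kept verbatim because callers may match on it. */
    public static final String PROVIDER_ERROR_TEMPLATE_MESSAGE = "The provider is not SUN for the x509 certificate. It is %s";
    /** Provider-specific SecureRandom algorithm names accepted by BCFIPS (presumably; not standard JDK names). */
    public static final String DEFAULT_ALGORITH = "DEFAULT";
    public static final String NONCEANDIV_ALGORITHM = "NONCEANDIV";
    public static final String EXPECTED_TO_GENERATE_SYMMETRIC_KEY_ERROR_MESSAGE = "Expected to generate symmetric key";
    public static final String AES_CIPHER_ALGORITH = "AES/GCM/NoPadding";
    public static final String AES_ALGORITH_KEY_GENERATOR_NAME = "AES";
    public static final String SHA_384 = "SHA-384";
    public static final String SHA_512 = "SHA-512";
    public static final String SHA_3_256 = "SHA3-256";
    public static final String SHA_3_384 = "SHA3-384";
    public static final String SHA_3_512 = "SHA3-512";
    public static final String SHA_256 = "SHA-256";
    public static final String RSA_NONE_OAEPWITH_SHA_1_AND_MGF_1_PADDING = "RSA/NONE/OAEPwithSHA1andMGF1Padding";
    public static final String RSA_NONE_OAEPWITH_SHA_256_AND_MGF_1_PADDING = "RSA/NONE/OAEPwithSHA256andMGF1Padding";
    public static final String TESTING_KEY_WRAP_MODE_FOR_CIPHER_ERROR_MESSAGE = "Testing key wrap mode for cipher ";

    /**
     * Generates symmetric keys of {@code i} bits with algorithm {@code str}, once with the default
     * randomness source and once with each explicit {@link SecureRandom} the provider is expected to accept.
     *
     * @param str JCA key-generator algorithm name (e.g. "AES")
     * @param i   key size in bits; the generated key's encoding must be exactly {@code i / 8} bytes
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws NoSuchAlgorithmException if the algorithm or one of the SecureRandom names is unavailable
     */
    @MediaType(value = "*/*", strict = false)
    public String testKeyGenerator(String str, int i) throws NoSuchAlgorithmException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(str);
        keyGenerator.init(i);
        checkSymmetricKey(keyGenerator.generateKey(), i);
        Asserts.check(keyGenerator.getProvider().getName().equals(BCFIPS_PROVIDER_NAME), "Expected fips provider but was " + keyGenerator.getProvider());
        // Re-initialise with each randomness source in turn; every one must still yield a full-length key.
        keyGenerator.init(i, new SecureRandom());
        checkSymmetricKey(keyGenerator.generateKey(), i);
        keyGenerator.init(i, SecureRandom.getInstance(DEFAULT_ALGORITH));
        checkSymmetricKey(keyGenerator.generateKey(), i);
        keyGenerator.init(i, SecureRandom.getInstance(NONCEANDIV_ALGORITHM));
        checkSymmetricKey(keyGenerator.generateKey(), i);
        keyGenerator.init(i, SecureRandom.getInstance(DEFAULT_ALGORITH));
        checkSymmetricKey(keyGenerator.generateKey(), i);
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /** Fails unless {@code key} is non-null and its raw encoding is exactly {@code bits / 8} bytes long. */
    private static void checkSymmetricKey(SecretKey key, int bits) {
        Asserts.check(key != null && key.getEncoded().length == bits / 8, EXPECTED_TO_GENERATE_SYMMETRIC_KEY_ERROR_MESSAGE);
    }

    /**
     * Generates a 128-bit key with algorithm {@code str} from the explicitly named provider {@code str2}
     * and checks that the provider actually used is BCFIPS.
     *
     * @param str  JCA key-generator algorithm name
     * @param str2 JCA provider name to request
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if the algorithm/provider pair is unavailable or a check fails
     */
    @MediaType(value = "*/*", strict = false)
    public String testProviderKeyGenerator(String str, String str2) throws Exception {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(str, str2);
        keyGenerator.init(128, new SecureRandom());
        checkSymmetricKey(keyGenerator.generateKey(), 128);
        Asserts.check(Objects.equals(keyGenerator.getProvider().getName(), BCFIPS_PROVIDER_NAME), "Expected fips provider but was " + keyGenerator.getProvider());
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Checks that AES/GCM comes from the FIPS provider and can be initialised for encryption with a
     * fresh 256-bit key. Nothing is encrypted.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if the cipher is unavailable, not FIPS-backed, or rejects the parameters
     */
    @MediaType(value = "*/*", strict = false)
    public String testAES() throws Exception {
        Cipher cipher = Cipher.getInstance(AES_CIPHER_ALGORITH);
        FipsComplianceTestUtils.assertFipsProvider(cipher.getProvider());
        KeyGenerator keyGenerator = KeyGenerator.getInstance(AES_ALGORITH_KEY_GENERATOR_NAME);
        keyGenerator.init(256);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        // A 96-bit tag over a 16-byte IV only probes that the provider accepts these parameters. Code that
        // protects real data should prefer a 12-byte IV and a 128-bit tag (NIST SP 800-38D recommendations).
        cipher.init(Cipher.ENCRYPT_MODE, keyGenerator.generateKey(), new GCMParameterSpec(96, iv));
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Checks that the X.509 {@link CertificateFactory} is supplied by BCFIPS.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if the factory is unavailable or not FIPS-backed
     */
    @MediaType(value = "*/*", strict = false)
    public String testCertificateFactory() throws Exception {
        CertificateFactory certificateFactory = CertificateFactory.getInstance(X_509_CERTIFICATE_FACTORY);
        Asserts.check(certificateFactory != null, THE_FACTORY_IS_NULL_ERROR_MESSAGE);
        String providerName = certificateFactory.getProvider().getName();
        Asserts.check(BCFIPS_PROVIDER_NAME.equals(providerName), String.format(PROVIDER_ERROR_TEMPLATE_MESSAGE, providerName));
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Temporarily adds a set of AES-256 suites to {@code jdk.tls.disabledAlgorithms} and checks that a
     * freshly created TLSv1.2 socket does not enable any of them. The previous value of the property is
     * restored on exit because the list is JVM-global and governs every later TLS connection.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws IllegalStateException if one of the suites is still enabled
     * @throws Exception if the TLS context cannot be created
     */
    @MediaType(value = "*/*", strict = false)
    public String testCipherSuiteDisabled() throws Exception {
        String[] suitesToDisable = {"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384"};
        // jdk.tls.disabledAlgorithms is a java.security *security* property, not a system property, so it must
        // be saved through Security.getProperty. Saving System.getProperty (always null here) would restore an
        // empty list on exit and silently re-enable every algorithm the JVM had disabled.
        String previous = Security.getProperty(JDK_TLS_DISABLED_ALGORITHMS_PROP);
        try {
            Security.setProperty(JDK_TLS_DISABLED_ALGORITHMS_PROP, "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, MD5, DSA, RSA keySize < 2048, DES40_CBC, RC4_40, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384");
            // NOTE(review): this assumes the JSSE provider re-reads the property when a context is created.
            // SunJSSE reads it once at class initialisation, so a JVM that already used TLS may ignore the
            // update; confirm the behaviour of the JSSE provider under test.
            SSLContext explicitRandomContext = SSLContext.getInstance("TLSv1.2");
            Asserts.check(explicitRandomContext != null, "Expected to load SSL Context in FIPS mode");
            explicitRandomContext.init(new KeyManager[0], new TrustManager[0], new SecureRandom());
            SSLContext defaultRandomContext = SSLContext.getInstance("TLSv1.2");
            defaultRandomContext.init(new KeyManager[0], new TrustManager[0], null);
            // The socket is never connected; only its enabled-suite list is inspected, so the empty
            // key/trust manager arrays above are harmless.
            try (SSLSocket socket = (SSLSocket) defaultRandomContext.getSocketFactory().createSocket()) {
                HashSet<String> enabledSuites = new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites()));
                for (String suite : suitesToDisable) {
                    if (enabledSuites.contains(suite)) {
                        throw new IllegalStateException(String.format(DISABLE_SUITES_TEMPLATE_ERROR_MESSAGE, suite, enabledSuites));
                    }
                }
            }
            return FipsComplianceTestUtils.ALL_TESTS_PASSED;
        } finally {
            // Security.setProperty rejects null, so a property that was unset can only be restored as empty.
            Security.setProperty(JDK_TLS_DISABLED_ALGORITHMS_PROP, previous != null ? previous : "");
        }
    }

    /**
     * Generates EC key pairs on P-384 (with and without an explicit SecureRandom) and P-256 and checks
     * that the generator is FIPS-backed.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if a curve is unsupported or generation fails
     */
    @MediaType(value = "*/*", strict = false)
    public String testEc() throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(EC_KEYSTORE_FACTORY_TYPE);
        keyPairGenerator.initialize(new ECGenParameterSpec(SECP_384_R_1_SPEC), SecureRandom.getInstance(DEFAULT_ALGORITH));
        Asserts.check(keyPairGenerator.generateKeyPair() != null, FAILED_TO_GENERATE_KEY_PAIR_ERROR_MESSAGE);
        keyPairGenerator.initialize(new ECGenParameterSpec(SECP_384_R_1_SPEC));
        Asserts.check(keyPairGenerator.generateKeyPair() != null, FAILED_TO_GENERATE_KEY_PAIR_ERROR_MESSAGE);
        keyPairGenerator.initialize(new ECGenParameterSpec(SECP_256_R_1_SPEC), new SecureRandom());
        Asserts.check(keyPairGenerator.generateKeyPair() != null, FAILED_TO_GENERATE_KEY_PAIR_ERROR_MESSAGE);
        FipsComplianceTestUtils.assertFipsProvider(keyPairGenerator.getProvider());
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Checks that the RSA {@link KeyFactory} is supplied by BCFIPS.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if the factory is unavailable or not FIPS-backed
     */
    @MediaType(value = "*/*", strict = false)
    public String testRsaKeyFactory() throws Exception {
        KeyFactory keyFactory = KeyFactory.getInstance(RSA_KEYSTORE_FACTORY_TYPE);
        Asserts.check(keyFactory != null, THE_RSA_FACTORY_IS_NULL_ERROR_MESSAGE);
        Asserts.check(BCFIPS_PROVIDER_NAME.equals(keyFactory.getProvider().getName()), THE_PROVIDER_IS_NOT_BCFIPS_ERROR_MESSAGE);
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Checks that the EC {@link KeyFactory} is supplied by BCFIPS.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if the factory is unavailable or not FIPS-backed
     */
    @MediaType(value = "*/*", strict = false)
    public String testEcKeyFactory() throws Exception {
        KeyFactory keyFactory = KeyFactory.getInstance(EC_KEYSTORE_FACTORY_TYPE);
        Asserts.check(keyFactory != null, THE_EC_PROVIDER_IS_NULL_ERROR_MESSAGE);
        Asserts.check(BCFIPS_PROVIDER_NAME.equals(keyFactory.getProvider().getName()), THE_PROVIDER_IS_NOT_BCFIPS_ERROR_MESSAGE);
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Round-trips a fresh AES-256 key through an in-memory BCFKS key store protected by a random
     * password and checks the key read back is byte-identical.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if the store type is unavailable, not FIPS-backed, or the key does not round-trip
     */
    @MediaType(value = "*/*", strict = false)
    public String testKeyStore() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("BCFKS");
        FipsComplianceTestUtils.assertFipsProvider(keyStore.getProvider());
        // Throwaway password: 32 random bytes, Base64-encoded so it is printable.
        byte[] passwordBytes = new byte[32];
        new SecureRandom().nextBytes(passwordBytes);
        char[] password = Base64.getEncoder().encodeToString(passwordBytes).toCharArray();
        KeyGenerator keyGenerator = KeyGenerator.getInstance(AES_ALGORITH_KEY_GENERATOR_NAME);
        keyGenerator.init(256);
        SecretKey originalKey = keyGenerator.generateKey();
        keyStore.load(null, null);
        keyStore.setEntry("somealias", new KeyStore.SecretKeyEntry(originalKey), new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream serialized = new ByteArrayOutputStream(1024);
        keyStore.store(serialized, password);
        KeyStore reloaded = KeyStore.getInstance("BCFKS");
        reloaded.load(new ByteArrayInputStream(serialized.toByteArray()), password);
        FipsComplianceTestUtils.assertFipsProvider(reloaded.getProvider());
        Asserts.check(Arrays.equals(originalKey.getEncoded(), reloaded.getKey("somealias", password).getEncoded()), "Keys are not the same between save and read");
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Checks that the SHA-2 HMAC implementations come from the FIPS provider.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if an algorithm is unavailable or not FIPS-backed
     */
    @MediaType(value = "*/*", strict = false)
    public String testMac() throws Exception {
        for (String algorithm : new String[]{"HMACSHA256", "HMACSHA384", "HMACSHA512"}) {
            FipsComplianceTestUtils.assertFipsProvider(Mac.getInstance(algorithm).getProvider());
        }
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Checks that the SHA-2 and SHA-3 digests come from the FIPS provider.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws Exception if an algorithm is unavailable or not FIPS-backed
     */
    @MediaType(value = "*/*", strict = false)
    public String testMessageDigest() throws Exception {
        for (String algorithm : new String[]{SHA_256, SHA_384, SHA_512, SHA_3_256, SHA_3_384, SHA_3_512}) {
            FipsComplianceTestUtils.assertFipsProvider(MessageDigest.getInstance(algorithm).getProvider());
        }
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }

    /**
     * Expects loading a "PKI-PLAIN" key store with a password to be rejected with
     * {@link IllegalArgumentException}; any other outcome fails the test.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws RuntimeException if the load unexpectedly succeeds
     * @throws Exception for any failure other than IllegalArgumentException
     */
    @MediaType(value = "*/*", strict = false)
    public String testPasswordInput() throws Exception {
        try {
            // NOTE(review): "PKI-PLAIN" is not a standard JDK key-store type; presumably provided by the
            // provider under test. A missing type would surface as KeyStoreException, not IllegalArgumentException.
            KeyStore.getInstance("PKI-PLAIN").load(null, "blah".toCharArray());
            throw new RuntimeException("Invalid password input should fail");
        } catch (IllegalArgumentException expected) {
            return FipsComplianceTestUtils.ALL_TESTS_PASSED;
        }
    }

    /**
     * Generates 2048-bit RSA key pairs, signs random bytes with SHA256withRSA, wraps an AES key with
     * RSA-OAEP (SHA-1 and SHA-256 MGF1 variants), and finally attempts a 512-bit key pair, which an
     * approved-mode provider is expected to refuse.
     *
     * @return {@code FipsComplianceTestUtils.ALL_TESTS_PASSED}
     * @throws IllegalStateException if the 512-bit attempt fails for a reason other than an "unapproved" operation
     * @throws Exception if any earlier step fails
     */
    @MediaType(value = "*/*", strict = false)
    public String testRSA() throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA_KEYSTORE_FACTORY_TYPE);
        keyPairGenerator.initialize(2048, SecureRandom.getInstance(DEFAULT_ALGORITH));
        Asserts.check(keyPairGenerator.generateKeyPair() != null, FAILED_TO_GENERATE_KEY_PAIR_ERROR_MESSAGE);
        FipsComplianceTestUtils.assertFipsProvider(keyPairGenerator.getProvider());
        keyPairGenerator.initialize(2048);
        KeyPair keyPair = keyPairGenerator.generateKeyPair();
        Asserts.check(keyPair != null, FAILED_TO_GENERATE_KEY_PAIR_ERROR_MESSAGE);
        // The same 16 random bytes serve as the message to sign and as a throwaway AES-128 key to wrap.
        byte[] randomBytes = new byte[16];
        new SecureRandom().nextBytes(randomBytes);
        Signature signature = Signature.getInstance("SHA256WithRSA");
        signature.initSign(keyPair.getPrivate());
        signature.update(randomBytes);
        signature.sign();
        for (String transformation : new String[]{RSA_NONE_OAEPWITH_SHA_1_AND_MGF_1_PADDING, RSA_NONE_OAEPWITH_SHA_256_AND_MGF_1_PADDING}) {
            Cipher cipher = Cipher.getInstance(transformation);
            cipher.init(Cipher.WRAP_MODE, keyPair.getPublic());
            cipher.wrap(new SecretKeySpec(randomBytes, AES_ALGORITH_KEY_GENERATOR_NAME));
        }
        try {
            keyPairGenerator.initialize(512);
            keyPairGenerator.generateKeyPair();
            // NOTE(review): reaching here means the provider allowed a 512-bit RSA key and the test still
            // passes; an approved-mode provider is expected to refuse it, so consider failing in this branch.
        } catch (Error e) {
            // Error (not Exception) is caught deliberately: the provider presumably signals unapproved
            // operations with an Error subclass. The message may be null, hence String.valueOf.
            if (!String.valueOf(e.getMessage()).contains("unapproved")) {
                throw new IllegalStateException(e);
            }
        }
        return FipsComplianceTestUtils.ALL_TESTS_PASSED;
    }
}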
