package org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.server.quorum;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.InetSocketAddress;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLServerSocketFactory;
import org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.PortAssignment;
import org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.common.QuorumX509Util;
import org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.common.X509Util;
import org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.server.ServerCnxnFactory;
import org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.server.quorum.QuorumPeerTestBase;
import org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.test.ClientBase;
import org.apache.pulsar.functions.runtime.shaded.org.junit.After;
import org.apache.pulsar.functions.runtime.shaded.org.junit.Assert;
import org.apache.pulsar.functions.runtime.shaded.org.junit.Before;
import org.apache.pulsar.functions.runtime.shaded.org.junit.Rule;
import org.apache.pulsar.functions.runtime.shaded.org.junit.Test;
import org.apache.pulsar.functions.runtime.shaded.org.junit.rules.Timeout;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.CRLNumber;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.X509CRLHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.bc.BcX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v2CRLBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import org.bouncycastle.cert.ocsp.Req;
import org.bouncycastle.cert.ocsp.UnknownStatus;
import org.bouncycastle.cert.ocsp.jcajce.JcaBasicOCSPRespBuilder;
import org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID;
import org.bouncycastle.crypto.util.PublicKeyFactory;
import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.MiscPEMGenerator;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.OperatorException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.io.pem.PemWriter;

/* loaded from: input_file:org/apache/pulsar/functions/runtime/shaded/org/apache/zookeeper/server/quorum/QuorumSSLTest.class */
public class QuorumSSLTest extends QuorumPeerTestBase {
    private static final String SSL_QUORUM_ENABLED = "sslQuorum=true\n";
    private static final String PORT_UNIFICATION_ENABLED = "portUnification=true\n";
    private static final String PORT_UNIFICATION_DISABLED = "portUnification=false\n";
    private static final char[] PASSWORD = "testpass".toCharArray();
    private static final String HOSTNAME = "localhost";
    private QuorumX509Util quorumX509Util;
    private QuorumPeerTestBase.MainThread q1;
    private QuorumPeerTestBase.MainThread q2;
    private QuorumPeerTestBase.MainThread q3;
    private int clientPortQp1;
    private int clientPortQp2;
    private int clientPortQp3;
    private String tmpDir;
    private String quorumConfiguration;
    private String validKeystorePath;
    private String truststorePath;
    private KeyPair rootKeyPair;
    private X509Certificate rootCertificate;
    private KeyPair defaultKeyPair;
    private ContentSigner contentSigner;
    private Date certStartTime;
    private Date certEndTime;

    @Rule
    public Timeout timeout = Timeout.builder().withTimeout(5, TimeUnit.MINUTES).withLookingForStuckThread(true).build();

    /* loaded from: input_file:org/apache/pulsar/functions/runtime/shaded/org/apache/zookeeper/server/quorum/QuorumSSLTest$OCSPHandler.class */
    private class OCSPHandler implements HttpHandler {
        private X509Certificate revokedCert;

        public OCSPHandler(X509Certificate x509Certificate) {
            this.revokedCert = x509Certificate;
        }

        public void handle(HttpExchange httpExchange) throws IOException {
            byte[] encoded;
            try {
                byte[] bArr = new byte[10000];
                httpExchange.getRequestBody().read(bArr);
                Req[] requestList = new OCSPReq(bArr).getRequestList();
                DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
                JcaBasicOCSPRespBuilder jcaBasicOCSPRespBuilder = new JcaBasicOCSPRespBuilder(QuorumSSLTest.this.rootKeyPair.getPublic(), digestCalculator);
                for (Req req : requestList) {
                    CertificateID certID = req.getCertID();
                    jcaBasicOCSPRespBuilder.addResponse(certID, new JcaCertificateID(digestCalculator, QuorumSSLTest.this.rootCertificate, this.revokedCert.getSerialNumber()).equals(certID) ? new UnknownStatus() : CertificateStatus.GOOD, null);
                }
                encoded = new OCSPRespBuilder().build(0, jcaBasicOCSPRespBuilder.build(new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(QuorumSSLTest.this.rootKeyPair.getPrivate()), new X509CertificateHolder[]{new JcaX509CertificateHolder(QuorumSSLTest.this.rootCertificate)}, Calendar.getInstance().getTime())).getEncoded();
            } catch (CertificateEncodingException | OCSPException | OperatorException e) {
                encoded = new OCSPResp(new OCSPResponse(new OCSPResponseStatus(2), null)).getEncoded();
            }
            httpExchange.getResponseHeaders().set("Content-Type", "application/ocsp-response");
            httpExchange.sendResponseHeaders(200, encoded.length);
            OutputStream responseBody = httpExchange.getResponseBody();
            responseBody.write(encoded);
            responseBody.close();
        }
    }

    @Before
    public void setup() throws Exception {
        this.quorumX509Util = new QuorumX509Util();
        ClientBase.setupTestEnv();
        this.tmpDir = ClientBase.createTmpDir().getAbsolutePath();
        this.clientPortQp1 = PortAssignment.unique();
        this.clientPortQp2 = PortAssignment.unique();
        this.clientPortQp3 = PortAssignment.unique();
        this.validKeystorePath = this.tmpDir + "/valid.jks";
        this.truststorePath = this.tmpDir + "/truststore.jks";
        this.quorumConfiguration = generateQuorumConfiguration();
        Security.addProvider(new BouncyCastleProvider());
        this.certStartTime = new Date();
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(this.certStartTime);
        calendar.add(1, 1);
        this.certEndTime = calendar.getTime();
        this.rootKeyPair = createKeyPair();
        this.contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(this.rootKeyPair.getPrivate());
        this.rootCertificate = createSelfSignedCertifcate(this.rootKeyPair);
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, PASSWORD);
        keyStore.setCertificateEntry(this.rootCertificate.getSubjectDN().toString(), this.rootCertificate);
        FileOutputStream fileOutputStream = new FileOutputStream(this.truststorePath);
        keyStore.store(fileOutputStream, PASSWORD);
        fileOutputStream.flush();
        fileOutputStream.close();
        this.defaultKeyPair = createKeyPair();
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "localhost", "127.0.0.1", null, null), this.defaultKeyPair, this.validKeystorePath);
        setSSLSystemProperties();
    }

    private void writeKeystore(X509Certificate x509Certificate, KeyPair keyPair, String str) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, PASSWORD);
        keyStore.setKeyEntry("alias", keyPair.getPrivate(), PASSWORD, new Certificate[]{x509Certificate});
        FileOutputStream fileOutputStream = new FileOutputStream(str);
        keyStore.store(fileOutputStream, PASSWORD);
        fileOutputStream.flush();
        fileOutputStream.close();
    }

    private X509Certificate createSelfSignedCertifcate(KeyPair keyPair) throws Exception {
        X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
        x500NameBuilder.addRDN(BCStyle.CN, "localhost");
        return new JcaX509CertificateConverter().getCertificate(new JcaX509v3CertificateBuilder(x500NameBuilder.build(), new BigInteger(128, new Random()), this.certStartTime, this.certEndTime, x500NameBuilder.build(), keyPair.getPublic()).addExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(0)).addExtension(Extension.keyUsage, true, (ASN1Encodable) new KeyUsage(134)).build(this.contentSigner));
    }

    private void buildCRL(X509Certificate x509Certificate, String str) throws Exception {
        JcaX509v2CRLBuilder jcaX509v2CRLBuilder = new JcaX509v2CRLBuilder(x509Certificate.getIssuerX500Principal(), this.certStartTime);
        jcaX509v2CRLBuilder.addCRLEntry(x509Certificate.getSerialNumber(), this.certStartTime, 2);
        jcaX509v2CRLBuilder.setNextUpdate(this.certEndTime);
        jcaX509v2CRLBuilder.addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(this.rootCertificate));
        jcaX509v2CRLBuilder.addExtension(Extension.cRLNumber, false, (ASN1Encodable) new CRLNumber(new BigInteger("1000")));
        X509CRLHolder build = jcaX509v2CRLBuilder.build(this.contentSigner);
        PemWriter pemWriter = new PemWriter(new FileWriter(str));
        pemWriter.writeObject(new MiscPEMGenerator(build));
        pemWriter.flush();
        pemWriter.close();
    }

    public X509Certificate buildEndEntityCert(KeyPair keyPair, X509Certificate x509Certificate, PrivateKey privateKey, String str, String str2, String str3, Integer num) throws Exception {
        JcaX509CertificateHolder jcaX509CertificateHolder = new JcaX509CertificateHolder(x509Certificate);
        ContentSigner build = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(privateKey);
        ArrayList arrayList = new ArrayList();
        if (str != null) {
            arrayList.add(new GeneralName(2, str));
        }
        if (str2 != null) {
            arrayList.add(new GeneralName(7, str2));
        }
        SubjectPublicKeyInfo createSubjectPublicKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(PublicKeyFactory.createKey(keyPair.getPublic().getEncoded()));
        BcX509ExtensionUtils bcX509ExtensionUtils = new BcX509ExtensionUtils();
        X509v3CertificateBuilder addExtension = new JcaX509v3CertificateBuilder(jcaX509CertificateHolder.getSubject(), new BigInteger(128, new Random()), this.certStartTime, this.certEndTime, new X500Name("CN=Test End Entity Certificate"), keyPair.getPublic()).addExtension(Extension.authorityKeyIdentifier, false, (ASN1Encodable) bcX509ExtensionUtils.createAuthorityKeyIdentifier(jcaX509CertificateHolder)).addExtension(Extension.subjectKeyIdentifier, false, (ASN1Encodable) bcX509ExtensionUtils.createSubjectKeyIdentifier(createSubjectPublicKeyInfo)).addExtension(Extension.basicConstraints, true, (ASN1Encodable) new BasicConstraints(false)).addExtension(Extension.keyUsage, true, (ASN1Encodable) new KeyUsage(160));
        if (!arrayList.isEmpty()) {
            addExtension.addExtension(Extension.subjectAlternativeName, true, (ASN1Encodable) new GeneralNames((GeneralName[]) arrayList.toArray(new GeneralName[0])));
        }
        if (str3 != null) {
            addExtension.addExtension(Extension.cRLDistributionPoints, false, (ASN1Encodable) new CRLDistPoint(new DistributionPoint[]{new DistributionPoint(new DistributionPointName(new GeneralNames(new GeneralName(6, "file://" + str3))), null, null)}));
        }
        if (num != null) {
            addExtension.addExtension(Extension.authorityInfoAccess, false, (ASN1Encodable) new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, new GeneralName(6, "http://" + str + ":" + num)));
        }
        return new JcaX509CertificateConverter().getCertificate(addExtension.build(build));
    }

    private KeyPair createKeyPair() throws NoSuchProviderException, NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
        keyPairGenerator.initialize(4096);
        return keyPairGenerator.genKeyPair();
    }

    private String generateQuorumConfiguration() {
        StringBuilder sb = new StringBuilder();
        int unique = PortAssignment.unique();
        int unique2 = PortAssignment.unique();
        int unique3 = PortAssignment.unique();
        int unique4 = PortAssignment.unique();
        int unique5 = PortAssignment.unique();
        int unique6 = PortAssignment.unique();
        sb.append(String.format("server.1=127.0.0.1:%d:%d;%d\n", Integer.valueOf(unique), Integer.valueOf(unique4), Integer.valueOf(this.clientPortQp1)));
        sb.append(String.format("server.2=127.0.0.1:%d:%d;%d\n", Integer.valueOf(unique2), Integer.valueOf(unique5), Integer.valueOf(this.clientPortQp2)));
        sb.append(String.format("server.3=127.0.0.1:%d:%d;%d\n", Integer.valueOf(unique3), Integer.valueOf(unique6), Integer.valueOf(this.clientPortQp3)));
        return sb.toString();
    }

    private String generateMultiAddressQuorumConfiguration() {
        StringBuilder sb = new StringBuilder();
        int unique = PortAssignment.unique();
        int unique2 = PortAssignment.unique();
        int unique3 = PortAssignment.unique();
        int unique4 = PortAssignment.unique();
        int unique5 = PortAssignment.unique();
        int unique6 = PortAssignment.unique();
        int unique7 = PortAssignment.unique();
        int unique8 = PortAssignment.unique();
        int unique9 = PortAssignment.unique();
        int unique10 = PortAssignment.unique();
        int unique11 = PortAssignment.unique();
        int unique12 = PortAssignment.unique();
        sb.append(String.format("server.1=127.0.0.1:%d:%d|127.0.0.1:%d:%d;%d\n", Integer.valueOf(unique), Integer.valueOf(unique7), Integer.valueOf(unique2), Integer.valueOf(unique8), Integer.valueOf(this.clientPortQp1)));
        sb.append(String.format("server.2=127.0.0.1:%d:%d|127.0.0.1:%d:%d;%d\n", Integer.valueOf(unique3), Integer.valueOf(unique9), Integer.valueOf(unique4), Integer.valueOf(unique10), Integer.valueOf(this.clientPortQp2)));
        sb.append(String.format("server.3=127.0.0.1:%d:%d|127.0.0.1:%d:%d;%d\n", Integer.valueOf(unique5), Integer.valueOf(unique11), Integer.valueOf(unique6), Integer.valueOf(unique12), Integer.valueOf(this.clientPortQp3)));
        return sb.toString();
    }

    public void setSSLSystemProperties() {
        System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.server.NettyServerCnxnFactory");
        System.setProperty("zookeeper.clientCnxnSocket", "org.apache.pulsar.functions.runtime.shaded.org.apache.zookeeper.ClientCnxnSocketNetty");
        System.setProperty(this.quorumX509Util.getSslKeystoreLocationProperty(), this.validKeystorePath);
        System.setProperty(this.quorumX509Util.getSslKeystorePasswdProperty(), "testpass");
        System.setProperty(this.quorumX509Util.getSslTruststoreLocationProperty(), this.truststorePath);
        System.setProperty(this.quorumX509Util.getSslTruststorePasswdProperty(), "testpass");
    }

    @After
    public void cleanUp() throws Exception {
        System.clearProperty(QuorumPeer.CONFIG_KEY_MULTI_ADDRESS_ENABLED);
        clearSSLSystemProperties();
        if (this.q1 != null) {
            this.q1.shutdown();
        }
        if (this.q2 != null) {
            this.q2.shutdown();
        }
        if (this.q3 != null) {
            this.q3.shutdown();
        }
        Security.removeProvider("BC");
        this.quorumX509Util.close();
    }

    private void clearSSLSystemProperties() {
        System.clearProperty(this.quorumX509Util.getSslKeystoreLocationProperty());
        System.clearProperty(this.quorumX509Util.getSslKeystorePasswdProperty());
        System.clearProperty(this.quorumX509Util.getSslTruststoreLocationProperty());
        System.clearProperty(this.quorumX509Util.getSslTruststorePasswdProperty());
        System.clearProperty(this.quorumX509Util.getSslHostnameVerificationEnabledProperty());
        System.clearProperty(this.quorumX509Util.getSslOcspEnabledProperty());
        System.clearProperty(this.quorumX509Util.getSslCrlEnabledProperty());
        System.clearProperty(this.quorumX509Util.getCipherSuitesProperty());
        System.clearProperty(this.quorumX509Util.getSslProtocolProperty());
    }

    @Test
    public void testQuorumSSL() throws Exception {
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        clearSSLSystemProperties();
        this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration);
        this.q3.start();
        Assert.assertFalse(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
    }

    @Test
    public void testQuorumSSLWithMultipleAddresses() throws Exception {
        System.setProperty(QuorumPeer.CONFIG_KEY_MULTI_ADDRESS_ENABLED, "true");
        this.quorumConfiguration = generateMultiAddressQuorumConfiguration();
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        clearSSLSystemProperties();
        this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration);
        this.q3.start();
        Assert.assertFalse(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
    }

    @Test
    public void testRollingUpgrade() throws Exception {
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration);
        this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration);
        HashMap hashMap = new HashMap();
        hashMap.put(Integer.valueOf(this.clientPortQp1), this.q1);
        hashMap.put(Integer.valueOf(this.clientPortQp2), this.q2);
        hashMap.put(Integer.valueOf(this.clientPortQp3), this.q3);
        Iterator<QuorumPeerTestBase.MainThread> it = hashMap.values().iterator();
        while (it.hasNext()) {
            it.next().start();
        }
        Iterator<Integer> it2 = hashMap.keySet().iterator();
        while (it2.hasNext()) {
            Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + it2.next().intValue(), ClientBase.CONNECTION_TIMEOUT));
        }
        setSSLSystemProperties();
        stopAppendConfigRestartAll(hashMap, PORT_UNIFICATION_ENABLED);
        stopAppendConfigRestartAll(hashMap, SSL_QUORUM_ENABLED);
        stopAppendConfigRestartAll(hashMap, PORT_UNIFICATION_DISABLED);
    }

    private void stopAppendConfigRestartAll(Map<Integer, QuorumPeerTestBase.MainThread> map, String str) throws Exception {
        for (Map.Entry<Integer, QuorumPeerTestBase.MainThread> entry : map.entrySet()) {
            int intValue = entry.getKey().intValue();
            QuorumPeerTestBase.MainThread value = entry.getValue();
            value.shutdown();
            Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + intValue, ClientBase.CONNECTION_TIMEOUT));
            FileWriter fileWriter = new FileWriter(value.getConfFile(), true);
            fileWriter.write(str);
            fileWriter.flush();
            fileWriter.close();
            value.start();
            Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + intValue, ClientBase.CONNECTION_TIMEOUT));
        }
    }

    @Test
    public void testHostnameVerificationWithInvalidHostname() throws Exception {
        String str = this.tmpDir + "/badhost.jks";
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "bleepbloop", null, null, null), this.defaultKeyPair, str);
        testHostnameVerification(str, false);
    }

    @Test
    public void testHostnameVerificationWithInvalidIPAddress() throws Exception {
        String str = this.tmpDir + "/badhost.jks";
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), null, "140.211.11.105", null, null), this.defaultKeyPair, str);
        testHostnameVerification(str, false);
    }

    @Test
    public void testHostnameVerificationWithInvalidIpAddressAndInvalidHostname() throws Exception {
        String str = this.tmpDir + "/badhost.jks";
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "bleepbloop", "140.211.11.105", null, null), this.defaultKeyPair, str);
        testHostnameVerification(str, false);
    }

    @Test
    public void testHostnameVerificationForInvalidMultiAddressServerConfig() throws Exception {
        System.setProperty(QuorumPeer.CONFIG_KEY_MULTI_ADDRESS_ENABLED, "true");
        this.quorumConfiguration = generateMultiAddressQuorumConfiguration();
        String str = this.tmpDir + "/badhost.jks";
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "bleepbloop", "140.211.11.105", null, null), this.defaultKeyPair, str);
        testHostnameVerification(str, false);
    }

    @Test
    public void testHostnameVerificationWithInvalidIpAddressAndValidHostname() throws Exception {
        String str = this.tmpDir + "/badhost.jks";
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "localhost", "140.211.11.105", null, null), this.defaultKeyPair, str);
        testHostnameVerification(str, true);
    }

    @Test
    public void testHostnameVerificationWithValidIpAddressAndInvalidHostname() throws Exception {
        String str = this.tmpDir + "/badhost.jks";
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "bleepbloop", "127.0.0.1", null, null), this.defaultKeyPair, str);
        testHostnameVerification(str, true);
    }

    private void testHostnameVerification(String str, boolean z) throws Exception {
        System.setProperty(this.quorumX509Util.getSslHostnameVerificationEnabledProperty(), "false");
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        System.setProperty(this.quorumX509Util.getSslKeystoreLocationProperty(), str);
        this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q3.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
        this.q1.shutdown();
        this.q2.shutdown();
        this.q3.shutdown();
        Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
        setSSLSystemProperties();
        System.clearProperty(this.quorumX509Util.getSslHostnameVerificationEnabledProperty());
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        System.setProperty(this.quorumX509Util.getSslKeystoreLocationProperty(), str);
        this.q3.start();
        Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT)));
    }

    @Test
    public void testCertificateRevocationList() throws Exception {
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        String str = this.tmpDir + "/crl_revoked.jks";
        String str2 = this.tmpDir + "/crl.pem";
        X509Certificate buildEndEntityCert = buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "localhost", null, str2, null);
        writeKeystore(buildEndEntityCert, this.defaultKeyPair, str);
        buildCRL(buildEndEntityCert, str2);
        System.setProperty(this.quorumX509Util.getSslKeystoreLocationProperty(), str);
        this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q3.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
        this.q1.shutdown();
        this.q2.shutdown();
        this.q3.shutdown();
        Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
        setSSLSystemProperties();
        System.setProperty(this.quorumX509Util.getSslCrlEnabledProperty(), "true");
        writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "localhost", null, str2, null), this.defaultKeyPair, this.validKeystorePath);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        System.setProperty(this.quorumX509Util.getSslKeystoreLocationProperty(), str);
        this.q3.start();
        Assert.assertFalse(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
    }

    @Test
    public void testOCSP() throws Exception {
        Integer valueOf = Integer.valueOf(PortAssignment.unique());
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        String str = this.tmpDir + "/ocsp_revoked.jks";
        X509Certificate buildEndEntityCert = buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "localhost", null, null, valueOf);
        writeKeystore(buildEndEntityCert, this.defaultKeyPair, str);
        HttpServer create = HttpServer.create(new InetSocketAddress(valueOf.intValue()), 0);
        try {
            create.createContext("/", new OCSPHandler(buildEndEntityCert));
            create.start();
            System.setProperty(this.quorumX509Util.getSslKeystoreLocationProperty(), str);
            this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration, SSL_QUORUM_ENABLED);
            this.q3.start();
            Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
            this.q1.shutdown();
            this.q2.shutdown();
            this.q3.shutdown();
            Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
            Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
            Assert.assertTrue(ClientBase.waitForServerDown("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
            setSSLSystemProperties();
            System.setProperty(this.quorumX509Util.getSslOcspEnabledProperty(), "true");
            writeKeystore(buildEndEntityCert(this.defaultKeyPair, this.rootCertificate, this.rootKeyPair.getPrivate(), "localhost", null, null, valueOf), this.defaultKeyPair, this.validKeystorePath);
            this.q1.start();
            this.q2.start();
            Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
            Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
            System.setProperty(this.quorumX509Util.getSslKeystoreLocationProperty(), str);
            this.q3.start();
            Assert.assertFalse(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
            create.stop(0);
        } catch (Throwable th) {
            create.stop(0);
            throw th;
        }
    }

    @Test
    public void testCipherSuites() throws Exception {
        SSLServerSocketFactory sSLServerSocketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        ArrayList arrayList = new ArrayList();
        for (String str : sSLServerSocketFactory.getDefaultCipherSuites()) {
            if (!str.matches(".*EMPTY.*") && str.startsWith("TLS") && str.contains("RSA")) {
                arrayList.add(str);
            }
        }
        if (arrayList.size() < 2) {
            Assert.fail("JDK has to support at least 2 valid (RSA) cipher suites for this test to run");
        }
        System.setProperty(this.quorumX509Util.getCipherSuitesProperty(), String.join(",", arrayList.subList(1, arrayList.size())));
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        System.setProperty(this.quorumX509Util.getCipherSuitesProperty(), (String) arrayList.get(0));
        this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q3.start();
        Assert.assertFalse(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
    }

    @Test
    public void testProtocolVersion() throws Exception {
        System.setProperty(this.quorumX509Util.getSslProtocolProperty(), X509Util.DEFAULT_PROTOCOL);
        this.q1 = new QuorumPeerTestBase.MainThread(1, this.clientPortQp1, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q2 = new QuorumPeerTestBase.MainThread(2, this.clientPortQp2, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q1.start();
        this.q2.start();
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp1, ClientBase.CONNECTION_TIMEOUT));
        Assert.assertTrue(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp2, ClientBase.CONNECTION_TIMEOUT));
        System.setProperty(this.quorumX509Util.getSslProtocolProperty(), "TLSv1.1");
        this.q3 = new QuorumPeerTestBase.MainThread(3, this.clientPortQp3, this.quorumConfiguration, SSL_QUORUM_ENABLED);
        this.q3.start();
        Assert.assertFalse(ClientBase.waitForServerUp("127.0.0.1:" + this.clientPortQp3, ClientBase.CONNECTION_TIMEOUT));
    }
}
