package org.xipki.ca.server.mgmt.qa.shell.cert;

import java.util.Set;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Reference;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extensions;
import org.xipki.ca.qa.QaSystemManager;
import org.xipki.ca.qa.X509CertprofileQa;
import org.xipki.ca.qa.X509IssuerInfo;
import org.xipki.ca.server.mgmt.qa.shell.completer.X509CertprofileNameCompleter;
import org.xipki.ca.server.mgmt.qa.shell.completer.X509IssuerNameCompleter;
import org.xipki.common.qa.ValidationIssue;
import org.xipki.common.qa.ValidationResult;
import org.xipki.common.util.IoUtil;
import org.xipki.console.karaf.CmdFailure;
import org.xipki.console.karaf.IllegalCmdParamException;
import org.xipki.console.karaf.XipkiCommandSupport;
import org.xipki.console.karaf.completer.FilePathCompleter;

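/**
 * Karaf shell command {@code xipki-caqa:check-cert}: checks an issued certificate against a
 * QA certificate profile, using the CSR it was issued for as the reference.
 *
 * <p>The CSR supplies the expected subject, subject public key and requested extensions.
 * This command only reads the {@code CertificationRequestInfo}; it does not verify the CSR's
 * signature, so the CSR file must come from a trusted source.
 */
@Service
@Command(scope = "xipki-caqa", name = "check-cert", description = "check the certificate")
public class CheckCertCmd extends XipkiCommandSupport {

    @Option(name = "--cert", aliases = {"-c"}, required = true, description = "certificate file\n(required)")
    @Completion(FilePathCompleter.class)
    private String certFile;

    @Option(name = "--issuer", description = "issuer name\nrequired if multiple issuers are configured")
    @Completion(X509IssuerNameCompleter.class)
    private String issuerName;

    @Option(name = "--csr", required = true, description = "CSR file\n(required)")
    @Completion(FilePathCompleter.class)
    private String csrFile;

    @Option(name = "--profile", aliases = {"-p"}, required = true, description = "certificate profile\n(required)")
    @Completion(X509CertprofileNameCompleter.class)
    private String profileName;

    @Option(name = "--verbose", aliases = {"-v"}, description = "show status verbosely")
    private Boolean verbose = Boolean.FALSE;

    @Reference
    private QaSystemManager qaSystemManager;

    /**
     * Resolves issuer and profile, runs the profile check and prints the result.
     *
     * @return {@code null} when every validation issue is successful
     * @throws IllegalCmdParamException if the issuer or profile cannot be resolved, or the CSR
     *         carries an extensionRequest attribute without a value
     * @throws CmdFailure if the certificate does not conform to the profile
     * @throws Exception if reading or parsing the certificate or CSR file fails
     */
    protected Object execute0() throws Exception {
        Set<?> issuerNames = this.qaSystemManager.issuerNames();
        if (isEmpty(issuerNames)) {
            throw new IllegalCmdParamException("no issuer is configured");
        }
        if (this.issuerName == null) {
            // The issuer may only be omitted when it is unambiguous.
            if (issuerNames.size() != 1) {
                throw new IllegalCmdParamException("no issuer is specified");
            }
            this.issuerName = (String) issuerNames.iterator().next();
        }
        if (!issuerNames.contains(this.issuerName)) {
            throw new IllegalCmdParamException("issuer " + this.issuerName + " is not within the configured issuers " + issuerNames);
        }
        X509IssuerInfo issuer = this.qaSystemManager.getIssuer(this.issuerName);
        X509CertprofileQa certprofile = this.qaSystemManager.getCertprofile(this.profileName);
        if (certprofile == null) {
            throw new IllegalCmdParamException("found no certificate profile named '" + this.profileName + "'");
        }

        // Only the request info is used; the CSR signature is not checked here.
        CertificationRequestInfo requestInfo =
                CertificationRequest.getInstance(IoUtil.read(this.csrFile)).getCertificationRequestInfo();
        Extensions extensions = requestedExtensions(requestInfo, this.csrFile);

        ValidationResult result = certprofile.checkCert(IoUtil.read(this.certFile), issuer,
                requestInfo.getSubject(), requestInfo.getSubjectPublicKeyInfo(), extensions);

        StringBuilder sb = new StringBuilder();
        sb.append(this.certFile).append(" (certprofile ").append(this.profileName).append(")\n");
        sb.append("\tcertificate is ");
        sb.append(result.isAllSuccessful() ? "valid" : "invalid");
        if (this.verbose.booleanValue()) {
            for (ValidationIssue validationIssue : result.validationIssues()) {
                sb.append("\n");
                format(validationIssue, "    ", sb);
            }
        }
        println(sb.toString());
        if (result.isAllSuccessful()) {
            return null;
        }
        // Signal the failure to the shell so scripted QA runs stop on a non-conforming certificate.
        throw new CmdFailure("certificate is invalid");
    }

    /**
     * Extracts the extensions requested in the CSR's PKCS#9 extensionRequest attribute.
     *
     * <p>If several extensionRequest attributes are present, the last one is used.
     *
     * @param requestInfo parsed request info of the CSR
     * @param csrFile CSR file name, used in error messages only
     * @return the requested extensions, or {@code null} if the CSR requests none
     * @throws IllegalCmdParamException if an extensionRequest attribute has no value
     */
    private static Extensions requestedExtensions(CertificationRequestInfo requestInfo, String csrFile)
            throws IllegalCmdParamException {
        ASN1Set attributes = requestInfo.getAttributes();
        if (attributes == null) {
            // The parser tolerates CSRs that omit the attributes field; treat as "no extensions".
            return null;
        }
        Extensions extensions = null;
        for (int i = 0; i < attributes.size(); i++) {
            Attribute attribute = Attribute.getInstance(attributes.getObjectAt(i));
            if (!PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attribute.getAttrType())) {
                continue;
            }
            ASN1Set values = attribute.getAttrValues();
            if (values.size() == 0) {
                // Reject a malformed CSR with a clear message instead of an index error.
                throw new IllegalCmdParamException(
                        "CSR " + csrFile + " contains an extensionRequest attribute without value");
            }
            extensions = Extensions.getInstance(values.getObjectAt(0));
        }
        return extensions;
    }

    /**
     * Appends one validation issue as {@code code, description, failed|successful[, message]}.
     *
     * @param validationIssue issue to render
     * @param indent prefix written before the issue
     * @param sb buffer to append to
     */
    private static void format(ValidationIssue validationIssue, String indent, StringBuilder sb) {
        sb.append(indent).append(validationIssue.code());
        sb.append(", ").append(validationIssue.description());
        sb.append(", ").append(validationIssue.isFailed() ? "failed" : "successful");
        String failureMessage = validationIssue.failureMessage();
        if (failureMessage != null) {
            sb.append(", ").append(failureMessage);
        }
    }
}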
