package org.xipki.ca.mgmt.shell;

import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.xipki.ca.api.mgmt.CaMgmtException;
import org.xipki.ca.api.mgmt.CertListInfo;
import org.xipki.ca.api.mgmt.CertListOrderBy;
import org.xipki.ca.api.mgmt.CertWithRevocationInfo;
import org.xipki.ca.api.mgmt.MgmtEntry;
import org.xipki.ca.mgmt.shell.CaActions;
import org.xipki.ca.mgmt.shell.CaCompleters;
import org.xipki.security.CrlReason;
import org.xipki.security.util.X509Util;
import org.xipki.shell.CmdFailure;
import org.xipki.shell.Completers;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.util.DateUtil;
import org.xipki.util.InvalidConfException;
import org.xipki.util.IoUtil;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/ca/mgmt/shell/CertActions.class */
public class CertActions {

    /**
     * Karaf command {@code ca:cert-status}: prints the certificate profile and revocation status of
     * one certificate and, when {@code --out} is given, also writes the certificate to that file.
     */
    @Service
    @Command(scope = "ca", name = "cert-status", description = "show certificate status and save the certificate")
    public static class CertStatus extends UnRevRmCertAction {

        /** Encoding passed to {@code encodeCert} when the certificate is saved; defaults to "der". */
        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        /** Target file for the certificate; when {@code null} only the status is printed. */
        @Option(name = "--out", aliases = {"-o"}, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outputFile;

        /**
         * Looks up the certificate selected by the inherited {@code --serial}/{@code --cert} options and
         * reports its profile and status ("good", or "revoked with" followed by the revocation info).
         *
         * @return always {@code null}
         * @throws Exception if the serial number cannot be determined, the lookup fails or the file
         *     cannot be written
         */
        protected Object execute0() throws Exception {
            CertWithRevocationInfo certInfo = caManager.getCert(caName, getSerialNumber());
            if (certInfo == null) {
                System.out.println("certificate unknown");
                return null;
            }

            String profile = certInfo.getCertprofile();
            // A certificate without revocation info is reported as "good".
            String status = (certInfo.getRevInfo() != null) ? "revoked with " + certInfo.getRevInfo() : "good";
            println(StringUtil.concat("certificate profile: ", new String[] {profile, "\nstatus: ", status}));

            if (outputFile != null) {
                byte[] encoded = encodeCert(certInfo.getCert().getEncodedCert(), outform);
                saveVerbose("saved certificate to file", outputFile, encoded);
            }
            return null;
        }
    }

    /* loaded from: input_file:org/xipki/ca/mgmt/shell/CertActions$CrlAction.class */
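    /**
     * Base class of the commands that obtain a CRL for one CA and optionally store it in a file.
     * Subclasses supply the CRL via {@link #retrieveCrl()} and the target path via
     * {@link #getOutFile()}.
     */
    public static abstract class CrlAction extends CaActions.CaAction {

        /** Name of the CA whose CRL is requested. */
        @Option(name = "--ca", required = true, description = "CA name")
        @Completion(CaCompleters.CaNameCompleter.class)
        protected String caName;

        /** Encoding passed to {@code encodeCrl} when the CRL is saved; defaults to "der". */
        @Option(name = "--outform", description = "output format of the CRL")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        /**
         * Obtains the CRL from the CA manager.
         *
         * @return the CRL, or {@code null} if none is available
         * @throws Exception if the CRL cannot be obtained
         */
        protected abstract X509CRL retrieveCrl() throws Exception;

        /**
         * Retrieves the CRL and, when {@link #getOutFile()} is non-null, writes it to that file.
         *
         * <p>Only the retrieval itself is reported as "received no CRL from server". Encoding and file
         * errors propagate unchanged, so an operator can tell a CA-side failure from a local write
         * failure.
         *
         * @return always {@code null}
         * @throws CmdFailure if the CA is unknown, the retrieval fails or no CRL is returned
         * @throws Exception if the CRL cannot be encoded or saved
         */
        protected Object execute0() throws Exception {
            if (caManager.getCa(caName) == null) {
                throw new CmdFailure("CA " + caName + " not available");
            }

            X509CRL crl;
            try {
                crl = retrieveCrl();
            } catch (Exception e) {
                // Keep the cause so that the underlying failure stays available for diagnosis.
                throw new CmdFailure("received no CRL from server: " + e.getMessage(), e);
            }
            if (crl == null) {
                throw new CmdFailure("received no CRL from server");
            }

            String outFile = getOutFile();
            if (outFile != null) {
                saveVerbose("saved CRL to file", outFile, encodeCrl(crl.getEncoded(), outform));
            }
            return null;
        }

        /**
         * Returns the file the CRL is written to.
         *
         * @return the target path, or {@code null} to skip saving
         */
        protected abstract String getOutFile();
    }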

    /**
     * Karaf command {@code ca:enroll-cert}: submits a CSR file to a CA under a given certificate
     * profile and saves the issued certificate.
     */
    @Service
    @Command(scope = "ca", name = "enroll-cert", description = "enroll certificate")
    public static class EnrollCert extends CaActions.CaAction {

        /** Name of the issuing CA. */
        @Option(name = "--ca", required = true, description = "CA name")
        @Completion(CaCompleters.CaNameCompleter.class)
        private String caName;

        /** Path of the file holding the certificate signing request. */
        @Option(name = "--csr", required = true, description = "CSR file")
        @Completion(FileCompleter.class)
        private String csrFile;

        /** Encoding passed to {@code encodeCert} when the certificate is saved; defaults to "der". */
        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        /** Path the issued certificate is written to. */
        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outFile;

        /** Name of the certificate profile to issue under. */
        @Option(name = "--profile", aliases = {"-p"}, required = true, description = "profile name")
        @Completion(CaCompleters.ProfileNameCompleter.class)
        private String profileName;

        /** Requested notBefore; blank or absent means none is passed to the CA manager. */
        @Option(name = "--not-before", description = "notBefore, UTC time of format yyyyMMddHHmmss")
        private String notBeforeS;

        /** Requested notAfter; blank or absent means none is passed to the CA manager. */
        @Option(name = "--not-after", description = "notAfter, UTC time of format yyyyMMddHHmmss")
        private String notAfterS;

        /**
         * Reads the CSR, asks the CA manager to issue a certificate and writes the result to
         * {@code --out}.
         *
         * @return always {@code null}
         * @throws CmdFailure if the CA is unknown
         * @throws Exception if the CSR cannot be read, a date cannot be parsed, issuance fails or the
         *     certificate cannot be saved
         */
        protected Object execute0() throws Exception {
            if (caManager.getCa(caName) == null) {
                throw new CmdFailure("CA " + caName + " not available");
            }

            byte[] encodedCsr = IoUtil.read(csrFile);

            // NOTE(review): the validity bounds are handed to the CA manager as given on the command
            // line; whether the profile constrains them is decided outside this class - confirm.
            Date notBefore = StringUtil.isNotBlank(notBeforeS)
                    ? DateUtil.parseUtcTimeyyyyMMddhhmmss(notBeforeS)
                    : null;
            Date notAfter = StringUtil.isNotBlank(notAfterS)
                    ? DateUtil.parseUtcTimeyyyyMMddhhmmss(notAfterS)
                    : null;

            byte[] encodedCert = caManager
                    .generateCertificate(caName, profileName, encodedCsr, notBefore, notAfter)
                    .getEncoded();
            saveVerbose("saved certificate to file", outFile, encodeCert(encodedCert, outform));
            return null;
        }
    }

    /**
     * Karaf command {@code ca:gen-crl}: asks the CA manager to generate a CRL on demand and, when
     * {@code --out} is given, saves it.
     */
    @Service
    @Command(scope = "ca", name = "gen-crl", description = "generate CRL")
    public static class GenCrl extends CrlAction {

        /** Optional path the generated CRL is written to. */
        @Option(name = "--out", aliases = {"-o"}, description = "where to save the CRL")
        @Completion(FileCompleter.class)
        protected String outFile;

        /**
         * Triggers on-demand CRL generation for the CA named by {@code --ca}.
         *
         * @return whatever {@code generateCrlOnDemand} returns for that CA
         * @throws Exception if the CA manager call fails
         */
        @Override
        protected X509CRL retrieveCrl() throws Exception {
            X509CRL generated = caManager.generateCrlOnDemand(caName);
            return generated;
        }

        /** @return the value of {@code --out}, or {@code null} when it was not given */
        @Override
        protected String getOutFile() {
            return outFile;
        }
    }

    /**
     * Karaf command {@code ca:get-cert}: fetches the certificate with a given serial number from a
     * CA and saves it to a file.
     */
    @Service
    @Command(scope = "ca", name = "get-cert", description = "get certificate")
    public static class GetCert extends CaActions.CaAction {

        /** Name of the CA that holds the certificate. */
        @Option(name = "--ca", required = true, description = "CA name")
        @Completion(CaCompleters.CaNameCompleter.class)
        protected String caName;

        /** Serial number as typed by the operator; converted with {@code toBigInt}. */
        @Option(name = "--serial", aliases = {"-s"}, required = true, description = "serial number")
        private String serialNumberS;

        /** Encoding passed to {@code encodeCert} when the certificate is saved; defaults to "der". */
        @Option(name = "--outform", description = "output format of the certificate")
        @Completion(Completers.DerPemCompleter.class)
        protected String outform = "der";

        /** Path the certificate is written to. */
        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the certificate")
        @Completion(FileCompleter.class)
        private String outputFile;

        /**
         * Looks the certificate up and saves it, or prints "certificate unknown" when the CA manager
         * returns nothing for the serial number.
         *
         * @return always {@code null}
         * @throws Exception if the serial number is malformed, the lookup fails or the file cannot
         *     be written
         */
        protected Object execute0() throws Exception {
            BigInteger serial = toBigInt(serialNumberS);
            CertWithRevocationInfo certInfo = caManager.getCert(caName, serial);

            if (certInfo != null) {
                byte[] encoded = encodeCert(certInfo.getCert().getEncodedCert(), outform);
                saveVerbose("certificate saved to file", outputFile, encoded);
            } else {
                System.out.println("certificate unknown");
            }
            return null;
        }
    }

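    /**
     * Karaf command {@code ca:get-crl}: downloads the current CRL of a CA and, on request, the base
     * CRL that a delta CRL refers to.
     */
    @Service
    @Command(scope = "ca", name = "get-crl", description = "download CRL")
    public static class GetCrl extends CrlAction {

        /** Whether the base CRL is fetched too when the current CRL carries a deltaCRLIndicator. */
        @Option(name = "--with-basecrl", description = "whether to retrieve the baseCRL if the current CRL is a delta CRL")
        private Boolean withBaseCrl = Boolean.FALSE;

        /** Path for the base CRL; when absent, {@code <out>-baseCRL} is used. */
        @Option(name = "--basecrl-out", description = "where to save the baseCRL\n(defaults to <out>-baseCRL)")
        @Completion(FileCompleter.class)
        private String baseCrlOut;

        /** Path the current CRL is written to. */
        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the CRL")
        @Completion(FileCompleter.class)
        protected String outFile;

        /**
         * Fetches the current CRL of the CA named by {@code --ca}.
         *
         * @return whatever {@code getCurrentCrl} returns for that CA
         * @throws Exception if the CA manager call fails
         */
        @Override
        protected X509CRL retrieveCrl() throws Exception {
            return caManager.getCurrentCrl(caName);
        }

        /**
         * Saves the current CRL and, if {@code --with-basecrl} is set and the CRL contains a
         * deltaCRLIndicator extension, also the base CRL with the indicated CRL number.
         *
         * <p>Each failure is reported under its own message: only the two CA manager calls are
         * described as "received no (base)CRL from server", a malformed extension is reported as
         * such, and encoding or file errors propagate unchanged. The original cause is attached to
         * every {@link CmdFailure} raised from a caught exception.
         *
         * @return always {@code null}
         * @throws CmdFailure if the CA is unknown, a CRL cannot be retrieved or the
         *     deltaCRLIndicator cannot be parsed
         * @throws Exception if a CRL cannot be encoded or saved
         */
        @Override
        protected Object execute0() throws Exception {
            if (caManager.getCa(caName) == null) {
                throw new CmdFailure("CA " + caName + " not available");
            }

            X509CRL crl;
            try {
                crl = retrieveCrl();
            } catch (Exception e) {
                throw new CmdFailure("received no CRL from server: " + e.getMessage(), e);
            }
            if (crl == null) {
                throw new CmdFailure("received no CRL from server");
            }
            saveVerbose("saved CRL to file", outFile, encodeCrl(crl.getEncoded(), outform));

            if (!withBaseCrl.booleanValue()) {
                return null;
            }
            byte[] deltaIndicator = crl.getExtensionValue(Extension.deltaCRLIndicator.getId());
            if (deltaIndicator == null) {
                // No deltaCRLIndicator: the current CRL is not a delta CRL, so there is no base CRL.
                return null;
            }

            // getExtensionValue returns the extension wrapped in an OCTET STRING; the INTEGER inside
            // is the CRL number of the base CRL.
            BigInteger baseCrlNumber;
            try {
                byte[] extnValue = DEROctetString.getInstance(deltaIndicator).getOctets();
                baseCrlNumber = ASN1Integer.getInstance(extnValue).getPositiveValue();
            } catch (RuntimeException e) {
                throw new CmdFailure("invalid deltaCRLIndicator extension in CRL: " + e.getMessage(), e);
            }

            X509CRL baseCrl;
            try {
                baseCrl = caManager.getCrl(caName, baseCrlNumber);
            } catch (Exception e) {
                throw new CmdFailure("received no baseCRL from server: " + e.getMessage(), e);
            }
            if (baseCrl == null) {
                throw new CmdFailure("received no baseCRL from server");
            }

            // Resolve the default locally instead of overwriting the option field.
            String baseOut = (baseCrlOut != null) ? baseCrlOut : outFile + "-baseCRL";
            saveVerbose("saved baseCRL to file", baseOut, encodeCrl(baseCrl.getEncoded(), outform));
            return null;
        }

        /** @return the value of {@code --out} */
        @Override
        protected String getOutFile() {
            return outFile;
        }
    }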

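    /**
     * Karaf command {@code ca:get-request}: fetches the stored enrollment request that belongs to a
     * certificate and saves it to a file.
     */
    @Service
    @Command(scope = "ca", name = "get-request", description = "get the request to enroll certificate")
    public static class GetRequest extends UnRevRmCertAction {

        /** Path the request is written to. */
        @Option(name = "--out", aliases = {"-o"}, required = true, description = "where to save the request")
        @Completion(FileCompleter.class)
        private String outputFile;

        /**
         * Looks up the request of the certificate selected by the inherited
         * {@code --serial}/{@code --cert} options and writes the returned bytes unchanged.
         *
         * @return always {@code null}
         * @throws Exception if the serial number cannot be determined, the lookup fails or the file
         *     cannot be written
         */
        protected Object execute0() throws Exception {
            byte[] certRequest = caManager.getCertRequest(caName, getSerialNumber());
            if (certRequest == null) {
                // The message used to read "unknown request unknown".
                System.out.println("certificate request unknown");
                return null;
            }
            saveVerbose("request saved to file", outputFile, certRequest);
            return null;
        }
    }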

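    /**
     * Karaf command {@code ca:list-cert}: prints a table of certificates of one CA, optionally
     * filtered by subject and validity window.
     */
    @Service
    @Command(scope = "ca", name = "list-cert", description = "show a list of certificates")
    public static class ListCert extends CaActions.CaAction {

        /** Lower and upper bound of {@code -n}, as stated in its description. */
        private static final int MIN_NUM = 1;
        private static final int MAX_NUM = 1000;

        /** Name of the CA whose certificates are listed. */
        @Option(name = "--ca", required = true, description = "CA name")
        @Completion(CaCompleters.CaNameCompleter.class)
        protected String caName;

        /** Subject filter; parsed as an X.500 name before it is passed to the CA manager. */
        @Option(name = "--subject", description = "the subject pattern, * is allowed.")
        protected String subjectPatternS;

        /** Start of the validity window, 8 or 14 characters long. */
        @Option(name = "--valid-from", description = "start UTC time when the certificate is still valid, in form of yyyyMMdd or yyyyMMddHHmmss")
        private String validFromS;

        /** End of the validity window, 8 or 14 characters long. */
        @Option(name = "--valid-to", description = "end UTC time when the certificate is still valid, in form of yyyyMMdd or yyyyMMddHHmmss")
        private String validToS;

        /** Maximum number of rows requested from the CA manager. */
        @Option(name = "-n", description = "maximal number of entries (between 1 and 1000)")
        private int num = 1000;

        /** Sort criterion; must be a value that {@code CertListOrderBy.forValue} recognises. */
        @Option(name = "--order", description = "by which the result is ordered")
        @Completion(CaCompleters.CertListSortByCompleter.class)
        private String orderByS;

        /**
         * Validates the options, queries the CA manager and prints one table row per certificate.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if {@code -n} is outside 1..1000, a time or the subject
         *     pattern is malformed, or the order is unknown
         * @throws Exception if the CA manager call fails
         */
        protected Object execute0() throws Exception {
            // Enforce the documented range locally instead of relying on the callee to do it.
            if (num < MIN_NUM || num > MAX_NUM) {
                throw new IllegalCmdParamException(
                        "invalid n " + num + ": must be between " + MIN_NUM + " and " + MAX_NUM);
            }

            Date validFrom = getDate(validFromS);
            Date validTo = getDate(validToS);

            X500Name subjectPattern = null;
            if (StringUtil.isNotBlank(subjectPatternS)) {
                try {
                    subjectPattern = new X500Name(subjectPatternS);
                } catch (IllegalArgumentException e) {
                    // A malformed name is an operator input error, so report it as one.
                    throw new IllegalCmdParamException(
                            "invalid subject pattern '" + subjectPatternS + "': " + e.getMessage(), e);
                }
            }

            CertListOrderBy orderBy = null;
            if (orderByS != null) {
                orderBy = CertListOrderBy.forValue(orderByS);
                if (orderBy == null) {
                    throw new IllegalCmdParamException("invalid order '" + orderByS + "'");
                }
            }

            List<CertListInfo> certs =
                    caManager.listCertificates(caName, subjectPattern, validFrom, validTo, orderBy, num);
            if (certs.isEmpty()) {
                println("found no certificate");
                return null;
            }

            println("     | serial               | notBefore      | notAfter       | subject");
            println("-----+----------------------+----------------+----------------+-----------------");
            int row = 0;
            for (CertListInfo info : certs) {
                row++;
                println(format(row, info));
            }
            return null;
        }

        /**
         * Renders one table row: 1-based index, hexadecimal serial number, notBefore, notAfter and
         * subject, separated by " | ".
         */
        private String format(int i, CertListInfo certListInfo) {
            // NOTE(review): formatAccount/formatText presumably pad to the given width - confirm.
            return StringUtil.concat(StringUtil.formatAccount(i, 4), new String[] {
                " | ", StringUtil.formatText(certListInfo.getSerialNumber().toString(16), 20),
                " | ", DateUtil.toUtcTimeyyyyMMddhhmmss(certListInfo.getNotBefore()),
                " | ", DateUtil.toUtcTimeyyyyMMddhhmmss(certListInfo.getNotAfter()),
                " | ", certListInfo.getSubject()});
        }

        /**
         * Parses a UTC time given as yyyyMMdd (8 characters) or yyyyMMddHHmmss (14 characters).
         *
         * @param str the option value, may be {@code null}
         * @return the parsed time, or {@code null} if {@code str} is {@code null}
         * @throws IllegalCmdParamException if the length is neither 8 nor 14 or parsing fails
         */
        private Date getDate(String str) throws IllegalCmdParamException {
            if (str == null) {
                return null;
            }
            int length = str.length();
            try {
                if (length == 8) {
                    return DateUtil.parseUtcTimeyyyyMMdd(str);
                }
                if (length == 14) {
                    return DateUtil.parseUtcTimeyyyyMMddhhmmss(str);
                }
            } catch (IllegalArgumentException e) {
                throw new IllegalCmdParamException("invalid time " + str + ": " + e.getMessage(), e);
            }
            throw new IllegalCmdParamException("invalid time " + str);
        }
    }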

    /**
     * Karaf command {@code ca:revoke-cert}: revokes one certificate of a CA with a given CRL reason
     * and optional invalidity date.
     */
    @Service
    @Command(scope = "ca", name = "revoke-cert", description = "revoke certificate")
    public static class RevokeCert extends UnRevRmCertAction {

        /** CRL reason as typed by the operator; resolved with {@code CrlReason.forNameOrText}. */
        @Option(name = "--reason", aliases = {"-r"}, required = true, description = "CRL reason")
        @Completion(Completers.ClientCrlReasonCompleter.class)
        private String reason;

        /** Optional invalidity date; blank or absent means none is passed on. */
        @Option(name = "--inv-date", description = "invalidity date, UTC time of format yyyyMMddHHmmss")
        private String invalidityDateS;

        /**
         * Checks the reason against the permitted client reasons, resolves the serial number and asks
         * the CA manager to revoke the certificate.
         *
         * @return always {@code null}
         * @throws InvalidConfException if the reason is not in
         *     {@code CrlReason.PERMITTED_CLIENT_CRLREASONS}
         * @throws CmdFailure if the CA manager rejects the revocation
         * @throws Exception if the date or the serial number cannot be determined
         */
        protected Object execute0() throws Exception {
            CrlReason crlReason = CrlReason.forNameOrText(reason);
            // Only reasons from the permitted-client list may be requested through this command.
            boolean permitted = CrlReason.PERMITTED_CLIENT_CRLREASONS.contains(crlReason);
            if (!permitted) {
                throw new InvalidConfException("reason " + reason + " is not permitted");
            }

            Date invalidityDate = isNotBlank(invalidityDateS)
                    ? DateUtil.parseUtcTimeyyyyMMddhhmmss(invalidityDateS)
                    : null;

            BigInteger serial = getSerialNumber();
            String certDesc = "certificate (serial number = 0x" + serial.toString(16) + ")";
            try {
                caManager.revokeCertificate(caName, serial, crlReason, invalidityDate);
                println("revoked " + certDesc);
                return null;
            } catch (CaMgmtException e) {
                throw new CmdFailure("could not revoke " + certDesc + ", error: " + e.getMessage(), e);
            }
        }
    }

    /**
     * Karaf command {@code ca:rm-cert}: removes one certificate from a CA, asking for confirmation
     * unless {@code --force} is given.
     */
    @Service
    @Command(scope = "ca", name = "rm-cert", description = "remove certificate")
    public static class RmCert extends UnRevRmCertAction {

        /** When set, the confirmation prompt is skipped. */
        @Option(name = "--force", aliases = {"-f"}, description = "without prompt")
        private Boolean force = Boolean.FALSE;

        /**
         * Resolves the serial number, confirms with the operator and asks the CA manager to remove
         * the certificate.
         *
         * @return always {@code null}, also when the operator declines
         * @throws CmdFailure if the CA manager rejects the removal
         * @throws Exception if the serial number cannot be determined
         */
        protected Object execute0() throws Exception {
            BigInteger serial = getSerialNumber();
            String certDesc = "certificate (serial number = 0x" + serial.toString(16) + ")";

            // The prompt is only shown without --force.
            // NOTE(review): the second argument of confirm is presumably the number of tries - confirm.
            boolean proceed = force.booleanValue() || confirm("Do you want to remove " + certDesc, 3);
            if (!proceed) {
                return null;
            }

            try {
                caManager.removeCertificate(caName, serial);
                println("removed " + certDesc);
                return null;
            } catch (CaMgmtException e) {
                throw new CmdFailure("could not remove " + certDesc + ", error: " + e.getMessage(), e);
            }
        }
    }

    /* loaded from: input_file:org/xipki/ca/mgmt/shell/CertActions$UnRevRmCertAction.class */
    /**
     * Base class of the commands that act on a single certificate of one CA. The certificate is
     * selected either by serial number or by a certificate file.
     */
    public static abstract class UnRevRmCertAction extends CaActions.CaAction {

        /** Name of the CA that issued the certificate. */
        @Option(name = "--ca", required = true, description = "CA name")
        @Completion(CaCompleters.CaNameCompleter.class)
        protected String caName;

        /** Certificate file; only consulted when {@code --serial} is absent. */
        @Option(name = "--cert", aliases = {"-c"}, description = "certificate file\n(either cert or serial must be specified)")
        @Completion(FileCompleter.class)
        protected String certFile;

        /** Serial number as typed by the operator; takes precedence over {@code --cert}. */
        @Option(name = "--serial", aliases = {"-s"}, description = "serial number\n(either cert or serial must be specified)")
        private String serialNumberS;

        /**
         * Determines the serial number of the certificate to act on.
         *
         * <p>If {@code --serial} is given it is used directly and {@code --cert} is ignored.
         * Otherwise the certificate file is parsed and accepted only if {@code X509Util.issues}
         * reports that the CA's certificate issued it.
         *
         * @return the serial number
         * @throws CmdFailure if the CA is unknown or the certificate file was not issued by it
         * @throws IllegalCmdParamException if neither option is given
         * @throws CertificateException if the certificate file cannot be parsed
         * @throws IOException if the certificate file cannot be read
         * @throws CaMgmtException if the CA lookup fails
         */
        protected BigInteger getSerialNumber() throws CmdFailure, IllegalCmdParamException, CertificateException, IOException, CaMgmtException {
            MgmtEntry.Ca caEntry = caManager.getCa(caName);
            if (caEntry == null) {
                throw new CmdFailure("CA " + caName + " not available");
            }

            if (serialNumberS != null) {
                return toBigInt(serialNumberS);
            }
            if (certFile == null) {
                throw new IllegalCmdParamException("neither serialNumber nor certFile is specified");
            }

            X509Certificate caCert = caEntry.getCert();
            X509Certificate targetCert = X509Util.parseCert(new File(certFile));
            // NOTE(review): X509Util.issues is defined elsewhere; whether it verifies the signature or
            // only compares names/key identifiers is not visible here - confirm, since the serial
            // number returned below is what revoke/unrevoke/remove act on.
            if (!X509Util.issues(caCert, targetCert)) {
                throw new CmdFailure("certificate '" + certFile + "' is not issued by CA " + caName);
            }
            return targetCert.getSerialNumber();
        }
    }

    /**
     * Karaf command {@code ca:unrevoke-cert}: asks the CA manager to lift the revocation of one
     * certificate.
     */
    @Service
    @Command(scope = "ca", name = "unrevoke-cert", description = "unrevoke certificate")
    public static class UnrevokeCert extends UnRevRmCertAction {

        /**
         * Resolves the serial number from the inherited {@code --serial}/{@code --cert} options and
         * requests the unrevocation.
         *
         * @return always {@code null}
         * @throws CmdFailure if the CA manager rejects the request
         * @throws Exception if the serial number cannot be determined
         */
        protected Object execute0() throws Exception {
            BigInteger serial = getSerialNumber();
            String certDesc = "certificate (serial number = 0x" + serial.toString(16) + ")";
            try {
                caManager.unrevokeCertificate(caName, serial);
                println("unrevoked " + certDesc);
                return null;
            } catch (CaMgmtException e) {
                throw new CmdFailure("could not unrevoke " + certDesc + ", error: " + e.getMessage(), e);
            }
        }
    }
}
