package org.xipki.qa.shell;

import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Set;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Reference;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.bouncycastle.jcajce.spec.SM2ParameterSpec;
import org.xipki.security.HashAlgo;
import org.xipki.security.SignatureAlgoControl;
import org.xipki.security.pkcs11.P11CryptServiceFactory;
import org.xipki.security.pkcs11.provider.XiSM2ParameterSpec;
import org.xipki.security.util.AlgorithmUtil;
import org.xipki.shell.Completers;
import org.xipki.shell.DynamicEnumCompleter;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.shell.XiAction;
import org.xipki.util.CollectionUtil;
import org.xipki.util.StringUtil;

/* loaded from: input_file:org/xipki/qa/shell/QaP11Actions.class */
public class QaP11Actions {

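    /**
     * Shell completer that proposes the names of the PKCS#11 modules reported by the
     * {@link P11CryptServiceFactory}.
     */
    @Service
    public static class P11ModuleNameCompleter extends DynamicEnumCompleter {

        // Declared as an optional reference, so this field can still be null when
        // no P11CryptServiceFactory has been supplied.
        @Reference(optional = true)
        private P11CryptServiceFactory p11CryptServiceFactory;

        /**
         * Returns the candidate module names for completion.
         *
         * @return the names reported by the factory, or an empty set when the factory
         *         is absent or reports no modules
         */
        protected Set<String> getEnums() {
            // The reference is optional: without this guard a missing factory turns
            // tab-completion into a NullPointerException.
            if (this.p11CryptServiceFactory == null) {
                return Collections.emptySet();
            }
            Set<String> moduleNames = this.p11CryptServiceFactory.getModuleNames();
            return CollectionUtil.isEmpty(moduleNames) ? Collections.emptySet() : moduleNames;
        }
    }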

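    /**
     * Base class for QA shell actions that work on one key entry of the "PKCS11"
     * keystore served by the "XIPKI" provider.
     *
     * <p>The entry is selected by module name, slot index and exactly one of key id or
     * key label. Subclasses receive the private key and its certificate through
     * {@link #execute1(PrivateKey, Certificate)}.
     */
    protected static abstract class P11SecurityAction extends XiAction {
        protected static final String DEFAULT_P11MODULE_NAME = "default";

        @Option(name = "--id", description = "id of the private key in the PKCS#11 device\neither keyId or keyLabel must be specified")
        protected String id;

        @Option(name = "--label", description = "label of the private key in the PKCS#11 device\neither keyId or keyLabel must be specified")
        protected String label;

        // Optional reference: may be null. It is not read by this base class.
        @Reference(optional = true)
        protected P11CryptServiceFactory p11CryptServiceFactory;

        @Option(name = "--module", description = "name of the PKCS#11 module")
        @Completion(P11ModuleNameCompleter.class)
        protected String moduleName = DEFAULT_P11MODULE_NAME;

        @Option(name = "--slot", description = "slot index")
        protected int slotIndex = 0;

        @Option(name = "--verbose", aliases = {"-v"}, description = "show object information verbosely")
        protected Boolean verbose = Boolean.FALSE;

        protected P11SecurityAction() {
        }

        /**
         * Runs the concrete test with the key material resolved by {@link #execute0()}.
         *
         * @param privateKey  private key found under the computed alias; never null
         * @param certificate certificate stored under the same alias; never null
         * @return the command result
         * @throws Exception if the test fails
         */
        protected abstract Object execute1(PrivateKey privateKey, Certificate certificate) throws Exception;

        /**
         * Builds the keystore alias from the module name, the slot index and either the
         * key label or the key id.
         *
         * @return {@code <module>#slotindex-<n>#keylabel-<label>} or
         *         {@code <module>#slotindex-<n>#keyid-<lower-cased id>}
         * @throws IllegalCmdParamException if both or neither of id and label are given
         */
        protected String getAlias() throws IllegalCmdParamException {
            boolean hasLabel = this.label != null;
            boolean hasId = this.id != null;
            // Both set or both missing: the selection would be ambiguous or empty.
            if (hasLabel == hasId) {
                throw new IllegalCmdParamException("exactly one of id or label should be specified");
            }
            String slot = Integer.toString(this.slotIndex);
            if (hasLabel) {
                return StringUtil.concat(this.moduleName, new String[]{"#slotindex-", slot, "#keylabel-", this.label});
            }
            // Lower-case with a fixed locale so the alias does not depend on the JVM's
            // default locale (locale-specific case rules would otherwise apply).
            String normalizedId = this.id.toLowerCase(java.util.Locale.ROOT);
            return StringUtil.concat(this.moduleName, new String[]{"#slotindex-", slot, "#keyid-", normalizedId});
        }

        /**
         * Opens the keystore, resolves the selected entry and delegates to
         * {@link #execute1(PrivateKey, Certificate)}.
         *
         * @return the result of {@code execute1}, or {@code null} when the key or its
         *         certificate cannot be found (a message is printed in that case)
         * @throws Exception if the keystore cannot be obtained or loaded, the options are
         *                   invalid, or the delegated test fails
         */
        protected Object execute0() throws Exception {
            KeyStore keyStore = KeyStore.getInstance("PKCS11", "XIPKI");
            // Loaded without an input stream and without a password.
            keyStore.load(null, null);
            if (this.verbose.booleanValue()) {
                println("available aliases:");
                Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    println("    " + aliases.nextElement());
                }
            }

            String alias = getAlias();
            println("alias: " + alias);

            // The key is requested without a password as well.
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, null);
            if (privateKey == null) {
                println("could not find key with alias '" + alias + "'");
                return null;
            }

            // The certificate supplies the public key that subclasses verify against.
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                println("could not find certificate to verify signature");
                return null;
            }
            return execute1(privateKey, certificate);
        }
    }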

    /**
     * QA command that signs a fixed ten-byte message with SM3withSM2 using the selected
     * PKCS#11 key and verifies the result with the "BC" provider.
     */
    @Service
    @Command(scope = "qa", name = "p11prov-sm2-test", description = "test the SM2 implementation of Xipki PKCS#11 JCA/JCE provider")
    public static class P11provSm2Test extends P11SecurityAction {

        private static final String SM3_WITH_SM2 = "SM3withSM2";

        @Option(name = "--ida", description = "IDA (ID user A)")
        protected String ida;

        /**
         * Signs and verifies the test message, printing each step.
         *
         * <p>The verification outcome is only printed; the method returns {@code null}
         * whether or not the signature verified.
         *
         * @param privateKey  key used to create the signature
         * @param certificate certificate whose public key is used for verification
         * @return always {@code null}
         * @throws Exception if signing or verification cannot be carried out
         */
        @Override
        protected Object execute1(PrivateKey privateKey, Certificate certificate) throws Exception {
            final boolean hasIda = StringUtil.isNotBlank(this.ida);
            final byte[] message = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};

            println("signature algorithm: " + SM3_WITH_SM2);

            // No provider is named for signing, so JCA selects one for the key.
            // NOTE(review): presumably the XiPKI PKCS#11 provider; nothing here checks
            // which provider actually produced the signature.
            Signature signer = Signature.getInstance(SM3_WITH_SM2);
            if (hasIda) {
                signer.setParameter(new XiSM2ParameterSpec(StringUtil.toUtf8Bytes(this.ida)));
            }
            signer.initSign(privateKey);
            signer.update(message);
            final byte[] signatureValue = signer.sign();
            println("signature created successfully");

            // Verification is pinned to "BC" and is given the same IDA, when one is set.
            Signature verifier = Signature.getInstance(SM3_WITH_SM2, "BC");
            if (hasIda) {
                verifier.setParameter(new SM2ParameterSpec(StringUtil.toUtf8Bytes(this.ida)));
            }
            verifier.initVerify(certificate.getPublicKey());
            verifier.update(message);
            final boolean valid = verifier.verify(signatureValue);
            println("signature valid: " + valid);
            return null;
        }
    }

    /**
     * QA command that signs a fixed ten-byte message with the selected PKCS#11 key and
     * verifies the result with the "BC" provider. The signature algorithm is derived from
     * the certificate's public key and the command options.
     */
    @Service
    @Command(scope = "qa", name = "p11prov-test", description = "test the Xipki PKCS#11 JCA/JCE provider")
    public static class P11provTest extends P11SecurityAction {

        @Option(name = "--hash", description = "hash algorithm name")
        @Completion(Completers.HashAlgCompleter.class)
        protected String hashAlgo = "SHA256";

        @Option(name = "--rsa-mgf1", description = "whether to use the RSAPSS MGF1 for the POPO computation\n(only applied to RSA key)")
        private Boolean rsaMgf1 = Boolean.FALSE;

        @Option(name = "--dsa-plain", description = "whether to use the Plain DSA for the POPO computation\n(only applied to ECDSA key)")
        private Boolean dsaPlain = Boolean.FALSE;

        @Option(name = "--gm", description = "whether to use the chinese GM algorithm for the POPO computation\n(only applied to EC key with GM curves)")
        private Boolean gm = Boolean.FALSE;

        /**
         * Signs and verifies the test message, printing each step.
         *
         * <p>The verification outcome is only printed; the method returns {@code null}
         * whether or not the signature verified.
         *
         * @param privateKey  key used to create the signature
         * @param certificate certificate whose public key selects the algorithm and is
         *                    used for verification
         * @return always {@code null}
         * @throws Exception if the algorithm cannot be resolved or signing/verification fails
         */
        @Override
        protected Object execute1(PrivateKey privateKey, Certificate certificate) throws Exception {
            final PublicKey verificationKey = certificate.getPublicKey();
            final String algoName = getSignatureAlgo(verificationKey);
            println("signature algorithm: " + algoName);

            final byte[] message = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};

            // No provider is named for signing, so JCA selects one for the key.
            // NOTE(review): presumably the XiPKI PKCS#11 provider; nothing here checks
            // which provider actually produced the signature.
            Signature signer = Signature.getInstance(algoName);
            signer.initSign(privateKey);
            signer.update(message);
            final byte[] signatureValue = signer.sign();
            println("signature created successfully");

            // Verification is pinned to "BC".
            Signature verifier = Signature.getInstance(algoName, "BC");
            verifier.initVerify(verificationKey);
            verifier.update(message);
            final boolean valid = verifier.verify(signatureValue);
            println("signature valid: " + valid);
            return null;
        }

        /**
         * Resolves the signature algorithm name for the given public key, the
         * {@code --hash} option and the three algorithm-variant flags.
         *
         * @param publicKey public key taken from the certificate
         * @return the signature algorithm name
         * @throws NoSuchAlgorithmException if no algorithm can be resolved
         */
        private String getSignatureAlgo(PublicKey publicKey) throws NoSuchAlgorithmException {
            final HashAlgo hash = HashAlgo.getNonNullInstance(this.hashAlgo);
            final boolean useMgf1 = this.rsaMgf1.booleanValue();
            final boolean usePlainDsa = this.dsaPlain.booleanValue();
            final boolean useGm = this.gm.booleanValue();
            final SignatureAlgoControl control = new SignatureAlgoControl(useMgf1, usePlainDsa, useGm);
            return AlgorithmUtil.getSignatureAlgoName(AlgorithmUtil.getSigAlgId(publicKey, hash, control));
        }
    }
}
