package org.xipki.qa.shell;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import org.apache.karaf.shell.api.action.Command;
import org.apache.karaf.shell.api.action.Completion;
import org.apache.karaf.shell.api.action.Option;
import org.apache.karaf.shell.api.action.lifecycle.Reference;
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.apache.karaf.shell.support.completers.FileCompleter;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xipki.ocsp.client.OcspRequestor;
import org.xipki.ocsp.client.RequestOptions;
import org.xipki.ocsp.client.shell.Actions;
import org.xipki.qa.BigIntegerRange;
import org.xipki.qa.FileBigIntegerIterator;
import org.xipki.qa.RangeBigIntegerIterator;
import org.xipki.qa.ValidationIssue;
import org.xipki.qa.ValidationResult;
import org.xipki.qa.ocsp.OcspBenchmark;
import org.xipki.qa.ocsp.OcspCertStatus;
import org.xipki.qa.ocsp.OcspError;
import org.xipki.qa.ocsp.OcspQa;
import org.xipki.qa.ocsp.OcspResponseOption;
import org.xipki.qa.shell.QaCompleters;
import org.xipki.security.CrlReason;
import org.xipki.security.HashAlgo;
import org.xipki.security.IssuerHash;
import org.xipki.security.SecurityFactory;
import org.xipki.security.SignAlgo;
import org.xipki.security.X509Cert;
import org.xipki.security.util.X509Util;
import org.xipki.shell.CmdFailure;
import org.xipki.shell.Completers;
import org.xipki.shell.IllegalCmdParamException;
import org.xipki.util.Args;
import org.xipki.util.CollectionUtil;
import org.xipki.util.DateUtil;
import org.xipki.util.IoUtil;
import org.xipki.util.LogUtil;
import org.xipki.util.RandomUtil;
import org.xipki.util.ReqRespDebug;
import org.xipki.util.StringUtil;
import org.xipki.util.TripleState;

/* loaded from: input_file:org/xipki/qa/shell/QaOcspActions.class */
public class QaOcspActions {

    /*
     * Compiler-synthesized switch map, surfaced by the decompiler (originally the
     * anonymous class QaOcspActions$1, package-private).
     * loaded from: input_file:org/xipki/qa/shell/QaOcspActions$1.class
     *
     * Maps CrlReason.ordinal() to the case label (1..9) used by the switch in
     * BatchOcspQaStatusAction.processOcspQuery. Entries that are never assigned stay 0,
     * which no case label matches, so that switch falls through to its default branch.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$xipki$security$CrlReason = new int[CrlReason.values().length];

        static {
            // Local alias for the table; the field initializer above has already run.
            final int[] caseLabels = $SwitchMap$org$xipki$security$CrlReason;

            // Each constant is looked up in its own try block so that a constant missing
            // at run time (NoSuchFieldError) only leaves its own slot at 0.
            try {
                caseLabels[CrlReason.AA_COMPROMISE.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.CA_COMPROMISE.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.AFFILIATION_CHANGED.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.CERTIFICATE_HOLD.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.CESSATION_OF_OPERATION.ordinal()] = 5;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.KEY_COMPROMISE.ordinal()] = 6;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.PRIVILEGE_WITHDRAWN.ordinal()] = 7;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.SUPERSEDED.ordinal()] = 8;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                caseLabels[CrlReason.UNSPECIFIED.ordinal()] = 9;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
        }
    }

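    /**
     * Shell command {@code xiqa:batch-ocsp-status}: reads serial numbers (with optional
     * expected status and revocation time) from a file, queries the OCSP responder for each
     * of them, validates every response with {@link OcspQa} and writes the verdicts below
     * the output folder.
     *
     * <p>Output layout, as produced by the code in this class:
     * <ul>
     *   <li>{@code overview.txt}: one verdict line per input line plus a summary,</li>
     *   <li>{@code details/<hex-serial>.valid|invalid}: the individual validation issues,</li>
     *   <li>{@code messages/<hex-serial>/request.der|response.der}: raw messages, only with
     *       {@code --save-req} / {@code --save-resp},</li>
     *   <li>{@code verify-*.sh|.bat}: helper scripts that replay a saved message with
     *       {@code openssl ocsp}.</li>
     * </ul>
     *
     * <p>Security-relevant switches: with {@code --no-sig-verify} the "valid" verdict does not
     * cover the response signature, and without {@code --resp-issuer} the generated scripts
     * pass {@code -no_cert_verify} to openssl, so neither says anything about who signed the
     * response.
     *
     * <p>{@code issuerCertFile}, {@code getRequestOptions()}, {@code toBigInt}, {@code isNotBlank},
     * {@code print} and the one-argument {@code println} are not defined here; presumably they
     * are inherited from {@code Actions.CommonOcspStatusAction} or its parents.
     */
    @Service
    @Command(scope = "xiqa", name = "batch-ocsp-status", description = "batch request status of certificates (QA)")
    /* loaded from: input_file:org/xipki/qa/shell/QaOcspActions$BatchOcspQaStatusAction.class */
    public static class BatchOcspQaStatusAction extends Actions.CommonOcspStatusAction {
        private static final Logger LOG = LoggerFactory.getLogger(BatchOcspQaStatusAction.class);
        private static final String FILE_SEP = File.separator;

        // Name under which the responder issuer certificate is stored in the output folder.
        // The generated verify scripts must reference exactly this name for -CAfile.
        private static final String RESP_ISSUER_FILENAME = "responder-issuer.pem";

        @Option(name = "--resp-issuer", description = "certificate file of the responder's issuer")
        @Completion(FileCompleter.class)
        private String respIssuerFile;

        @Option(name = "--url", required = true, description = "OCSP responder URL")
        private String serverUrlStr;

        @Option(name = "--sn-file", required = true, description = "file containing the serial number and revocation information\nEach line starts with # for comment or is of following format\nserial-number[,status[,revocation-time]]")
        @Completion(FileCompleter.class)
        private String snFile;

        @Option(name = "--out-dir", required = true, description = "folder to save the request and response")
        @Completion(Completers.DirCompleter.class)
        private String outDirStr;

        @Option(name = "--unknown-as", description = "expected status for unknown certificate")
        @Completion(QaCompleters.CertStatusCompleter.class)
        private String unknownAs;

        @Option(name = "--exp-sig-alg", description = "expected signature algorithm")
        @Completion(Completers.SigAlgCompleter.class)
        private String sigAlgo;

        // The original help text repeated "occurrence of certHash"; the value is parsed with
        // HashAlgo.getInstance, so it names an algorithm.
        @Option(name = "--exp-certhash-alg", description = "expected hash algorithm of certHash")
        @Completion(Completers.HashAlgCompleter.class)
        private String certhashAlg;

        @Reference
        private SecurityFactory securityFactory;

        @Reference
        private OcspRequestor requestor;

        // Parsed from the corresponding *OccurrenceText options at the start of execute0().
        private TripleState expectedCerthashOccurrence;
        private TripleState expectedNextUpdateOccurrence;
        private TripleState expectedNonceOccurrence;

        @Option(name = "--hex", description = "serial number without prefix is hex number")
        private Boolean hex = Boolean.FALSE;

        @Option(name = "--save-req", description = "whether to save the request")
        private Boolean saveReq = Boolean.FALSE;

        // Help text fixed: it used to say "request" (copied from --save-req).
        @Option(name = "--save-resp", description = "whether to save the response")
        private Boolean saveResp = Boolean.FALSE;

        // Help text fixed ("where to verify the signature"); the flag is handed to
        // OcspQa.checkOcsp as its last argument and switches signature verification off.
        @Option(name = "--no-sig-verify", description = "no verification of the signature")
        private Boolean noSigVerify = Boolean.FALSE;

        @Option(name = "--exp-nextupdate", description = "occurrence of nextUpdate")
        @Completion(QaCompleters.OccurrenceCompleter.class)
        private String nextUpdateOccurrenceText = TripleState.optional.name();

        @Option(name = "--exp-certhash", description = "occurrence of certHash, will be set to forbidden for status unknown and issuerUnknown")
        @Completion(QaCompleters.OccurrenceCompleter.class)
        private String certhashOccurrenceText = TripleState.optional.name();

        @Option(name = "--exp-nonce", description = "occurrence of nonce")
        @Completion(QaCompleters.OccurrenceCompleter.class)
        private String nonceOccurrenceText = TripleState.optional.name();

        /**
         * Runs the batch: one OCSP query per non-comment line of {@code --sn-file}, followed by
         * one query for a random 127-bit serial number that is expected to be unknown.
         *
         * @return always {@code null}
         * @throws Exception if an option cannot be parsed, a certificate cannot be read or the
         *         overview file cannot be written; failures of a single query are counted as
         *         failed and recorded in the overview instead of aborting the batch
         */
        protected final Object execute0() throws Exception {
            this.expectedCerthashOccurrence = TripleState.valueOf(this.certhashOccurrenceText);
            this.expectedNextUpdateOccurrence = TripleState.valueOf(this.nextUpdateOccurrenceText);
            this.expectedNonceOccurrence = TripleState.valueOf(this.nonceOccurrenceText);

            File outDir = new File(this.outDirStr);
            File messageDir = new File(outDir, "messages");
            messageDir.mkdirs();
            File detailsDir = new File(outDir, "details");
            detailsDir.mkdirs();
            println("The result is saved in the folder " + outDir.getPath());

            writeVerifyScripts(outDir);

            X509Cert issuerCert = X509Util.parseCert(new File(this.issuerCertFile));
            X509Cert respIssuer = null;
            if (this.respIssuerFile != null) {
                respIssuer = X509Util.parseCert(new File(this.respIssuerFile));
                IoUtil.save(new File(outDir, RESP_ISSUER_FILENAME), StringUtil.toUtf8Bytes(X509Util.toPemCert(respIssuer)));
            }

            RequestOptions requestOptions = getRequestOptions();
            IssuerHash issuerHash = new IssuerHash(requestOptions.getHashAlgorithm(), issuerCert);
            int numSucc = 0;
            int numFail = 0;

            // try-with-resources closes both the overview file and the serial-number reader
            // on every path, including when a line or the URL makes the batch abort.
            try (OutputStream overview = Files.newOutputStream(Paths.get(outDir.getPath(), "overview.txt"));
                    BufferedReader snReader = Files.newBufferedReader(Paths.get(this.snFile))) {
                URL serverUrl = new URL(this.serverUrlStr);
                OcspQa ocspQa = new OcspQa(this.securityFactory);
                int lineNo = 0;
                int numRequests = 0;
                Instant start = Instant.now();
                Instant lastProgress = Instant.ofEpochMilli(0L);

                String rawLine;
                while ((rawLine = snReader.readLine()) != null) {
                    lineNo++;
                    String line = rawLine.trim();
                    if (line.startsWith("#") || line.isEmpty()) {
                        // Comments and blank lines are copied so overview.txt lines up with the input.
                        println(line, overview);
                        continue;
                    }

                    numRequests++;
                    String prefix = lineNo + ": " + line + ": ";
                    String verdict;
                    try {
                        if (processOcspQuery(ocspQa, line, messageDir, detailsDir, serverUrl, respIssuer, issuerCert, issuerHash, requestOptions).isAllSuccessful()) {
                            numSucc++;
                            verdict = prefix + "valid";
                        } else {
                            numFail++;
                            verdict = prefix + "invalid";
                        }
                    } catch (Throwable th) {
                        // One failing query must not stop the batch; it is logged and counted.
                        LogUtil.error(LOG, th);
                        numFail++;
                        verdict = prefix + "error - " + th.getMessage();
                    }
                    println(verdict, overview);

                    // Refresh the console progress line roughly once per second.
                    Instant now = Instant.now();
                    if (Duration.between(lastProgress, now).toMillis() > 980) {
                        print("\rProcessed " + numRequests + " requests in " + StringUtil.formatTime(Duration.between(start, now).getSeconds(), false));
                        lastProgress = now;
                    }
                }

                // Final probe: a random 16-byte serial with the sign bit cleared (non-negative),
                // which the responder is expected to report as unknown (or as --unknown-as).
                byte[] randomSerial = RandomUtil.nextBytes(16);
                randomSerial[0] = (byte) (Byte.MAX_VALUE & randomSerial[0]);
                BigInteger unknownSerial = new BigInteger(randomSerial);
                String unknownPrefix = (lineNo + 1) + ": " + unknownSerial.toString(16) + ",unknown: ";
                String unknownVerdict;
                try {
                    if (processOcspQuery(ocspQa, unknownSerial, OcspCertStatus.unknown, null, messageDir, detailsDir, serverUrl, respIssuer, issuerCert, issuerHash, requestOptions).isAllSuccessful()) {
                        numSucc++;
                        unknownVerdict = unknownPrefix + "valid";
                    } else {
                        numFail++;
                        unknownVerdict = unknownPrefix + "invalid";
                    }
                } catch (Throwable th) {
                    LogUtil.error(LOG, th);
                    numFail++;
                    unknownVerdict = unknownPrefix + "error - " + th.getMessage();
                }

                print("\rProcessed " + (numRequests + 1) + " requests in " + StringUtil.formatTime(Duration.between(start, Instant.now()).getSeconds(), false));
                println("");
                println(unknownVerdict, overview);

                String summary = StringUtil.concatObjectsCap(200, "=====BEGIN SUMMARY=====", new Object[]{"\n       url: ", this.serverUrlStr, "\n       sum: ", Integer.valueOf(numFail + numSucc), "\nsuccessful: ", Integer.valueOf(numSucc), "\n    failed: ", Integer.valueOf(numFail), "\n=====END SUMMARY====="});
                println(summary);
                println(summary, overview);
            }
            return null;
        }

        /**
         * Writes {@code verify-*.sh} and {@code verify-*.bat} into the output folder when at
         * least one of {@code --save-req} / {@code --save-resp} is set.
         *
         * <p>The scripts use paths relative to the current directory ({@code request.der},
         * {@code ../../responder-issuer.pem}), i.e. they are meant to be run from inside a
         * {@code messages/<hex-serial>/} folder. Without {@code --resp-issuer} they pass
         * {@code -no_cert_verify}, so openssl then does not verify the responder's certificate.
         */
        private void writeVerifyScripts(File outDir) throws Exception {
            boolean withReq = this.saveReq.booleanValue();
            boolean withResp = this.saveResp.booleanValue();
            if (!withReq && !withResp) {
                return;
            }

            // The -CAfile name now matches the file execute0() saves; the scripts used to
            // reference "responder_issuer.pem", which is never written.
            boolean haveIssuer = this.respIssuerFile != null;
            String unixTrust = haveIssuer ? "-CAfile ../../" + RESP_ISSUER_FILENAME : "-no_cert_verify";
            String winTrust = haveIssuer ? "-CAfile ..\\..\\" + RESP_ISSUER_FILENAME : "-no_cert_verify";

            String unixArgs;
            String winArgs;
            String baseName;
            if (withReq && withResp) {
                unixArgs = unixTrust + " -reqin request.der -respin response.der";
                winArgs = winTrust + " -reqin request.der -respin response.der";
                baseName = "verify-req-resp";
            } else if (withReq) {
                unixArgs = "-reqin request.der";
                winArgs = "-reqin request.der";
                baseName = "verify-req";
            } else {
                unixArgs = unixTrust + " -respin response.der";
                winArgs = winTrust + " -respin response.der";
                baseName = "verify-resp";
            }

            // Every variant now ends with a newline (the req+resp variant used to lack it).
            File shellScript = new File(outDir, baseName + ".sh");
            IoUtil.save(shellScript, StringUtil.toUtf8Bytes("#!/bin/sh\n" + "openssl ocsp -text " + unixArgs + "\n"));
            IoUtil.save(new File(outDir, baseName + ".bat"), StringUtil.toUtf8Bytes("@echo off\r\n" + "openssl ocsp -text " + winArgs + "\n"));
            shellScript.setExecutable(true);
        }

        /**
         * Parses one line of the serial-number file ({@code serial[,status[,revocation-time]]},
         * separators {@code , ; :}) and runs the query for it.
         *
         * <p>Only parsing is covered by the "illegal line" handling; failures of the query
         * itself propagate unchanged, so the overview shows the real error instead of blaming
         * the input line.
         *
         * @throws IllegalArgumentException if the line cannot be parsed (the parse error is
         *         kept as the cause)
         * @throws Exception whatever the query or the validation throws
         */
        private ValidationResult processOcspQuery(OcspQa ocspQa, String line, File messageDir, File detailsDir, URL serverUrl, X509Cert respIssuer, X509Cert issuerCert, IssuerHash issuerHash, RequestOptions requestOptions) throws Exception {
            StringTokenizer tokens = new StringTokenizer(line, ",;:");
            int count = tokens.countTokens();

            BigInteger serialNumber;
            OcspCertStatus status;
            Instant revTime = null;
            try {
                serialNumber = toBigInt(tokens.nextToken(), this.hex.booleanValue());
                status = count > 1 ? parseExpectedStatus(tokens.nextToken()) : OcspCertStatus.good;
                // A revocation time is only meaningful for a revoked status.
                if (count > 2 && status != OcspCertStatus.good && status != OcspCertStatus.unknown) {
                    revTime = DateUtil.parseUtcTimeyyyyMMddhhmmss(tokens.nextToken());
                }
            } catch (Exception e) {
                LogUtil.warn(LOG, e, "Could not parse line '" + line + "'");
                throw new IllegalArgumentException("illegal line", e);
            }

            return processOcspQuery(ocspQa, serialNumber, status, revTime, messageDir, detailsDir, serverUrl, respIssuer, issuerCert, issuerHash, requestOptions);
        }

        /**
         * Maps the status column of an input line to the expected certificate status:
         * {@code unknown} and {@code good} (case-insensitive) directly, anything else via
         * {@link CrlReason#forNameOrText}.
         *
         * @throws Exception if the text is not a revocation reason with a matching status
         */
        private static OcspCertStatus parseExpectedStatus(String text) throws Exception {
            if ("unknown".equalsIgnoreCase(text)) {
                return OcspCertStatus.unknown;
            }
            if ("good".equalsIgnoreCase(text)) {
                return OcspCertStatus.good;
            }

            CrlReason reason = CrlReason.forNameOrText(text);
            // Switch on the enum itself rather than on the decompiler's synthetic ordinal table.
            switch (reason) {
                case AA_COMPROMISE:
                    return OcspCertStatus.aACompromise;
                case CA_COMPROMISE:
                    return OcspCertStatus.cACompromise;
                case AFFILIATION_CHANGED:
                    return OcspCertStatus.affiliationChanged;
                case CERTIFICATE_HOLD:
                    return OcspCertStatus.certificateHold;
                case CESSATION_OF_OPERATION:
                    return OcspCertStatus.cessationOfOperation;
                case KEY_COMPROMISE:
                    return OcspCertStatus.keyCompromise;
                case PRIVILEGE_WITHDRAWN:
                    return OcspCertStatus.privilegeWithdrawn;
                case SUPERSEDED:
                    return OcspCertStatus.superseded;
                case UNSPECIFIED:
                    return OcspCertStatus.unspecified;
                default:
                    throw new IllegalArgumentException("invalid reason " + reason);
            }
        }

        /**
         * Sends one OCSP request, stores the raw messages if requested, validates the response
         * and writes the per-serial details file.
         *
         * <p>All file names are built from {@code BigInteger.toString(16)}, so only hex digits
         * (and a leading {@code -} for a negative value) from the input reach the path.
         *
         * @return the validation result; a "valid" result does not cover the signature when
         *         {@code --no-sig-verify} is set
         */
        private ValidationResult processOcspQuery(OcspQa ocspQa, BigInteger serialNumber, OcspCertStatus expectedStatus, Instant revTime, File messageDir, File detailsDir, URL serverUrl, X509Cert respIssuer, X509Cert issuerCert, IssuerHash issuerHash, RequestOptions requestOptions) throws Exception {
            if (expectedStatus == OcspCertStatus.unknown && isNotBlank(this.unknownAs)) {
                expectedStatus = OcspCertStatus.forName(this.unknownAs);
            }

            boolean withReq = this.saveReq.booleanValue();
            boolean withResp = this.saveResp.booleanValue();
            ReqRespDebug debug = (withReq || withResp) ? new ReqRespDebug(withReq, withResp) : null;

            OCSPResp response;
            try {
                response = this.requestor.ask(issuerCert, serialNumber, serverUrl, requestOptions, debug);
            } finally {
                // Keep whatever was captured even when the request failed: the saved
                // messages are the evidence needed to analyse the failure.
                saveMessages(debug, messageDir, serialNumber);
            }

            OcspResponseOption responseOption = new OcspResponseOption();
            responseOption.setNextUpdateOccurrence(this.expectedNextUpdateOccurrence);
            responseOption.setCerthashOccurrence(this.expectedCerthashOccurrence);
            responseOption.setNonceOccurrence(this.expectedNonceOccurrence);
            responseOption.setRespIssuer(respIssuer);
            if (isNotBlank(this.sigAlgo)) {
                responseOption.setSignatureAlg(SignAlgo.getInstance(this.sigAlgo));
            }
            if (isNotBlank(this.certhashAlg)) {
                responseOption.setCerthashAlg(HashAlgo.getInstance(this.certhashAlg));
            }

            ValidationResult result = ocspQa.checkOcsp(response, issuerHash, serialNumber, (byte[]) null, expectedStatus, responseOption, revTime, this.noSigVerify.booleanValue());
            String verdict = result.isAllSuccessful() ? "valid" : "invalid";
            String hexSerial = serialNumber.toString(16);

            StringBuilder details = new StringBuilder("OCSP response for ");
            details.append(serialNumber).append(" (0x").append(hexSerial).append(") is ").append(verdict);
            for (ValidationIssue issue : result.getValidationIssues()) {
                details.append("\n");
                OcspQaStatusAction.format(issue, "    ", details);
            }
            IoUtil.save(new File(detailsDir, hexSerial + "." + verdict), StringUtil.toUtf8Bytes(details.toString()));
            return result;
        }

        /**
         * Stores the first captured request/response pair as
         * {@code <messageDir>/<hex-serial>/request.der} and {@code response.der}, each only if
         * its option is set and the message was captured.
         */
        private void saveMessages(ReqRespDebug debug, File messageDir, BigInteger serialNumber) throws Exception {
            if (debug == null || debug.size() == 0) {
                return;
            }

            ReqRespDebug.ReqRespPair pair = debug.get(0);
            // NOTE(review): the per-serial folder is not created here; presumably IoUtil.save
            // creates missing parent folders - confirm.
            String folder = serialNumber.toString(16) + FILE_SEP;
            if (this.saveReq.booleanValue()) {
                byte[] request = pair.getRequest();
                if (request != null) {
                    IoUtil.save(new File(messageDir, folder + "request.der"), request);
                }
            }
            if (this.saveResp.booleanValue()) {
                byte[] response = pair.getResponse();
                if (response != null) {
                    IoUtil.save(new File(messageDir, folder + "response.der"), response);
                }
            }
        }

        /** Writes {@code str} as UTF-8 followed by a line feed to {@code outputStream}. */
        private void println(String str, OutputStream outputStream) throws IOException {
            outputStream.write(StringUtil.toUtf8Bytes(str));
            outputStream.write('\n');
        }
    }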

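    /**
     * Shell command {@code xiqa:benchmark-ocsp-status}: sends OCSP status requests for a set
     * of serial numbers to one responder from several threads for a given duration.
     *
     * <p>The serial numbers come from exactly one of {@code --serial}, {@code --serial-file}
     * or {@code --cert}. {@code issuerCertFile}, {@code hashAlgo}, {@code getRequestOptions()}
     * and {@code toBigInt} are not defined here; presumably they are inherited from
     * {@code Actions.CommonOcspStatusAction} or its parents.
     */
    @Service
    @Command(scope = "xiqa", name = "benchmark-ocsp-status", description = "OCSP benchmark")
    /* loaded from: input_file:org/xipki/qa/shell/QaOcspActions$BenchmarkOcspStatusAction.class */
    public static class BenchmarkOcspStatusAction extends Actions.CommonOcspStatusAction {

        @Option(name = "--serial", aliases = {"-s"}, description = "comma-separated serial numbers or ranges (like 1,3,6-10)\n(exactly one of serial, serial-file and cert must be specified)")
        private String serialNumberList;

        @Option(name = "--serial-file", description = "file that contains serial numbers")
        @Completion(FileCompleter.class)
        private String serialNumberFile;

        @Option(name = "--cert", multiValued = true, description = "certificate files")
        @Completion(FileCompleter.class)
        private List<String> certFiles;

        @Option(name = "--url", required = true, description = "OCSP responder URL")
        private String serverUrl;

        @Option(name = "--hex", description = "serial number without prefix is hex number")
        private Boolean hex = Boolean.FALSE;

        @Option(name = "--duration", description = "duration")
        private String duration = "30s";

        @Option(name = "--thread", description = "number of threads")
        private Integer numThreads = 5;

        @Option(name = "--max-num", description = "maximal number of OCSP queries\n0 for unlimited")
        private Integer maxRequests = 0;

        /**
         * Validates the options, builds the serial-number source and runs the benchmark.
         *
         * @return always {@code null}
         * @throws IllegalCmdParamException if not exactly one serial-number source is given,
         *         the thread count is below 1, a range is malformed or a certificate file
         *         cannot be parsed
         * @throws Exception whatever reading the issuer certificate or the benchmark throws
         */
        protected Object execute0() throws Exception {
            int numSources = 0;
            if (this.serialNumberList != null) {
                numSources++;
            }
            if (this.serialNumberFile != null) {
                numSources++;
            }
            if (CollectionUtil.isNotEmpty(this.certFiles)) {
                numSources++;
            }
            if (numSources != 1) {
                throw new IllegalCmdParamException("exactly one of serial, serial-file and cert must be specified");
            }
            if (this.numThreads.intValue() < 1) {
                throw new IllegalCmdParamException("invalid number of threads " + this.numThreads);
            }

            // NOTE(review): the decompiler declared this variable as FileBigIntegerIterator
            // although a RangeBigIntegerIterator is assigned below. Iterator<BigInteger> is
            // assumed to be the type both classes implement and OcspBenchmark accepts - confirm.
            java.util.Iterator<BigInteger> serialNumbers;
            if (this.serialNumberFile != null) {
                serialNumbers = new FileBigIntegerIterator(IoUtil.expandFilepath(this.serialNumberFile), this.hex.booleanValue(), true);
            } else {
                List<BigIntegerRange> ranges = new LinkedList<>();
                if (this.serialNumberList != null) {
                    StringTokenizer entries = new StringTokenizer(this.serialNumberList, ", ");
                    while (entries.hasMoreTokens()) {
                        String entry = entries.nextToken();
                        StringTokenizer bounds = new StringTokenizer(entry, "-");
                        // An entry consisting only of '-' has no bound at all; report it as a
                        // parameter error instead of failing with NoSuchElementException.
                        if (!bounds.hasMoreTokens()) {
                            throw new IllegalCmdParamException("invalid serial number or range '" + entry + "'");
                        }
                        BigInteger from = toBigInt(bounds.nextToken(), this.hex.booleanValue());
                        BigInteger to = bounds.hasMoreTokens() ? toBigInt(bounds.nextToken(), this.hex.booleanValue()) : from;
                        ranges.add(new BigIntegerRange(from, to));
                    }
                } else {
                    for (String certFile : this.certFiles) {
                        try {
                            BigInteger serialNumber = X509Util.parseCert(new File(certFile)).getSerialNumber();
                            ranges.add(new BigIntegerRange(serialNumber, serialNumber));
                        } catch (Exception e) {
                            throw new IllegalCmdParamException("invalid certificate file  '" + certFile + "'", e);
                        }
                    }
                }
                serialNumbers = new RangeBigIntegerIterator(ranges, true);
            }

            try {
                String description = StringUtil.concatObjects("issuer cert: ", new Object[]{this.issuerCertFile, "\nserver URL: ", this.serverUrl, "\nmaxRequest: ", this.maxRequests, "\nhash: ", this.hashAlgo});
                new OcspBenchmark(X509Util.parseCert(new File(this.issuerCertFile)), this.serverUrl, getRequestOptions(), serialNumbers, this.maxRequests.intValue(), description)
                        .setDuration(this.duration)
                        .setThreads(this.numThreads.intValue())
                        .execute();
            } finally {
                // Only the file-backed iterator is closed here, on success and on failure.
                if (serialNumbers instanceof FileBigIntegerIterator) {
                    ((FileBigIntegerIterator) serialNumbers).close();
                }
            }
            return null;
        }
    }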

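    /**
     * Shell command {@code xiqa:qa-ocsp-status}: requests the status of certificates and
     * checks the OCSP response against the expectations given on the command line, either an
     * expected OCSP error or one expected status (and optionally revocation time) per serial
     * number.
     *
     * <p>With {@code --no-sig-verify} the response signature is not verified, so a "valid"
     * verdict then only covers the response content.
     *
     * <p>{@code verbose}, {@code println}, {@code isBlank}, {@code isNotBlank}, {@code isEmpty}
     * and {@code isNotEmpty} are not defined here; presumably they are inherited from
     * {@code Actions.BaseOcspStatusAction} or its parents.
     */
    @Service
    @Command(scope = "xiqa", name = "qa-ocsp-status", description = "request certificate status (QA)")
    /* loaded from: input_file:org/xipki/qa/shell/QaOcspActions$OcspQaStatusAction.class */
    public static class OcspQaStatusAction extends Actions.BaseOcspStatusAction {

        @Option(name = "--exp-error", description = "expected error")
        @Completion(QaCompleters.OcspErrorCompleter.class)
        private String errorText;

        @Option(name = "--exp-status", multiValued = true, description = "expected status")
        @Completion(QaCompleters.CertStatusCompleter.class)
        private List<String> statusTexts;

        @Option(name = "--rev-time", multiValued = true, description = "revocation time, UTC time of format yyyyMMddHHmmss")
        private List<String> revTimeTexts;

        @Option(name = "--exp-sig-alg", description = "expected signature algorithm")
        @Completion(Completers.SigAlgCompleter.class)
        private String sigAlgo;

        // The original help text repeated "occurrence of certHash"; the value is parsed with
        // HashAlgo.getInstance, so it names an algorithm.
        @Option(name = "--exp-certhash-alg", description = "expected hash algorithm of certHash")
        @Completion(Completers.HashAlgCompleter.class)
        private String certhashAlg;

        @Reference
        private SecurityFactory securityFactory;

        // Created lazily by processResponse().
        private OcspQa ocspQa;

        // Expectations derived from the options by checkParameters().
        private OcspError expectedOcspError;
        private Map<BigInteger, OcspCertStatus> expectedStatuses;
        private Map<BigInteger, Instant> expectedRevTimes;
        private TripleState expectedNextUpdateOccurrence;
        private TripleState expectedCerthashOccurrence;
        private TripleState expectedNonceOccurrence;

        @Option(name = "--no-sig-verify", description = "no verification of the signature")
        private Boolean noSigVerify = Boolean.FALSE;

        @Option(name = "--exp-nextupdate", description = "occurrence of nextUpdate")
        @Completion(QaCompleters.OccurrenceCompleter.class)
        private String nextUpdateOccurrenceText = TripleState.optional.name();

        @Option(name = "--exp-certhash", description = "occurrence of certHash, will be set to forbidden for status unknown and issuerUnknown")
        @Completion(QaCompleters.OccurrenceCompleter.class)
        private String certhashOccurrenceText = TripleState.optional.name();

        @Option(name = "--exp-nonce", description = "occurrence of nonce")
        @Completion(QaCompleters.OccurrenceCompleter.class)
        private String nonceOccurrenceText = TripleState.optional.name();

        /**
         * Validates the expectation options and turns them into the typed fields used by
         * {@link #processResponse}.
         *
         * @param respIssuer not used by this method
         * @param serialNumbers serial numbers of the request; {@code --exp-status} and
         *        {@code --rev-time} values are matched to them by position
         * @param encodedCerts not used by this method
         * @throws IllegalArgumentException if neither or both of {@code --exp-error} and
         *         {@code --exp-status} are set, or if the number of statuses or revocation
         *         times differs from the number of serial numbers
         */
        protected void checkParameters(X509Cert respIssuer, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
            // Name in the message fixed (was "serialNunmbers").
            Args.notEmpty(serialNumbers, "serialNumbers");

            boolean haveError = isNotBlank(this.errorText);
            boolean haveStatuses = isNotEmpty(this.statusTexts);
            if (!haveError && !haveStatuses) {
                throw new IllegalArgumentException("neither expError nor expStatus is set, this is not permitted");
            }
            if (haveError && haveStatuses) {
                throw new IllegalArgumentException("both expError and expStatus are set, this is not permitted");
            }

            if (haveError) {
                this.expectedOcspError = OcspError.forName(this.errorText);
            }

            int numSerials = serialNumbers.size();
            if (haveStatuses) {
                if (this.statusTexts.size() != numSerials) {
                    throw new IllegalArgumentException("number of expStatus is invalid: " + this.statusTexts.size() + ", it should be " + numSerials);
                }
                this.expectedStatuses = new HashMap<>();
                for (int i = 0; i < numSerials; i++) {
                    this.expectedStatuses.put(serialNumbers.get(i), OcspCertStatus.forName(this.statusTexts.get(i)));
                }
            }

            if (isNotEmpty(this.revTimeTexts)) {
                if (this.revTimeTexts.size() != numSerials) {
                    throw new IllegalArgumentException("number of revTimes is invalid: " + this.revTimeTexts.size() + ", it should be " + numSerials);
                }
                this.expectedRevTimes = new HashMap<>();
                for (int i = 0; i < numSerials; i++) {
                    this.expectedRevTimes.put(serialNumbers.get(i), DateUtil.parseUtcTimeyyyyMMddhhmmss(this.revTimeTexts.get(i)));
                }
            }

            this.expectedCerthashOccurrence = TripleState.valueOf(this.certhashOccurrenceText);
            this.expectedNextUpdateOccurrence = TripleState.valueOf(this.nextUpdateOccurrenceText);
            this.expectedNonceOccurrence = TripleState.valueOf(this.nonceOccurrenceText);
        }

        /**
         * Checks the response against the expectations and prints the verdict: all issues in
         * verbose mode, otherwise only the failed ones.
         *
         * @param response the OCSP response to check
         * @param respIssuer set as the expected responder issuer on the response options
         * @param issuerHash passed through to {@code OcspQa.checkOcsp}
         * @param serialNumbers serial numbers of the request
         * @param encodedCerts passed through to {@code OcspQa.checkOcsp}; presumably the
         *        encoded certificates by serial number - confirm
         * @throws CmdFailure if at least one validation issue failed
         */
        protected void processResponse(OCSPResp response, X509Cert respIssuer, IssuerHash issuerHash, List<BigInteger> serialNumbers, Map<BigInteger, byte[]> encodedCerts) throws Exception {
            OcspResponseOption responseOption = new OcspResponseOption();
            responseOption.setNextUpdateOccurrence(this.expectedNextUpdateOccurrence);
            responseOption.setCerthashOccurrence(this.expectedCerthashOccurrence);
            responseOption.setNonceOccurrence(this.expectedNonceOccurrence);
            responseOption.setRespIssuer(respIssuer);
            if (isNotBlank(this.sigAlgo)) {
                responseOption.setSignatureAlg(SignAlgo.getInstance(this.sigAlgo));
            }
            if (isNotBlank(this.certhashAlg)) {
                responseOption.setCerthashAlg(HashAlgo.getInstance(this.certhashAlg));
            }

            if (this.ocspQa == null) {
                this.ocspQa = new OcspQa(this.securityFactory);
            }

            // An expected error is checked on its own; otherwise the full status check runs,
            // with signature verification skipped when --no-sig-verify is set.
            ValidationResult result = this.expectedOcspError != null
                    ? this.ocspQa.checkOcsp(response, this.expectedOcspError)
                    : this.ocspQa.checkOcsp(response, issuerHash, serialNumbers, encodedCerts, this.expectedStatuses, this.expectedRevTimes, responseOption, this.noSigVerify.booleanValue());

            boolean showAll = this.verbose.booleanValue();
            StringBuilder report = new StringBuilder(50);
            report.append("OCSP response is ").append(result.isAllSuccessful() ? "valid" : "invalid");
            for (ValidationIssue issue : result.getValidationIssues()) {
                if (showAll || issue.isFailed()) {
                    report.append("\n");
                    format(issue, "    ", report);
                }
            }
            println(report.toString());

            if (!result.isAllSuccessful()) {
                throw new CmdFailure("OCSP response is invalid");
            }
        }

        /**
         * Appends one issue as {@code <prefix><code>, <description>, failed|successful[, <failure message>]}.
         *
         * @param validationIssue the issue to render
         * @param str prefix (indentation) written before the issue
         * @param sb buffer to append to
         */
        static void format(ValidationIssue validationIssue, String str, StringBuilder sb) {
            sb.append(str).append(validationIssue.getCode()).append(", ").append(validationIssue.getDescription());
            sb.append(", ").append(validationIssue.isFailed() ? "failed" : "successful");
            String failureMessage = validationIssue.getFailureMessage();
            if (failureMessage != null) {
                sb.append(", ").append(failureMessage);
            }
        }
    }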
}
